2. Project scope
• Understanding VoIP
• Threat profiling of VoIP application
• Develop the test case and methodologies to test VoIP application
• Sample testing of one VoIP application and report presentation
• Mitigation strategies
• Conclusion
3. What is VoIP?
Routing of voice conversations over the
Internet or through any other IP-based
network.
4. Benefits
VoIP enables convergence of data,
voice, and video onto a single network.
Attractive opportunities
– Reducing costs
– Reducing complexities
– Enabling progressive business gains
5. VoIP implementations
Business-grade VoIP telephony
– Designed specifically for business grade usage
Softphones
– X-Lite, 3CX, Express Talk
Instant Messaging voice services
– Applications such as AIM, MSN, Apple iChat offer ‘voice chat’ functionality
Mobile VoIP
– Requires mobile telephone with 3G or wireless connectivity
– Using a mobile version of a Softphone, mobile devices and telephones are capable of offering VoIP services
VoIP handsets
– Requires a VoIP handset from the service provider
– Offer call functionality and services similar to typical PSTN services
6. Protocols
Signaling Protocol
– Create, modify, and terminate sessions
with participants
– Conferences
– Proxies
– Authentication
Transport/Carrier Protocol
– Manages the actual voice data
7. Protocols
Session Initiation Protocol (SIP)
– Signaling protocol
– Session Initiation Protocol
– Application layer control protocol for
initiating VOIP sessions
– Currently most favored protocol for new
systems
8. Protocols
H.323
– One of the earliest sets of VoIP standards
by ITU-T
– Handles voice, video and data conferencing
– Some limitations, but most VoIP traffic
utilizes this today
Real-time Transport Protocol (RTP)
– Used for media transfer by other protocols
– Fast, scalable and efficient
– RTP uses UDP
9. Most Common VOIP Security Mistakes
1. Treating VOIP security the same way as Network security
2. Not treating VOIP security the same way as Network security
How it’s the Same
• Uses mostly the same protocols
• Uses mostly the same Operating Systems
• Many of the same threats
How it’s Different
• Some unique protocols
• Traditional Security devices (Firewalls can disrupt service)
• People treat it like the old phone system
11. Voice over IP Threats
Threats are categorized into the following parameters.
Threats against availability
Threats against confidentiality
Threats against integrity
Threats against social context
12. Voice over IP Threats
Against Availability
– Call flooding
– Toll Fraud
– Call hijacking
– Fuzzing
– TDOS
Against Confidentiality
– Eavesdropping
– Call pattern Tracking
– Reconstruction
13. Voice over IP Threats
Against Integrity
– Message Alteration
– Call Rerouting
– Media Alteration
Against Social context
– Misrepresentation
– Call SPIT (Spam over Internet Telephony)
– Vishing
14. What are the Threat Vectors?
OS Exploits
Signaling Attacks
Endpoint Admin Privilege Exploits
Real Time Protocol (RTP) Attacks
DoS Attacks
IP PBX & Telephony Server Exploits
15. Specialized Hacking Tools
BackTrack Penetration Testing Distribution
– www.backtrack-linux.org/
Wireshark (http://www.wireshark.org)
– Packet Sniffer
Cain and Abel (http://www.oxid.it)
– Password cracker
– ARP spoofing
– RTP Playback
SiVuS (http://www.vopsecurity.org/html/tools.html)
– VoIP Vulnerability Scanner
– General Purpose VoIP packet generation, spoofing,
testing tool.
18. Mitigation Strategies
Create VOIP Specific Security Policies
Segmentation as appropriate
– Utilize separate VLANs for voice and data
Device Hardening
– Do not use default passwords
– Turn off unnecessary services
– Apply vendor supplied patches in a timely manner
– Perform vendor installation security checklist to harden
applications
Pay attention to Security Risk Assessments and
planning against the VOIP infrastructure
19. Key Mitigation Strategies
Apply Encryption where possible
Use tools to test the network
Utilize VoIP aware Firewalls, Intrusion Prevention Systems
Continue to protect against traditional system attacks (Toll
Fraud, Modem Security, Social Networking Attacks, etc.)
Avoid Single point of failure
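
Call flooding, listed earlier among the threats against availability, is the kind of traffic a VoIP-aware intrusion prevention system watches for. The Python code below is an added example, not part of the original slides: it counts distinct SIP INVITE dialogs per source address in a sliding window. The thresholds, addresses, function names and sample messages are constructed assumptions.

```python
import re
from collections import defaultdict, deque

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def make_invite(call_id):
    """Build a constructed SIP INVITE (sample data, not captured traffic)."""
    return ("INVITE sip:bob@example.test SIP/2.0\r\n"
            "From: <sip:alice@example.test>;tag=1\r\n"
            f"Call-ID: {call_id}\r\n"
            "CSeq: 1 INVITE\r\n\r\n")

def parse_sip_request(raw):
    """Return (method, call_id) for a SIP request; None for responses or junk."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # "i" is the compact header form of Call-ID
    return match.group(1), headers.get("call-id") or headers.get("i")

def detect_invite_floods(events, max_calls=5, window=10.0):
    """events: (timestamp_s, src_ip, raw_sip). Returns {src_ip: first_alert_ts}."""
    # recent maps src_ip -> (timestamp, call_id) pairs still inside the window
    recent, alerts = defaultdict(deque), {}
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        parsed = parse_sip_request(raw)
        if parsed is None or parsed[0] != "INVITE":
            continue
        queue = recent[src]
        queue.append((ts, parsed[1]))
        while ts - queue[0][0] > window:
            queue.popleft()
        # Distinct Call-IDs: UDP retransmissions of one INVITE must not alert
        if len({cid for _, cid in queue}) > max_calls:
            alerts.setdefault(src, ts)
    return alerts

def sample_events():
    """Constructed traffic: one flooder, one retransmitting phone, one normal user."""
    flood = [(i / 10, "192.0.2.10", make_invite(f"flood-{i}")) for i in range(20)]
    retrans = [(i / 2, "198.51.100.7", make_invite("same-call")) for i in range(8)]
    normal = [(i * 5.0, "203.0.113.5", make_invite(f"call-{i}")) for i in range(6)]
    reply = [(0.2, "192.0.2.10", "SIP/2.0 200 OK\r\nCall-ID: x\r\n\r\n")]
    return flood + retrans + normal + reply
```

Calling `detect_invite_floods(sample_events())` flags only the source that opens more than five distinct calls within ten seconds; the retransmitting phone and the normal caller stay below the threshold.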
20. Conclusion
VoIP is established as the future of
telephones
Security is critical when designing,
implementing and maintaining VoIP
systems
VoIP technology should thereby provide a
balance between security and business
needs.