Voice-over-IP (VoIP) Penetration Test

Voice-over-IP (VoIP) Penetration Test

Introduction

Voice-over-IP and Unified Communications are too often ignored by security professionals. Cyber-criminals and other adversaries, however, do pay attention. VoIP's security exposure is greatly affected by IP telephony-specific threats which includes toll fraud, voicemail hacking, social engineering attacks and telephony denial of service. VoIP systems are also vulnerable to the same security issues that affect the operating system of the phone equipment (often being based on Linux), network based attacks and web application vulnerabilities. Many VoIP systems are being exposed externally so that remote workers can receive their phone calls and messages anywhere in the world.

As a number of organisations found out, exposing the phone system to the Internet does not come without its risks. Attackers who can abuse the phone system can run hefty bills sometimes topping millions of dollars. Additionally, adversaries may be able to spy on confidential phone calls when abusing certain phone system features. For certain organisations, when the communications system is unavailable, large monetary sums are lost in revenues.

At Enable Security, we have extensive experience testing the security of VoIP and UC systems and have developed internal specialized tools such as SIPVicious PRO and fuzzers which gives us the competitive advantage.

What do we cover?

The scope of a VoIP penetration test depends on the target system on test. The following are some examples of common attack targets that are often part of a Voice-over-IP penetration test:

  • PBX servers such as Avaya Aura, Avaya IP Office, Cisco Unified Communications Server and Asterisk PBX
  • Hardware phones and conference call equipment on the network such as Tandberg/Cisco equipment
  • Mobile softphone Apps for example, Avaya one-X
  • Telecom solutions and Unified Communications systems such as Broadworks (Cisco)
  • Session Border Controllers (SBCs) such as Acme Packet (Oracle) and solutions based on Kamailio, OpenSIPS, Audiocodes and Sonus networks
  • Customer premises equipment (CPE) such as DSL and cable modems which often provide phone access through SIP or other protocols

Our VoIP penetration testing methodology includes the following techniques that are typically employed in a VoIP pentest:

  • SIP call relaying / dialplan security bypass, i.e ways in which remote attackers can make calls for free at victim organisation's expense
  • SIP extension enumeration, i.e. ways that attackers can detect valid SIP extensions or SIP addresses, e.g. by abusing SIP REGISTER methods
  • SIP digest leak attacks on vulnerable SIP endpoints and SIP proxies
  • RTP bleed and RTP injection attacks
  • Anonymous SIP methods, i.e. SIP methods that do not require authentication and may leak sensitive information or lead to fraud
  • Caller-ID spoofing, whether due to peer-to-peer SIP or proxied over vulnerable systems
  • Weak passwords on SIP systems leading to SIP extension hijacking
  • Vulnerabilities affecting the products / software packages (i.e. Avaya's phone system)
  • Denial of Service due to INVITE flood (INVITE of death) attacks, REGISTER flooding and similar issues
  • Denial of Service on the media handling due to RTP Flooding
  • Dialplan injection attacks and other attacks specific to the platform's dialplan handling
  • Call interception, eavesdropping due to lack of media or signalling encryption
  • When testing a local network infrastructure, VLAN hopping may be required
  • XMPP attacks for several XEPs (XMPP protocol extensions) and custom implementations
  • Weak authentication for provisioning on TFTP, FTP, and HTTP protocols
  • Asterisk and Kamailio security configuration review

How does the process look like?

Most of our engagements follow these steps:

  1. First step is that you contact us, so that discussions on what you have in mind take place to identify the goals for the exercise and the scope
  2. With your help, we perform a scoping exercise to better understand the size of the project
  3. We provide you with our proposal which describes the goals, the scope, the methodology, deliverables, dates allocated for the project, terms and conditions and the price
  4. The actual work takes place during the allocated dates; your IT staff involved in the project often need to be available during the tests
  5. Upon completing our work, we provide you with our technical and executive reports in addition to any other deliverables
  6. Testing of the security fixes finally takes place, and the reports are updated to reflect results from the retest

What are the deliverables?

At the end of the project, we provide the following:

  • Executive report, which is an easy to follow 4 page document that includes:
    • information about the penetration test
    • list of the findings rated by severity
    • a summary of the results, giving our honest impression of the system
    • our suggestions on what needs to be done to address the vulnerabilities found and prevent similar ones in the future
  • Detailed technical report, which includes the following sections:
    • Introduction, which describes the scope, methodology and purpose of the work
    • Findings and recommendations, each categorized according to vulnerability severity
    • Methodology, which describes our tests to explain what was covered and how; this would include both tests that led to vulnerability discoveries, and also those that did not
  • Other material is often provided such as:
    • Dedicated exploit code and tools to reproduce the security issues found
    • Conference calls and online chats to brief the involved executives and technical teams on our findings
    • Assistance with addressing the vulnerabilities found
    • Follow-up tests once security fixes have been applied

What costs can one expect?

Prices for similar penetration tests start at 8000 EUR. Cost is dependent on the size and complexity of the system on test and the level of rigour in which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote.

Get in touch