Voice-over-IP Penetration Test
Voice-over-IP and Unified Communications can be found within most organisations, yet they are too often ignored by security professionals. Cyber-criminals and other adversaries, however, do pay attention. VoIP’s security exposure includes threats specific to telephony: toll fraud, voicemail hacking, social engineering attacks and telephony denial of service. VoIP systems are also vulnerable to the same security issues that affect the operating system of the phone equipment (which is often Linux-based), to network-based attacks and to web application vulnerabilities. Many VoIP systems are exposed externally so that remote workers can receive their phone calls and messages anywhere in the world.
As a number of organisations have found out, exposing the phone system to the Internet does not come without its risks. Attackers who can abuse the phone system can run up hefty bills, sometimes topping millions of dollars. Additionally, adversaries may be able to spy on confidential phone calls by abusing certain phone system features.
What do we cover?
The scope of a VoIP penetration test can be very broad. The following are some examples of common attack targets that are often part of a voice-over-IP penetration test:
- PBX servers such as Avaya Aura, Avaya IP Office, Cisco Unified Communications Server and Asterisk PBX
- Hardware phones and conference call equipment on the network such as Tandberg/Cisco equipment
- Mobile softphone apps, for example Avaya one-X
- Session Border Controllers (SBCs) such as Acme Packet (Oracle)
- SIP servers such as Kamailio and SEMS
- Customer premises equipment (CPE) such as DSL and cable modems which often provide phone access through SIP or other protocols
The following are some of the techniques that are typically employed in a VoIP pentest:
- SIP call relaying / dialplan security bypass, i.e. ways in which remote attackers can make calls for free at the victim organisation’s expense
- SIP extension enumeration, i.e. ways that attackers can detect valid SIP extensions or SIP addresses, e.g. by abusing SIP
- Anonymous SIP methods, i.e. SIP methods that do not require authentication and may leak sensitive information or lead to fraud
- Weak passwords on SIP systems leading to SIP extension hijacking
- Vulnerabilities affecting the products / software packages (e.g. Avaya’s phone system)
- Denial of Service due to INVITE flood attacks and similar issues (if required)
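Three of the techniques listed above (extension enumeration, weak-password guessing against SIP extensions and INVITE floods) leave a recognisable footprint in a PBX's SIP transaction log. The following is an added example, written for this page rather than taken from it or from any of the products named; it parses a constructed, simplified log format (assumed here, not the native format of Asterisk, Avaya or any other PBX) and raises per-source alerts for each pattern using a sliding time window. Thresholds and window length are illustrative assumptions.

```python
"""Flag SIP extension enumeration, password guessing and INVITE floods
from SIP server log lines.

Added example for this page; the log format is constructed and is NOT the
native format of any PBX mentioned above. Each line records the FINAL
response to one SIP transaction after any digest challenge has been
answered, so a 401/403 here means credentials were rejected rather than
the routine initial challenge (assumption of this example)."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed line format:
#   <ISO timestamp> src=<ip> method=<SIP method> ext=<extension> code=<final response>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) "
    r"ext=(?P<ext>\S+) code=(?P<code>\d{3})$"
)

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = "\n".join(
    # 203.0.113.5 probes eight extensions; only 1003 exists (401 instead of 404).
    [f"2024-03-01T09:00:{i:02d} src=203.0.113.5 method=REGISTER ext={1000 + i} "
     f"code={'401' if 1000 + i == 1003 else '404'}" for i in range(8)]
    # 198.51.100.9 tries six passwords against extension 1003.
    + [f"2024-03-01T09:01:{i:02d} src=198.51.100.9 method=REGISTER ext=1003 code=401"
       for i in range(6)]
    # 192.0.2.77 sends 25 INVITEs within 25 seconds.
    + [f"2024-03-01T09:05:{i:02d} src=192.0.2.77 method=INVITE ext=2000 code=480"
       for i in range(25)]
    # 10.0.0.12 is a legitimate phone: one registration, one call.
    + ["2024-03-01T09:10:00 src=10.0.0.12 method=REGISTER ext=1003 code=200",
       "2024-03-01T09:10:05 src=10.0.0.12 method=INVITE ext=2000 code=200"]
)


def parse(log_text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["code"] = int(ev["code"])
        events.append(ev)
    return events


def detect(events, window_s=60, enum_min=5, guess_min=5, flood_min=20):
    """Return sorted (source, alert) pairs. Thresholds are illustrative assumptions:
    enum_min  distinct unknown extensions (404) from one source within the window
    guess_min rejected authentications (401/403) on ONE extension within the window
    flood_min INVITEs from one source within the window"""
    alerts = set()
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0  # start index of the sliding window
        for hi, cur in enumerate(evs):
            while (cur["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            win = evs[lo:hi + 1]
            unknown_exts = {e["ext"] for e in win if e["code"] == 404}
            if len(unknown_exts) >= enum_min:
                alerts.add((src, "extension-enumeration"))
            auth_fail = Counter(e["ext"] for e in win if e["code"] in (401, 403))
            if auth_fail and max(auth_fail.values()) >= guess_min:
                alerts.add((src, "password-guessing"))
            invites = sum(1 for e in win if e["method"] == "INVITE")
            if invites >= flood_min:
                alerts.add((src, "invite-flood"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind in detect(parse(SAMPLE_LOG)):
        print(f"{src}: {kind}")
```

Enumeration is keyed on the count of distinct extensions that answered 404 rather than on raw request volume, so a single busy but legitimate phone re-registering does not trip it; password guessing is keyed on repeated rejections against one extension; the flood check is a plain rate threshold. Because a real PBX's first REGISTER is always challenged with 401, a production version must distinguish the challenge from a rejected answer (here assumed to be done upstream) or it will alert on every normal registration.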
What does the process look like?
Most of our engagements follow these steps:
- The first step is that you contact us
- We ask you a number of questions to understand what you have in mind, the goals for the exercise and the scope
- We perform a scoping exercise to better understand the size of the project; in the case of a VoIP penetration test, the scoping exercise often involves answering questionnaires to better understand the exposure and therefore tailor our proposed work to your needs
- We verify the scope with you where appropriate
- We work on a proposal which describes the goals, the scope, the methodology, deliverables, dates allocated for the project, terms and conditions and the price
- The actual work takes place during the allocated dates; your IT staff involved in the project often need to be available during the tests
- Upon completing the tests, we work on the reports and often provide a brief report of the main findings so that your staff are informed of the results immediately
- The deliverables are provided to you
- Often the process also includes testing of the security fixes once applied
What are the deliverables?
At the end of the project, the client usually receives the following:
- Executive report, which is an easy-to-follow 4-page report that includes information about the penetration test, a list of the findings and a short explanation of the security fixes or mitigation techniques
- Technical report, which includes the following sections:
  - Introduction, which describes the scope, methodology and purpose of the work
  - Methodology, which describes our tests to explain what was covered and how; this includes both tests that led to vulnerability discoveries and those that did not
  - Findings and recommendations, which are categorised as High security threats, Other security threats, and Other concerns and recommendations
  - Each finding that is considered a security threat includes:
    - A description of the security issue as it affects the target system
    - Our assessment of the impact of the vulnerability
    - Details on how to reproduce the issue found
    - Solutions and recommendations, which are tailored for the target audience and can go into quite some detail
- Other material is sometimes provided, such as:
  - Video demonstrations showing exploitation of your systems
  - Dedicated exploit code to reproduce the security issues found
- When the tests are done on-site, we often brief the involved executives and/or technical team and discuss solutions to the security issues found
- Similarly, conference calls can be used when the work is done remotely
What costs can one expect?
Cost depends on the size and complexity of the system under test and the level of rigour with which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement is delivered as a fixed-bid quote.