VoIP Penetration

Penetration Testing for VoIP

With VoIP penetration testing, iNet|Detect determines the risk of a VoIP attack. Although VoIP technology meets current business needs, it may introduce additional risks such as call tracking, call data manipulation, listening or unauthorised wiretapping of phone calls. iNet|Detect’s testing includes assessing the VoIP infrastructure and determining the risks of a classic internal network infrastructure attack. We evaluate the different VoIP components from a security perspective and their capability to maintain the confidentiality, integrity and availability of the environment and related traffic. Our testing generally includes investigating the authentication mechanisms, as well as the potential interception, interruption or manipulation of the information exchanged between the client and the VoIP server.

VoIP penetration testing is designed to find the “open window” into your system and close it. The transmission technologies are tested rigorously to determine where the system can be breached. You are mistaken if you believe that IP phones and related software have enough built-in security controls that they do not need any additional enhancements.

How can the VoIP system be compromised, or how does it allow unethical and criminal intent to be carried out?

There are many ways to breach VoIP security controls; eavesdropping, for example, is as old as the telephone itself. Inadequate security controls can lead to attackers accessing server data through the transmission technology, stealing telephone calls, interrupting service and using sniffing tools.

Testing Process

VoIP penetration testing is a process whereby an attempt is made to purposely manipulate the VoIP system. All entry points into the WAN and/or LAN are tested and an attempt is made to gain access into the VoIP infrastructure. iNet|Detect will attempt to penetrate the VoIP system and then use it to see how deep an attacker can penetrate into the computer system.

A VoIP test can be standalone or it can be one step in a larger security testing program. For example, password weaknesses can be tested for the component VoIP system or for the larger company-wide system. Naturally, the broader the testing, the more secure the system will be after implementing the recommended controls.

With VoIP Penetration, iNet|Detect will attempt an authorised penetration of the computer system. The tests include:

  • Test the ability to remotely access the data network using VoIP technologies
  • Look for vulnerabilities in system configuration enabling unauthorised access into the system
  • Test protection controls at each network layer
  • Test remote IP phone locations
  • Test the ability to add an IP address on the VoIP system through remote access
  • Attempt to enter the main servers
  • Look for ways for hackers to manipulate the system at any point, including Ethernet and cabling connections
  • Look for vulnerabilities that allow sniffer software to collect protocols
  • Test traffic switching
  • Determine if the ability exists to collect VoIP data
  • Firewall testing between voice and data, including the potential for tunnelling attacks
  • Wireless network security
  • Testing of intrusion detection evasion capabilities