VoIP security auditing is becoming more and more complex ... Not!


By Ari Takanen
August 15, 2008

I am curious how people can conduct penetration tests of a complex VoIP 
system when they barely understand how VoIP infrastructure works. Today, 
security people are still stuck with auditing practices from the 1990s. When
asked to do a penetration test, a consultant often is only looking at 
past issues that can be detected using various vulnerability scanners. 
Very few of them know that vulnerability scanners have extremely bad 
coverage of vulnerabilities in VoIP solutions. And even if the tools did 
know VoIP, who really cares about past issues that might have been
relevant several years ago?

Relying on vulnerability scanners and detection of past flaws is not 
very professional, but it is an understandable practice when you study the
skill-sets of individual consultants conducting penetration testing. 
Although nowadays every security consultant can do a web audit (some of 
them can even read HTTP), very few of them can even name the different 
network components used in a VoIP infrastructure ("What is this MGW 
here?"). Most security consultants have no idea what a widely used 
signaling protocol such as SIP (Session Initiation Protocol) can do. 
Even fewer people are aware of the encryption techniques available for
both VoIP signaling and media, nor would they pay any attention to the
lack of encryption in your VoIP.

When entering the VoIP auditing practice, the first target for all 
security experts is to understand VoIP. Maybe you have been postponing 
this because VoIP sounds complex? Fortunately VoIP is so much fun to 
learn! VoIP is such a perfect example of a deployment where you need to
know all the basics of communication technologies including all security 
techniques. VoIP does not re-invent the wheel, but reuses all best 
practices from both IP communications and legacy telephony. But where to 

That is what we tried to do in the book I wrote with Peter: A complete 
analysis of various security aspects of VoIP. The feat was not easy, 
especially given the limited time we had for the project. In order to 
teach future academics and network engineers, Peter and I tried to 
systematically go through the security risks and vulnerabilities 
associated with VoIP networks and offer proven, detailed recommendations 
for securing them. Even when drafting those chapters, we noted that it 
is not enough to just list exploits and security techniques, but instead 
we had to explain at least the basics of the actual techniques that make 
VoIP work. You cannot secure something that you do not really 

