Given that VoIP has been around for more than 10 years, it’s hard to find a business where it’s not running in some capacity. I do find it interesting how many network managers aren’t too concerned about the security of VoIP. People say things like “It’s on the inside of the network”, “It’s running on a separate VLAN”, and “We’re PCI and HIPAA compliant but there’s nothing of significance being sent over the wire with VoIP”. Interesting.
Here’s a new story about VoIP hackers getting sentenced to prison – proof, to me, that people out there want your systems, your minutes, your bandwidth and beyond.
There are numerous ways to exploit VoIP, from poorly-secured call manager interfaces to network traffic and beyond. For example, Cain & Abel provides a simple way for a malicious insider to turn your Ethernet switches into hubs and capture/playback VoIP traffic. VoIP Hopper can help those where VLAN segmentation gets in their way. I go into VoIP hacking in detail in Chapter 13 of my book Hacking For Dummies, 3rd edition. For further reading, check out these pieces that I’ve presented on VoIP security.
However you choose to uncover your vulnerabilities in VoIP, just do something. In the end, if it’s got an on/off switch and an IP address someone’s going to try and manipulate it for ill-gotten gains.