Kevin Beaver's Security Blog

Got VoIP? Better make sure it’s secure.

Given that VoIP has been around for more than 10 years, it’s hard to find a business where’s it’s not running in some capacity. I do find it interesting how many network managers aren’t too concerned about the security of VoIP. People say things like “It’s on the inside of the network”, “It’s running on a separate VLAN”, and “We’re PCI and HIPAA compliant but there’s nothing of significance being sent over the wire with VoIP”. Interesting.

Here’s a new story about VoIP hackers getting sentenced to prison – proof, to me, that people out there want your systems, your minutes, your bandwidth and beyond.

There are numerous ways to exploit VoIP from poorly-secured call manager interfaces to network traffic and beyond. For example, Cain & Abel provides a simple way for a malicious insider to turn your Ethernet switches into hubs and capture/playback VoIP traffic. VoIP Hopper can help those where VLAN segmentation gets in their way. I go into VoIP hacking in detail in Chapter 13 of my book Hacking For Dummies, 3rd edition. For further reading check out these pieces that I’ve presented on VoIP security.

However you choose to uncover your vulnerabilities in VoIP, just do something. In the end, if it’s got an on/off switch and an IP address someone’s going to try and manipulate it for ill-gotten gains.