VoIP Security 101

Ralph DeFrangesco

I am right in the middle of a VoIP audit and thought that I would share some important security-related thoughts with you. Without a doubt, VoIP can save your company money and give your users features that are not available with a PBX.


However, you need to be aware of security issues in case someone like me comes knocking on your door to audit your system. Although I am a nice person, or so I am told, I will be looking for certain documents to include in my audit and if I don't get them, you will definitely get an audit finding against you. So, if you want to avoid explaining in front of an audit committee why you have a finding, pay attention!


  • Is your system documented or are you the only one who knows how it works? Create diagrams that show how the system works so that when you are on vacation sunning yourself on a nice beach somewhere, the person who is covering for you knows how it works as well. New people joining your department would appreciate it also.
  • Do you have a process for adding and deleting users? If a new employee joins the organization, do you get a ticket to create a user ID for them? Do you also get a ticket to remove them from the system?
  • Who has admin rights on your system? As an IT auditor, I would want to see who has the authority to administer your system. I better see separate accounts for everyone who does. In other words, what controls do you have in place?
  • Do you open change-management tickets for changes to the production system? I would pull at least the last three months of changes to see if you are putting in tickets. This tells me that you are getting approvals for changes and that you are communicating changes with business and technology leaders.
  • Are you backing up the systems? Auditing is about being able to prove what you are doing and what controls are in place. I would need to see a crontab entry (if on Unix), backup sheets from operations and logs to know this is being done on a scheduled basis.
  • Is your features list reviewed on a regular basis? Can people still "sit" on a conference call after you hang up? Can employees make long-distance calls after hours?
  • Finally, I would do a vulnerability assessment on your system(s). Can I get to the voice network from the data network? Can I hack an IP phone? Can I capture voice packets and play them back later? Here are some tools that you may consider running against your system:
    • Vomit
    • UCSniff
    • Oreka
    • VoIPong
    • VoIPer
    • Vnak
    • VoIPHopper
    • RTPInject
    • SIPVicious

*Note: I take no responsibility for your results with these tools.
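The backup item above asks for a crontab entry and logs that prove the job runs on schedule. As an added example, not part of the original post, here is a small POSIX shell script in that spirit: it archives the PBX configuration with a checksum, appends one audit record per run, and carries the check an auditor would run against that record (archive still present, checksum unchanged, age within the expected window). The paths and the script's install location are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Scheduled VoIP config backup that leaves an audit trail, plus the check an
# auditor can run against that trail. Paths are placeholders: point
# VOIP_CONF_DIR at wherever your PBX keeps its configuration.
VOIP_CONF_DIR="${VOIP_CONF_DIR:-/etc/voip}"            # hypothetical path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/voip}"          # hypothetical path
BACKUP_LOG="${BACKUP_LOG:-/var/log/voip-backup.log}"   # hypothetical path

# The crontab entry the auditor asks to see (nightly at 02:00, assuming the
# script is installed as /usr/local/sbin/voip-backup.sh):
#   0 2 * * * /usr/local/sbin/voip-backup.sh run

# voip_backup SRC DEST LOG
# Archives SRC into a timestamped tarball under DEST and appends one record
# to LOG: "<UTC time> OK <archive> <sha256>" or "<UTC time> FAIL <src>".
voip_backup() {
    src="$1"; dest="$2"; log="$3"
    mkdir -p "$dest" "$(dirname "$log")" || return 1
    now_iso=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    out="$dest/voip-config-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    if tar -czf "$out" -C "$src" . 2>/dev/null; then
        sum=$(sha256sum "$out" | cut -d' ' -f1)
        printf '%s OK %s %s\n' "$now_iso" "$out" "$sum" >> "$log"
        return 0
    fi
    printf '%s FAIL %s\n' "$now_iso" "$src" >> "$log"
    return 1
}

# backup_verify LOG MAX_AGE_SECONDS
# The audit check: the newest OK record must point at an archive that still
# exists, whose checksum still matches the log, and whose mtime is within
# MAX_AGE_SECONDS (93600 = 26 h is a sensible window for a nightly job).
# A log line on its own proves nothing if the archive was later lost or altered.
backup_verify() {
    log="$1"; max_age="$2"
    [ -f "$log" ] || return 1
    line=$(grep ' OK ' "$log" | tail -n 1)
    [ -n "$line" ] || return 1
    file=$(printf '%s\n' "$line" | awk '{print $3}')
    want=$(printf '%s\n' "$line" | awk '{print $4}')
    [ -f "$file" ] || return 1
    have=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$have" = "$want" ] || return 1
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    [ $(( $(date +%s) - mtime )) -le "$max_age" ]
}

# Entry points: "run" for cron, "verify [max-age]" for the auditor.
# With no argument the script only defines the functions, so it can be sourced.
case "${1:-}" in
    run)    voip_backup "$VOIP_CONF_DIR" "$BACKUP_DIR" "$BACKUP_LOG" ;;
    verify) backup_verify "$BACKUP_LOG" "${2:-93600}" && echo "latest backup verified" ;;
esac
```

The verify step is the part worth keeping even if you already have a backup product: the auditor wants evidence that the scheduled job produced something restorable on each expected date, and a checksum recorded at backup time and re-checked later is a cheap way to show that the archive has not been lost or modified since.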


Many people don't like auditors. I don't know why; they are nice people at heart. However, you don't want to get on the bad side of one. So, follow my advice and you should be fine. Also, buying them a cup of coffee would be helpful.

Apr 13, 2009 2:55 AM Tony Stout says:

I'm having problems running most of the hacking software you suggested.  Problems compiling on Linux.  Any suggestions?  Wasting valuable time trying to run these!

Apr 13, 2009 3:04 AM Ralph DeFrangesco says: in response to Tony Stout

I really can't offer any direct advice since I don't know what platform you are trying to compile on, the error messages, and your level of knowledge. I can say that I successfully compiled all of the software I listed. I can't turn my back on a fellow IT person, so please feel free to contact me directly at rdefrangesco@gmail.com with the error messages/problems you are having. I think between the two of us we can figure it out.


Apr 13, 2009 5:01 AM Tony Stout says:

Thanks. Running Red Hat and keep having to put in various libraries. Wish I knew a good consultant to run these tests that isn't afraid of bringing down the VoIP network.

Apr 13, 2009 7:53 AM Ralph DeFrangesco says: in response to Tony Stout

Yes, there are numerous libraries that need to be loaded. I don't remember which one of those tools, but one required something along the lines of 6-7 libraries. Of course this depends on which version of RH and what libraries you have loaded. I would not be so concerned about bringing down the network. I ran those tools and did no damage to the NW. However, in all fairness, I was not able to run the tools to their full extent. Of course the best action is to test after hours or on weekends. Please let me know how you make out.


Apr 16, 2009 8:43 AM Tony Stout says: in response to Ralph DeFrangesco

Okay I was able to run most of this but did bring down the network!  Didn't get fired or anything but the tech guys were not too happy to get up at 2 a.m. to resolve this.  Oh well that is what they get paid for!
