Security Basics mailing list archives

VoIP & Security Testing


From: "Kirsty Still" <kirsty_still () hotmail com>
Date: Fri, 13 Jun 2003 11:40:24 +0000

Help! I am testing some Mitel 3300 VoIP hardware and software and spent yesterday scanning the internet (through Yahoo) for any exploits in software revision: 3.3.12.1 and didn't have a lot of luck. As an end user in the corporation with a normal touch tone phone on the desk (my voicemail box is locked down just to national calls only)... and as a security consultant I not only wanted to see if Mitel's software was buggy/exploitable, but also to see if users can 'break-out' of their accounts and access others to dial internationally or whatever.

The reason behind this is that my company is going to spend a lot of money on this equipment rolling out nationwide. There are the odd few that do have access to international calling (i.e. managers etc) but then occasionally there are a few odd calls to places like Kenya etc (porn lines). This costs the company a lot of money .. therefore if we are to go ahead with Mitel I want to make sure that every security angle is covered on it.

My questions are:
1. Using DTMF tones (once logged into your own voicemail box) can you break out of your account and access others?
2. Are there any known Mitel software problems?
3. If you can break out of your account, and the software is linked over the LAN/WAN can an attacker/hacker use wireless etc to his advantage? (we plan on firewalling areas just in case so it can be protected if this does happen).
4. Do you have any other useful info please?

I am no phone phreaker and I really can't be bothered to make blue boxes/beige boxes as I think it's not necessary here .. what I am really trying to do is determine these problems, write up a confidential report and hand it to management (without scaring them!)... so they can make their decisions between Mitel and CISCO. I am planning on doing the same testing with CISCO products in our LAB too.


Kind Regards
Kirsty
