Penetration Testing mailing list archives
Re: Seeking Information regarding VoIP security Assessment
From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 14 Oct 2009 13:05:27 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Abhishek Kumar wrote:
Dear list, Can I have some resource materials for VoIP security and its Assessment ?? regards abhi
What do you mean by VoIP security? SIPS/SRTP? VoIP has so very many security issues as to be almost laughable. There are so many VoIP issues that I would not know where to begin -- ranging any where from MiTM (ARP spoofing, capture and replay, etc.) and authentication and authorization, to RTP injection and ... I could go on forever, almost. Bottom line: VoIP, as implemented today, is a clear-text protocol (unless you are tunneling SIP and RTP through IPSec). It has all the equivalent security issues of any clear text protocol, such as FTP (actually, TFTP may be a better comparison). If you should be one of the rare organizations using SIPS/SRTP, there are still a ton of security issues (for example, SRTP setup in the clear). There are also incredible interop issues if you are using SIPS/SRTP. I just finished a 9 month VoIP project. I can assure you that VoIP security is a major nightmare. It is *not* a pretty picture! For a decent introduction to the low hanging fruit of VoIP security, I recommend: http://www.amazon.com/Hacking-VoIP-Protocols-Attacks-Countermeasures/dp/1593271638/ref=sr_1_5?ie=UTF8&s=books&qid=1255539821&sr=1-5 I Hope this helps! Jon - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 c: 843-813-2924 s: 843-564-4224 s: JonRKibler e: Jon.Kibler () aset com e: Jon.R.Kibler () gmail com http://www.linkedin.com/in/jonrkibler My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrWBNcACgkQUVxQRc85QlNbXwCgljTbySwlVM88scy4QOsPma3f UnkAn2UKVoPG1/Gv28KZKihA+E5IoCxN =GSEI -----END PGP SIGNATURE----- ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Seeking Information regarding VoIP security Assessment Abhishek Kumar (Oct 15)
- Re: Seeking Information regarding VoIP security Assessment Jon Kibler (Oct 15)
- Re: Seeking Information regarding VoIP security Assessment Nikhil Wagholikar (Oct 15)