Praise for Hacking Exposed: Unified Communications & VoIP Security Secrets & Solutions, Second Edition (2014)


Voice over IP (VoIP) is now the predominant technology for enabling people to communicate, and represents the majority of systems and devices in enterprises. VoIP is also heavily used by both service providers and consumers. Because VoIP is such a broad area, this book primarily focuses on the security issues present for enterprise systems. However, many of the threats, attacks, and countermeasures are relevant in other environments as well.

The term VoIP is being replaced with unified communications (UC), which covers additional forms of real-time communications, including video, messaging, presence, and social networking. Although voice remains the predominant form of real-time communications within UC (and that is where we will focus), these other forms of communication are definitely gaining traction within the enterprise, and all of the major VoIP vendors offer these additional capabilities.

In terms of threats, UC has made many attacks easier. Attackers target VoIP and UC for the same reasons they attacked legacy voice—to steal service, to harass and disrupt, to sell unwanted products and services, to steal money and information, and to eavesdrop on conversations. UC has certainly introduced new vulnerabilities, but more importantly, it has made attacks much easier, cheaper, and available to more people. Two examples are robocalls and telephony denial of service (TDoS). In the old days, if you wanted to flood an enterprise with annoying sales or purely disruptive calls, you needed expensive, complex systems and a lot of “know-how.” Now it is cheap, easy, and safe for just about anyone to execute these attacks.

UC encompasses many distinct pieces of hardware, software, and protocols, including the IP PBX, trunking, gateways, hardphones, softphones, messaging clients, Interactive Voice Response (IVR) units, and call distribution systems. These systems run on top of a variety of operating systems. They use a long list of protocols, including RTP, SIP, H.323, MGCP, and SCCP. All of these systems and protocols depend on the underlying IP network as well as supporting services such as DNS, TFTP, DHCP, VPNs, VLANs, and so on.

The Session Initiation Protocol (SIP) has become the de facto standard for UC signaling. It is exclusively used for external trunking and communications between major system components as well as to endpoints, including handsets, video systems, softphones, and messaging clients. Most of the deployed SIP does not use encryption and authentication and therefore is vulnerable to exploitation using a wide variety of existing attack tools.

There is no one solution for solving current and emerging UC and VoIP security problems. Rather, a well-planned defense-in-depth approach that extends your current security policy is your best bet to mitigate the threats covered in this book.

Why This Book?

This book is written in the tradition of the Hacking Exposed™ series. Many potential UC security threats and attack algorithms described here are little known and were fine-tuned as the book was written. Even if you read the first edition, you will find eight entirely new chapters, with the other nine updated with new tools, techniques, and results. A major focus of this book is on application security issues, which are those that target “voice” and can occur on any type of voice, VoIP, or UC network. These attacks all have a financial or disruption incentive behind them and represent those that enterprises are really experiencing on a day-to-day basis. This information was drawn from working with hundreds of enterprise customers. Also, most of these attacks originate from the untrusted voice network, so they are generally safe and anonymous to execute. Why spend time securing an obscure vulnerability when you leave a gaping hole that an attacker could exploit in your enterprise for hundreds of thousands of dollars?

The book also covers many attacks that can be executed inside a UC network. To demonstrate these attacks, we set up a robust lab consisting of commercial and open-source IP PBXs and as many devices as we could get our hands on. We demonstrate the issues on a wide variety of network equipment and underlying protocols, for both Cisco (the market leader in networking and UC) and SIP-enabled systems.

Who Should Read This Book

Anyone who has an interest in UC and VoIP security should read this book. The material in the book is especially relevant to enterprise IT staff responsible for designing, deploying, or securing enterprise UC systems. IT staff responsible for voice contact centers will also greatly benefit from reading this book, because some of the attacks are unique and/or particularly disruptive for this part of the enterprise.

The information in the book is also applicable to service providers and consumers.

How Is This Book Organized?

This book is split into four completely different parts. Each part can be read on its own, so if you are only interested in the issues described in a certain section of the book, you may consult only that part.

Part I: Casing the Establishment

The first part of the book provides an overview of the major threats and describes how an attacker would first scan the network, pick up specific targets, and enumerate them with great precision in order to proceed with actual attacks. Good preparation and planning are part of any successful attack.

Chapter 1: VoIP Targets, Threats, and Components

We begin the book with a description of what the primary threats are and how they affect enterprise networks. We cover how high-level trends affect UC security, including use of UC within the enterprise network, SIP trunking, the evolution of the public voice network (PVN), and hosted/cloud-based deployments (where the IP PBX and applications are in the public cloud).

Chapter 2: Footprinting a UC Network

In this chapter we describe how an attacker first profiles the target organization by performing passive reconnaissance using tools such as Google, DNS, and Whois records, as well as the target’s own website. We also cover how an attacker gathers information such as enterprise phone numbers.

Chapter 3: Scanning a UC Network

A logical continuation of the previous chapter, this chapter provides a review of various remote scanning techniques in order to identify potentially active UC devices on the network. We cover the traditional UDP, TCP, SNMP, and ICMP scanning techniques as applied to VoIP devices. We also use tools such as Warvox to scan the numbers found in Chapter 2.

Chapter 4: Enumerating a UC Network

This chapter provides a brief introduction to SIP and RTP. Then we cover active methods of enumeration of various standalone UC devices, including softphones, hardphones, proxies, and other general SIP-enabled devices. Plenty of examples are provided, along with a demonstration of several tools used to scan for SIP endpoints. We also cover enumeration needed for application-level attacks.

Part II: Application Attacks

In this part of the book, we cover the primary attacks affecting enterprises, many of which are not new. However, UC and VoIP have made these attacks much more common and disruptive. These attacks primarily originate from the untrusted public voice network (PVN), so they can be safely and anonymously launched from pretty much anywhere.

Chapter 5: Toll Fraud and Service Abuse

In this chapter, we cover toll fraud and other forms of service abuse, where the attacker is abusing the long-distance and international calling capabilities of the enterprise. We cover a number of ways that UC has made these attacks even more of an issue than they were in the past. Toll fraud continues to be the most (or at least one of the most) expensive types of attacks for enterprises.

Chapter 6: Calling Number Spoofing

Here we cover how easy it is now to spoof the calling number (or caller ID). This not only enables attacks, but also makes most of the inbound-call-based attacks that much more effective, because the attacker can be anonymous, pretend to be a legitimate user, or just use random numbers to make a flood of calls more difficult to deal with.

Chapter 7: Harassing Calls and Telephony Denial of Service (TDoS)

In this chapter we cover harassing calls, which are more of an issue due to the ability to spoof the calling number. We also cover telephony denial of service (TDoS), which involves a flood of calls designed to disrupt the operations of the target. TDoS is much easier and more common than in the past, due to the availability of free IP PBX software, call-generation software, and cheap SIP trunks. We also cover a related issue known as call pumping, which can look like TDoS but is actually fraud.

Chapter 8: Voice SPAM

In this chapter we cover voice SPAM, sometimes associated with “robocalls,” which refer to bulk, automatically generated, unsolicited calls. Voice SPAM is like telemarketing on steroids. You can expect voice SPAM to occur with a frequency similar to email SPAM.

Chapter 9: Voice Social Engineering and Voice Phishing

Voice social engineering and voice phishing involve an attacker who manually tricks an enterprise user into giving up information or calling a fake IVR and leaving information. The goal of both is to get sensitive data from the user, such as financial account information, which can be used later to steal funds from the victim.

Part III: Exploiting the UC Network

This part of the book is focused on exploiting the supporting network infrastructure on which your UC applications depend. We begin with typical eavesdropping, man-in-the-middle (MITM) attacks, and network denial of service. We also cover these attacks for a specific vendor system—namely, Cisco, which is the market leader for networking and UC.

Chapter 10: UC Network Eavesdropping

This chapter is focused on the types of UC privacy attacks an attacker can perform with the appropriate network access to sniff traffic. Techniques such as number harvesting, call pattern tracking, TFTP file snooping, and actual conversation eavesdropping are covered.

Chapter 11: UC Interception and Modification

The methods described in this chapter detail how to perform man-in-the-middle attacks in order to intercept and alter an active UC session and conversation. We demonstrate some man-in-the-middle methods of ARP poisoning and present a tool called sip_rogue that can sit between two calling parties and monitor or alter their session and conversation.

Chapter 12: UC Network Infrastructure Denial of Service (DoS)

In this chapter, we introduce quality of service and how to objectively measure the quality of a VoIP conversation on the network using various free and commercial tools. Next, we discuss various flooding and denial of service attacks on UC devices and supporting services such as DNS and DHCP.

Chapter 13: Cisco Unified Communications Manager

This chapter covers how the issues identified in the three previous chapters can be exploited on a specific vendor system. We focus on the Cisco Unified Communications Manager (CUCM) because Cisco is the market leader for both enterprise networking and UC. We also cover many of the industry-leading security features that Cisco has available.

Part IV: UC Session and Application Hacking

In this part of the book, we shift our attention from attacking the application and network to attacking the signaling protocol. The fine art of protocol exploitation can hand intruders full control over the UC application traffic without any direct access and reconfiguration of the hosts or phones deployed.

Chapter 14: Fuzzing, Flooding, and Disruption of Service

The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. In this chapter, we demonstrate some tools and techniques for fuzzing your UC applications. We also cover additional attacks that disrupt SIP proxies and phones by flooding them with various types of VoIP protocol and session-specific messages. These types of attacks partially or totally disrupt service for a SIP proxy or phone while the attack is under way.

Chapter 15: Signaling Manipulation

In this chapter, we cover other attacks in which an attacker manipulates SIP signaling to hijack, terminate, or otherwise manipulate calls. We cover a number of SIP-based tools to demonstrate these attacks. As with other attacks we have covered, these attacks are simple to execute and are quite lethal.

Chapter 16: Audio and Video Manipulation

The attacks covered in this chapter go directly after the UC content, for both voice and video. These attacks involve manipulation of the Real-time Transport Protocol (RTP), which is used in virtually every UC environment. Therefore, these attacks are relevant to virtually any UC system. We also cover RTP steganography.

Chapter 17: Emerging Technologies

In the last chapter of this book, we cover a number of emerging trends that will have an impact on enterprise UC security. We cover Microsoft Lync, Over-The-Top (OTT) UC services, mobility and smartphones, other forms of communications (text messaging, instant messaging, video, social networking), the move to the public cloud, and, finally, WebRTC.

The Basic Building Blocks: Attacks and Countermeasures

As with Hacking Exposed™, the basic building blocks of this book are the attacks and countermeasures discussed in each chapter. The attacks are highlighted here as they are throughout the Hacking Exposed™ series.

This Is an Attack Icon

Each attack is accompanied by an updated Risk Rating derived from three components based on the authors’ combined experience.


Highlighting attacks like this makes it easy to identify specific penetration-testing tools and methodologies and points you right to the information you need to convince management to fund your new security initiative.

We have also followed the Hacking Exposed™ line when it comes to countermeasures, which follow each attack or series of related attacks. The countermeasure icon remains the same.

This Is a Countermeasure Icon

Where appropriate, we have tried to provide different types of attack countermeasures for various UC and VoIP platforms. Such countermeasures can be full (upgrading the vulnerable software or using a more secure network protocol) or temporary (reconfiguring the device to shut down the vulnerable service, option, or protocol). We always recommend that you follow the full countermeasure solution; however, we do recognize that due to some restrictions, this may not be possible every time. In such a situation, both temporary and incomplete countermeasures are better than nothing. An incomplete countermeasure is a safeguard that only slows down the attacker and can be bypassed (for example, monitoring call records to look for toll fraud). You really need a solution that mitigates the issue in real time.

Other Visual Aids

We’ve also made prolific use of the following visually enhanced icons to highlight those nagging little details that often get overlooked:


Online Resources and Tools

You can find online information related to the book at It contains the collection of new tools and resources mentioned in the book and not available anywhere else. As to the remaining utilities covered in the book, each one of them has an annotated URL directing you to its home site. In case future support of a utility is stopped by the maintainer, we will make the latest copy available, so you won’t encounter a description of a nonexistent tool in the book. We also plan to post any relevant future observations and ideas at this website and accompanying blog.

A Final Message to Our Readers

UC security is important in two primary ways. First, UC has made almost all of the long-standing voice attacks much easier to execute. Because of this, we are seeing more and more of these attacks and they are becoming much more disruptive to enterprises. Second, due to its complexity in terms of numerous devices, applications, software, and protocols, as well as its dependence on the underlying network infrastructure, UC has both inherited issues found in the IP network and introduced new vulnerabilities of its own. We hope this book will educate you on these issues and assist you in mitigating them within your enterprise UC network.