Security Basics mailing list archives
Re: VoIP & Security Testing
From: SMiller () unimin com
Date: Fri, 13 Jun 2003 12:45:23 -0400
Have you looked in the Security Focus archives? There are 2 threads (actually 1 broken thread) entitled "Voice over IP applications vulnerabilities/attacks" from early this year. Try: http://www.securityfocus.com/archive/96/2003-01-01/2003-01-07/1 A brief review indicates a host of article cites and other links to information on this topic. Whether any of that relates specifically to your Mitel vs. Cisco decision is an exercise left to the reader... -Scott Miller "Kirsty Still" <kirsty_still@hot To: security-basics () securityfocus com mail.com> cc: Subject: VoIP & Security Testing 06/13/2003 07:40 AM Help! I am testing some Mitel 3300 VoIP hardware and software and spent yesterday scanning the internet (through Yahoo) for any exploits in software revision: 3.3.12.1 and didn't have a lot of luck. As an end user in the corporation with a normal touch tone phone on the desk, (my voicemail box is locked down just to national calls only)....and as a security consultant I not only wanted to see if Mitel's software was buggy/exploitable, but also to see if users can 'break-out' of their accounts and access others to dial internationally or whatever. The reason behind this is, that my company is going to spend a lot of money on this equipment rolling out nationwide. There are the odd few that do have access to international calling (i.e: managers etc) but then occassionally there are a few odd calls to places like Kenya etc (porn lines). This costs the company a lot of money .. therefore if we are to go ahead with Mitel I want to make sure that every security angle is covered on it. My questions are: 1. Using DTMF tones (once logged into your own voicemail box) can you break out of your account and access others? 2. Are there any known Mitel software problems? 3. If you can break out of your account, and the software is linked over the LAN/WAN can a attacker/hacker use wireless etc to his advantage? (we plan on firewalling areas just in case so it can be protected if this does happen). 4. Do you have any other useful info please? I am no phone phreaker and I really can't be bothered to make blue boxes/beige boxes as I think it's not necessary here .. what I am really trying to do is determine these problems, write up a confidentail report and hand it to management (without scaring them!)... so they can make their decsisions between Mitel and CISCO. I am planning on doing the same testing with CISCO products in our LAB too. Kind Regards Kirsty _________________________________________________________________ Express yourself with cool emoticons - download MSN Messenger today! http://www.msn.co.uk/messenger --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
Current thread:
- VoIP & Security Testing Kirsty Still (Jun 13)
- <Possible follow-ups>
- Re: VoIP & Security Testing SMiller (Jun 13)