Hacking VoIP: Protocols, Attacks, and Countermeasures
Author: Himanshu Dwivedi
Publisher: No Starch Press
Voice over Internet Protocol (VoIP) has given us an affordable alternative to telecommunications providers that were charging us a small fortune for telephone calls, especially those made to international destinations. The average user will point out call quality as an the only possible problem in an VoIP environment, but there are numerous security issues affecting this technology and author Himanshu Dwivedi is here to dissect them for you.
About the author
Himanshu Dwivedi is a security expert and researcher. He has published four books, “Hacking Exposed: Web 2.0”, “Securing Storage”, “Hacker’s Challenge 3” and “Implementing SSH”. A founder of iSEC Partners, Himanshu manages iSEC’s product development and engineering, specialized security solutions, and the creation of security testing tools for customers.
Inside the book
The popular Hacking Exposed series covered VoIP security in one of their 2006 book releases. With the advantages made in this arena, it was nice to see No Starch Press going for the same topic late last year. As you could see from the author blurb, Mr. Dwivedi co-authored some of the McGraw-Hill hacking titles and this time he takes on VoIP hacking all by himself.
The book we are featuring today is focused on discussing the major security aspects of VoIP networks – devices, software implementations and protocols. While there is a short introduction into the world of VoIP security, it is assumed that the readers are familiar with the basics of this technology, especially signaling and media protocols. In some of the chapters you will come across information of value for users of PC based VoIP implementations, but the main focus is on enterprise deployments.
As the book is full of in depth technical aspects of providing the reader with actual manifestations of VoIP security issues, I would suggest you try to follow the authors “lab setup” that he provides early into the book. He wrote down some notes on setting up a test computer with the appropriate SIP/IAX/H.323 clients and server, together with creating an attacker’s workstation based on BackTrack Live CD.
If you are familiar with VoIP protocols, you will be eager to see what are the things you can do better to step up the security situation in your corporate network. The author shares some quality insides about the H.323 attacks, RTP security, as well as issues with IAX.
The second part of the book tends to cover the most interesting topics – those in where the author shows actual hacking and mangling with different threat scenarios. Over about 80 pages he provides practical advice on what can get wrong and how someone can compromise the state of your VoIP security. He often uses Massimiliano Montoro’s popular tool Cain & Abel to show what kind of data can be intercepted and read through your network. I particularly liked the examples on caller ID spoofing, as well as a notion of VoIP phishing that I still didn’t see in real life.
In the last two important chapters, author briefly walks through methods of securing VoIP installations and provides a perfect closing with “VoIP Security Audit Program version 1.0” – a testing methodology written by himself. This valuable collection of data covers the most important audit topics, accompanied with questions and feedback results.
“Hacking VoIP” is a practical guide for evaluating and testing VoIP implementation in your enterprise. I liked the concept where the author focused just on “upper scale” deployments, making the book perfect for the system administrators that are getting deeper into the world of securing VoIP.