Penetration testing for VoIP

Abstract

Thanks to its economic advantages and flexibility, VoIP technology is spreading dramatically in recent years. This increase is happening much faster, especially due to the recent COVID-19 restrictions. However, the rapid spread also brings along some security threats. So, it is inevitable to take security measures specific to VoIP technology. These security measures specific to VoIP systems and devices will increase the benefit in terms of cost and performance. In this context, penetration tests to determine the required security measures should also be made specific to VoIP. In this paper, we proposed a penetration testing strategy for VoIP which ensure and analyzes the VoIP vulnerabilities. Furthermore, it provides an aspect of view on VoIP security precautions for VoIP administrators. This strategy provides proactivity to VoIP administrators before a possible attack. In our future studies, we aim to analyze them by implementing in a test environment.

Keywords

• Attack models
• Penetration Test
• VoIP
• VoIP Security

References

1. [1] Hallock J.A. Brief history of VoIP. Evolution and Trends in Digital Media Technologies, 2004. http://www.joehallock.com/edu/pdfs/Hallock_J_VoIP_Past.pdf.
2. [2] Bell, P. (2019). No Lifeline for Wireline: Fixed Voice Continues to Fall. https://blog.telegeography.com/no-lifeline-for-wireline.
3. [3] Coulibaly, E., Liu,L. Security of VoIP networks. In: 2nd International Conference on Computer Engineering and Technology (ICCET) 2010, pp. 104-108. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5485790
4. [4] Thermos,P., Takanen, A., Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures. Boston, USA. Adison-Wesley, 2007.
5. [5] Porter, T. Threats to VoIP Communications Systems'. Syngress Force Emerging Threat Analysis. 2006, pp. 3-25.
6. [6] Mirjalili, M., Nowroozi, A., & Alidoosti, M. A survey on web penetration test. Advances in Computer Science: An International Journal, 3(6), No.12, November 2014, pp. 107-121
7. [7] Samant, N. Automated penetration testing. PhD, San Jose State University, United States, 2011.
8. [8] Bhatt, P., Yano, E., & Gustavsson, P. Towards a framework to detect multi-stage advanced persistent threats attacks. 2014 IEEE 8th international symposium on service oriented system engineering. IEEE, 2014.

9. [9] Guerrero-Saade, J.A., Raiu, C., Moore, D., & Rid, T. Technical Report. Penquin’s moonlit maze: The Dawn of Nation-State Digital Espionage. Kaspersky Lab. 2017.
10. [10] Deibert, R. J., Rohozinski, R, Manchanda, A, Villeneuve, N., & Walton, G. Tracking ghostnet: Investigating a cyber espionage network. 2009.
11. [11] McClure, S., Gupta, S., Dooley, C., Zaytsev, V., & Chen, X.B., Kaspersky, K., Spohn, M., Permeh, R., 2010. Protecting your critical assets-lessons learned from operation aurora. Technical Report, 2010.
12. [12] Accessed: 2020-12-29, https://msrc-blog.microsoft.com/2019/08/05/corporate-iot- a- path- to- intrusion/.
13. [13] Alshamrani, A., Myneni, S., Chowdhary, A., & Huang, D. A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. IEEE Commun. Surveys and Tutorials, 2019: 21(2), 1851–1877. doi: 10.1109/COMST.2019.2891891.
14. [14] Chen, P., Desmet, L., & Huygens, C. A. study on advanced persistent threats. IFIP International Conference on Communications and Multimedia Security. 2014, Springer, pp. 63–72.
15. [15] McWhorter, D. Mandiant exposes APT1 - One of China’s cyber espionage units & releases 3,000 indicators. Mandiant February 18, 2013.
16. [16] Ussath, M., Jaeger, D., Cheng, F., & Meinel, C. Advanced persistent threats: Behind the scenes. Annual Conference on Information Science and Systems (CISS). 2016, IEEE, pp. 181–186.
17. [17] VoIP Penetration Testing. (2019, November 8). Essential Infosec Private Limited. https://www.essentialinfosec.com/services/voip-penetration-testing/
18. [18] R. Pepper. The History of VoIP and Internet Telephones. https://getvoip.com/blog/2014/01/27/history-of-voip-and-internet-telephones/, 2014.
19. [19] Vice. How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet. https://www.vice.com/en/article/8q8dab/15-million-connected-cameras-ddos-botnet-brian-krebs 2016.