Category Archives: VoIP Security Tools

VoIP Hopper 0.9.9 released with improved VLAN hopping

Blue Box listener Frank Leonhardt clued us in to the fact that VoIP Hopper 0.9.9 was released back on February 19th. VoIP Hopper is a tool that allows you to “hop” between the data a voice VLANs (or any other VLANs) that was written primarily because the authors were tired of hearing people say that VLANs were a true security mechanism (Hint: They’re NOT!). We’ve written about it before and talked about on a Blue Box episode and a Telcom Junkies show and it is indeed an interesting test tool. Per the release notice, this version 0.9.9 has these new features:

  • CDP Generator! VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do. In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet. Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
  • Voice VLAN Interface Delete: VoIP Hopper can delete the created Voice

  • MAC Address Spoof, then exit: VoIP Hopper can change the MAC Address of
    an interface offline and exit, without VLAN Hopping.

You can visit the VoIP Hopper site to learn more.

Technorati Tags:
, , , , ,

SIPTap Author forms VoIP Security Company

Some of you may remember Peter Cox who put out an eavesdropping tool SIPTap last November.

For those who have a short memory, SIPTap monitors “multiple voice-over-IP call streams, listening in and recording them for remote inspection as .wav files.”

At the time, however, the tool didn’t appear to me to be much of a threat because it only worked on the VLAN it was attached to and only if it saw the traffic. Meaning that if you weren’t attached to a span port, a hub or used another tool such as Ettercap, you wouldn’t be able to do much recording.

BUT the tool served Peter Cox’s purpose. Apparently for some time now, Peter Cox has been preaching VoIP security to anyone who will listen… and if he’s like most IA people I know, anyone who doesn’t want to listen, but needs to. The tool, therefore, appeared to be aimed at educating people outside the IA world about the importance of VoIP security and how easy it is to eavesdrop on calls.

Now Peter Cox has started a new company UM Labs where his goal is to develop and deliver products that provide VoIP security in a world where the traditional security foundation of voice and data separation no longer apply.

They are already announcing three products described on the company’s website and here

New VoIP security products are always welcome and UM Labs appears to be looking towards the future to find ways to meet some of the upcoming security challenges of unified networks.

“Hacking and Attacking VoIP Systems” – Slides from my Astricon 2007 presentation about Asterisk and VoIP security

Back at the end of September, I gave a presentation down at Astricon 2007 called “Hacking and Attacking VoIP Systems: What you need to know” which talked generically about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they are:

If you’ve seen other presentations I’ve given, it’s a fairly typical presentation of mine with the addition of Asterisk-specific information toward the end.

Comments are, of course, welcome.

P.S. And yes, there is an audio recording of this presentation which I will, eventually, get up as a Blue Box podcast.

Technorati Tags:
, , , , , ,

Blue Box #69: Linksys SPA-941 vulnerability, SIP DDoS, New release of SIPVicious, Asterisk security roadmap, other VoIP security news, listener comments and more

Blue Box Podcast #69 is now available for download. In this 46-minute episode, Jonathan and I discuss the Linksys SPA-941 vulnerability mentioned in the VOIPSEC list, a potential SIP DDoS, a new release of SIPVicious, a suggested Asterisk security roadmap, other VoIP security news, listener comments and more.

VoiceCon: Dave Endler & Mark Collier’s "IP Telephony Security Threats and Countermeasures"


Today here at VoiceCon in San Francisco, Dave Endler and Mark Collier (both of whom are involved with VOIPSA) gave a 3-hour tutorial on “IP Telephony Security Threats and Countermeasures”.  For those who have read Dave and Mark’s “Hacking Exposed: VoIP” book, the tutorial followed the overall flow of the book.  They began with Dave talking about gathering information about a target, using scanning, enumeration, Google-hacking, etc.  Dave continued with talking about attacking the network through DoS, eavesdropping and then network interception – and the appropriate countermeasures to defend against the attacks.  After the break, Mark went into attacks against Avaya systems and appropriate countermeasures.  Dave followed with a similar section on attacks and countermeasures for Cisco systems.  Mark came back to talk about attacks against applications, fuzzing and ultimately social attacks such as SPIT and voice phishing.  Mark also spent a good amount of time talking about the various tools they developed as part of the book. Mark noted that they have updated the tools available on and will be making more updates in the coming months.

In his section on attacking Avaya systems, Mark Collier stressed a point we’ve made here on this blog:

“It’s great to have encryption enabled for signaling and voice and to buy phones that support it.  Encryption is great and I highly recommend it.  But if you don’t disable telnet or change default passwords, all that secure encryption really isn’t worth much.”


All in all a great session for folks looking for an introduction to VoIP security attacks and appropriate countermeasures.

BlackHat/DEFCON VoIP Security Tools Update

There were a number of new tools released at the recent BlackHat and DEFCON conferences that I’ve just finished adding to the VoIPSA Security Tools List.

First, during the BlackHat Voice Services Security track, Himanshu Dwivedi & Zane Lackey spoke about attacks against H.323 and IAX. They released a number of tools including H225regreject, IAXHangup, IAXAuthJack, and IAX.Brute. Now you can easily launch many of the same attacks (as well as a few new ones) that you’ve known and loved from attacking SIP against both H.323 and IAX.

Next, Zane Lackey & Alex Garbutt debuted their RTPInject tool during the BlackHat turbo-talk track. It’s essentially a nice, pretty, easy to use GUI version of the RTP audio injection attack that I demoed last year at EUSecWest using the rtpinsertsound and rtpmixsound tools.

At DEFCON, Ian G. Harris released a tool called INTERSTATE which is a stateful protocol fuzzer for SIP.

Finally, I released my new RTP steganography tool, SteganRTP, at DEFCON. It uses steganographic data embedding techniques to create a covert channel in an RTP session’s audio payloads which it uses to transport it’s own custom communications protocol. The protocol provides user chat, file transfer, and remote shell access (if enabled).

All of the tools mentioned above can be found via the VoIPSA Security Tools List.

Blue Box #54 – new VoIP security tools list, teleworker FUD, Phil Zimmermann, ETel feedback, SPIT, IETF

Blue Box Podcast #54 was posted about a week ago but with travel I didn’t cross-post it here… in this show, Jonathan and I talked a good bit about the new VoIP security tools list released by VOIPSA, the IETF meeting in Prague, Phil Zimmerman and ZRT, SPIT, the ETel conference and also talked a good bit about some articles circulating around about “how VoIP shouldn’t be used for teleworkers because of security”. Detailed show notes and links are available over on the Blue Box website.

VOIPSA Releases its VoIP Security Tools List

I’m pleased to announce the public release of VOIPSA’s VoIP Security Tool List. The list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. The list is separated into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

Special thanks to VOIPSA members Shawn Merdinger and Dustin Trammell who created the list and have graciously agreed to maintain it. For more information about the tools list, you can listen to Dan York and Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn Merdinger in Blue Box Special Edition #16 available at

Combatting Voice SPAM with VoIP SEAL

One of the highlights of 3GSM Barcelona for me was visiting NEC at their stand, and to see their demonstrations in action. There was some discussion in the VoIP and security space over the last weeks about a server technology called VoIP SEAL that NEC were to demonstrate at the show, and I was keen to see this in action. VoIP SEAL is a system that attempts to defend a VoIP system against VoIP SPAM or SPIT (SPAM over Internet Telephony).

Luckily, at the time I visited the stand, Saverio Niccolini of NEC was there. Saverio is a prominent researcher for NEC, and was a speaker at the 3rd Annual VoIP Security Workshop last year, which I attended and wrote about here. It was great to meet up with Saverio, and he showed me the VoIP SEAL demo himself.

To briefly summarize the system, VoIP SEAL combines a number of different techniques to detect a suspicious VoIP call. Each module does a test and produces a score or index, and at the end the indices are weighted and combined to give an overall score that measures how ‘dangerous’ a call might be. For example, there are modules that can apply blacklist or whitelist logic; measure SIP INVITE rates; test reputation or check that different SIP URIs are not coming from the same IP address. So, each module is dedicated to measuring for a particular exploit or security aspect, and they can be combined in different ways, with different weights.

An interesting part of VoIP SEAL is that it can apply tests in two phases: firstly before answering the call and then after picking up. In the first phase, the ‘suspiciousness level’ of a call can be assessed, and if the level is low, the second phase can be skipped, simply connecting the call to the recipient. However, if the level passes a configured threshold, the call is diverted to a specialized answer machine that can apply further tests. Having this two-phase approach helps to minimize false positives, where genuine human callers get trapped in the system and can’t get through.

In phase 2, VoIP SEAL can measure the speech energy when a greeting or outgoing message is being played. For a genuine human caller, this energy should be low, as humans tend to listen rather than talk over greetings. A bot or SPAM application will behave differently, perhaps starting to stream audio continuously as soon as the media channel is available. There are more sophisticated audio CAPTCHA tests (Turing Tests) that can also be applied to attempt to tell the difference between a human and a bot. If the call is considered suspicious, it can just be allowed to play its message into a voicemail SPAM queue, and perhaps this queue would be periodically reviewed by an administrator to make sure that the VoIP SEAL was working effectively and not trapping too many real human callers.

If you want to hear more about VoIP SEAL, I recorded an interview with Saverio where he explains it in more detail. This interview will be coming up in a future edition of the Bluebox Podcast, run by two of our VOIPSA Chairs, Dan York and Jonathan Zar.

Voice SPAM – the Fightback Begins

Voice SPAM is increasingly a problem, as the cost of making calls gets lower and lower in real terms.  I was interested to see that GrandCentral are taking steps to block Voice SPAM for their customers.  If you haven’t come across GrandCentral yet, they have an interesting product offering that alows you to have one telephone number from them, and have a single voicemail system and the ability to have inbound calls follow you to whatever fixed or mobile devices you are using at any moment.  They also have a lot of advanced features like color ringback (CRBT), call screening, and control via a web interface. 

We’ve talked here before about caller ID spoofing, i.e. that using various services you can lie about your source telephone number.  GrandCentral say on their blog that they know the caller’s number even if the caller ID is not displayed: I presume this means they’re using some good, old-fashioned SS7 signalling technology (rather than IP and SIP).  It will be interesting to see if a blacklisting approach works in the long term, since in the future spammers using VoIP technology to initiate SPAM will not be connected directly to today’s digital telephone networks, but instead will be using some kind of gateway to cross from VoIP to traditional networks.  Presumably once such a VoIP gateway gets blacklisted, the spammers will simply move to the next gateway with a change of IP address.