English version French version Plan du site Sitemap Site clientLogin
IT Security

>Voice over IP Security

Voice over IP deployement generates new vulnerabilities for the company. Xmco Partners offers Security assessment of VoIP infrastructures.

The main benefits are :

  • QoS optimization: Quality of Service and availability are the main purposes of the phone network.
  • Exhaustiveness : All risks are evaluated, equipements are analyzed as well as the vulnerabilities of the applications (unified messaging, ...).
  • Cost managing : Plan improvement and security of the voice network.
  Contact us to get a services proposal



>VoIP risks

Implementing a service of Telephony over IP introduces new problems inside the companies like quality of service and data confidentiality issues.

New Voice networks are weak against all protocol attacks and realtime constraints.

As instances:

  • "Man-in-the-middle" in order to listen private conversations.
  • "Deny of Service" to block all phones call.
  • Spoofing user ID.
  • Exploiting a software vulnerability (softphone, unified messaging, ...) to bypass network security.
  • Bypassing invoicing in order to get free call.
  • Passive sniffing to capture sensitive informations via DTMF composition (credit card number, mail password, ...)
  • Physics attacks via Power on Ethernet (IEEE 802.3af - PoE).
The following picture describes all evaluated elements during a VoIP assessment by Xmco Partners

Exemple Architechture VoIP

  Contact us



>Our methodology

Find all weakness in the network and VoIP services

Our methodology is based on our high skills on penetration testing and we will bring you the tools to manage security costs.

The main parts are the followings:

  • Confidentiality :
    • Spoof an ID by sending forged messages.
    • Join silently an conversation.
    • Sniffing Voice network: "Man-in-the-middle", "sniffing", "DTMF" composition, decrypt conversations.
  • Availability :
    • Deny of Service by changing "Codec" on the fly.
    • Deny of Service by sending forged messages SIP.
    • Deny of Service by attacking network layer.
  • Integrity :
    • Attack web access from network equipements.
    • System assessment of "Call Manager/IPBX" (private OS, Windows, Linux, Solaris, ...).
    • Testing separation between Voice and Data networks.
    • Testing restriction against incoming connection (Wardialing and rebound).
    • Firewall analysis.
    • Attack on VoIP infrastructure (TFTP/DHCP/DNS).
  • Quality of Service:
    • Testing Voice priority.
    • Testing disaster follow-up and alerts
    • Overload and Burst.
    • Voice spamming.
  • Disaster Recovery Plan :
    • Disaster Recovery Plan analysis.
    • Urgency numbers priority (911,...).
  Contact us



VOIP AUDIT

> Services proposal

+ Architecture consulting

+ VoIP Security Audit

+ Contact an expert

+ Phone : 0033 147 346 861




> Our VoIP security whitepaper

+ VoIP Security Overview - A layered approach




> Our article from "Actu-Secu"

+ VoIP risks (French Only)