I was interviewing a VP of NICE Systems at Spring VON in San Jose; he started telling me about all the wonderful things his off-the-shelf product could do through "voice analytics".

For some bizarre reason, I mapped "voice analytics" to "social engineering" when he started talking about contact centers picking up on competitive offers by word selection—the whole "I have an offer from your competitor". We started freewheeling on what you could do with all that recorded voice data, including identifying attackers through voice analysis and then sharing that profile/voice print among a group of peers—say, you catch someone trying to scam your credit card company. While you've been burned today, you can alert your competitors—who are, in turn, being burned by some other crew. Swap the voice profiles and it's a win-win. He left muttering, "How can I make a profit off of this?"

Radical idea? Not really, we're talking about the same concept that NSA has been accused of Echelon; suck up all the voice, look for key words, ID voices. With the falling cost of hardware and a migration to VoIP, any medium-sized organization can do this—some already are.

Lately there seems to be an explosion of press hype around the possibility of hackers exploiting Voice-over-IP networks and services Skype, Vonage, etc.  VoIP Spam, Caller ID Spoofing, Toll Fraud, VoIP Eavesdropping, VoIP Phishing, and Call Hijacking are just some of the terms being thrown around that seem to cause a fair share of fear and uncertainty in the market. 

We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also in order to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism on which attacks are likely to emerge into the public domain.

Did we learn anything from blue boxing? Yes, it’s fun and we get free calls.

Does PSTN convergence ring any bells? The traditional PSTN network nowadays is IP enabled and SIP signaling allows us to place calls over the internet. Previously safe from direct attacks, call control, billing, and lawful interception became prime targets for attacks. My daily work makes me deal with SIP on the server side and having access to a huge playground of devices, I put them to the test. Work includes a open source SIP stack fingerprinting tool as well as targets and exploits to go with them.

People using VoIP usually only care about the obvious features, not the drawbacks that might show up on your phone bill. We need to weed out bugs before they become an administrator’s and user’s nightmare.

I’m hesitant to teach someone how to do something illegal more effectively. As with all disclosure discussions, the more we open people’s eyes, the more they’ll be prepared to defend against it.  At least that’s my hope.

So let’s show the next generation of phishing attempts. What do all banks say on their websites? “We’ll never ask you to enter your information; we’ll always ask you to call us.” Ok, so if I’m going to send out a phishing e-mail that encourages you to call me what do I need?

Let’s start with Asterisk, the open-source PBX platform. It can emulate a professional IVR platform perfectly. Next, I have to have an 800# to be taken seriously. IAX.cc advertises those for 3.9 cents per minute. Done.

Now I need a professional sounding person for my IVR. Pay someone? Nope. Let’s call a bank using Asterisk and record their IVR prompts into WAV files. It takes some time to find the right 800 numbers for the right voice prompts, but that’s the creative part. Put all of the pieces together using Asterisk at Home’s IVR menuing system and we have a professional sounding IVR platform.