New VoIP 'wardialing' security tool has uses beyond hacking

Released this week, the WarVOX suite of security tools is designed to simplify penetration testing and simulate hacking attacks against phone systems, however, it also has applications beyond security testing.

WarVOX is designed to explore, classify and audit a range of telephone systems, including modems, faxes, voicemail boxes, PBXs, loops, dial tones, IVRs and forwarders. IT/phone/security types can put WarVOX to work in conducting security audits, but it could also prove useful in terms of service assurance and configuration testing.

Requiring no phone hardware, WarVOX is "massively scalable" by using Internet-based VoIP providers. A single instance of the software on a residential broadband connect can scan over 1,000 number per hour; using two providers with 40 concurrent lines, Testers have been able to scan entire 10,000 prefixes within three hours.

Since WarVOX archives data once it is collected, it can be re-analyzed as new signatures, plug-ins and tools are developed, so the application could also be tuned and used for weekly service assurance on dial tones, voice mail boxes, and the like, as well as the identification of numbers that are in-use but should be turned off (i.e. a branch office is downsizing or shut down, we need to get the phone company to pull the plug). The auditing function would also be useful to provide a sanity check on phone bills and records on what is actually operational as compared to what people think is operational.

One other attraction might be the cost: scanning 10,000 numbers in three hours costs around $45 in VoIP fees if you get around a 45 percent pick up of the phone, according to the author.

For more:
- ZDNet.com blog
- Learn more at WarVOX.org

Related articles
VoIP security firms stand to gain from SIP deployments - FierceVoIP
SPOTLIGHT: UCSniff VoIP security tool officially unveiled - FierceVoIP