Toll-fraud paths tested?

Yes. INVITE replay, REGISTER hijack and SBC bypass attempted. The report shows the captured packet and the DoT OSP clause violated.

Are RTP streams checked for eavesdropping?

Yes. SRTP key reuse, ZRTP downgrade and unencrypted RTP paths reviewed. Each finding cites the DPDP Section 8 control.

TRAI UCC and DLT scrubbing relevant?

Yes for outbound voice — header and content checks reviewed against TRAI UCC rules. Findings cite the TRAI 2018 regulation by section.

WebRTC clients in scope?

Yes. STUN, TURN, ICE and DTLS-SRTP reviewed. Browser-side leaks and IP-disclosure paths flagged.

VoIP penetration testing

Find what a port scan never places.

SIP REGISTER hijacking, RTP eavesdropping, SDP injection, IAX2 brute force, voice-VLAN hopping, Asterisk AMI exposure, and PSTN-trunk toll fraud, tested by hand against your PBX, SBC, and signalling stack. Every finding lands with a recorded call, the replayed media, and the dialplan diff your engineers can ship.

See the VoIP method

Four planes

Signalling · Media · PBX · Edge, one method, four layers of the stack.

Proof of call

Every finding ships with a recorded call, replayed RTP, or a fraudulent toll-out.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record

Why an open port isn't a placed call

An open port is not a placed call.

A scanner reports SIP/5060 listening, AMI reachable, SRTP optional. SecureLayer7's operators take it further, register a phantom extension, hijack the next inbound call, decode the RTP stream, and run a fraudulent toll-out across your PSTN trunk. Every finding ships with the recorded call, the replayed media, and the dialplan or SBC diff your team can deploy.

Two columns. Scanner findings on the left escalate to proven exploits on the right: SIP open to REGISTER hijack, SRTP optional to RTP intercept, AMI reachable to PBX takeover, trunk ACL wide to toll fraud.

IN SCOPE.

What lands in a VoIP engagement.

SIGNALING

SIP + H.323

MEDIA

RTP + SRTP

RTP injection, eavesdropping where SRTP isn't enforced, codec-conversion abuse on media gateways.

INFRASTRUCTURE

PBX + SBC

Default credentials, admin-interface exposure, trunk-side trust, CDR tampering, voicemail PIN brute force.

INTERCONNECT

Carrier trust

Trunk-side abuse, caller-ID spoofing past STIR/SHAKEN gaps, premium-rate fraud paths, peering trust.

What we test ,

Four planes of the call. One engagement.

Each layer gets a manual, threat-modelled review against its real attack surface, signalling, media, infrastructure, and the trunk edge. Intensity tunes per scope.

Signalling, SIP / SDP

REGISTER hijacking, INVITE flooding, BYE/CANCEL race conditions, SDP rewriting, ALG bypass, digest-auth replay, contact-header rewrite, and presence-leak via SUBSCRIBE/NOTIFY.

Media, RTP / SRTP

RTP eavesdropping, ZRTP/SRTP downgrade, DTMF injection, codec confusion, replay across the media stream, comfort-noise abuse, and media-relay bypass.

Infrastructure, PBX core

Asterisk AMI/CLI exposure, FreeSWITCH event-socket misconfiguration, Cisco CUCM AXL credential leak, dialplan logic abuse, voicemail PIN brute force, IVR fingerprinting and option escape.

Edge, SBC + SIP trunk

SBC peering misconfiguration, voice-VLAN hopping, SIP trunk toll fraud, IAX2 brute force, NAT/ALG traversal abuse, peer-spoofed call replays, and geo-routing rule override.

VOIP METHODOLOGY.

Eight phases. Dial plan to media stream.

Threat-modelled to your dial plan, trunk peering, and PBX topology. Not a template we run against every voice network.

Scope & threat-model

Inventory of extensions, trunks, codecs, voicemail, and IVR is agreed before any signalling is touched. In-scope numbers and call windows defined in writing.

Recon & enumeration

SIP scanning (svmap, svwar, svcrack), extension enumeration via REGISTER and INVITE responses, codec offer probing, ALG fingerprinting, IAX2 discovery, exposed AMI or HTTP admin.

Signalling exploitation

REGISTER hijacking, contact-header rewrite, BYE or CANCEL race, INVITE replay across digest auth, SDP rewriting, dialog-ID prediction, ALG bypass. Exercised to call control.

Media exploitation

RTP capture and decode, SRTP or ZRTP downgrade where the offer permits, DTMF injection, codec mismatch leading to garbled-then-replayed audio, comfort-noise abuse.

Infrastructure exploitation

Asterisk AMI privilege escalation, FreeSWITCH event-socket abuse, CUCM AXL credential reuse, dialplan injection, voicemail PIN brute force, IVR option escape.

Toll-fraud & trunk abuse

Outbound toll fraud across the PSTN trunk, premium-rate dialing, peer-spoofed call replays, geo-routing override. Measured to a billed call.

Remediation guidance

Asterisk pjsip.conf snippets, CUCM partition diffs, SBC ACLs, dialplan rewrites, ZRTP-mandatory configurations, AMI or HTTP admin lockdown. Written for voice engineers, not auditors.

Patch verification

Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each call path is closed.

Insights

VoIP security Resources.

SIP/RTP write-ups: registration hijack, billing fraud paths, and the VoIP-side bugs we find in carrier and enterprise PBX gear.

3CX desktop supply-chain compromise infection chain diagram

VoIP

3CX Supply Chain Compromise, technical analysis and PoC

Trojanised VoIP/PBX desktop client shipped to 600,000+ orgs. Infection chain, MITRE techniques, IoCs and remediation steps from the SL7 lab.

Spoofing

Caller-ID spoofing, vishing, and how attackers fake trust

Caller-ID, IP and email spoofing primitives, how SIP and PSTN trust is abused, and the layered defences that actually hold up under a pentest.

Network

Defending against MITM attacks with network segmentation

RTP eavesdropping is a MITM problem first. How proper voice-VLAN segmentation and trust boundaries take the man out of the middle.

Meet our expert

One lead across signaling and media planes.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes VoIP and telecom engagements against your dial plan, trunk peering, and PBX topology. He guides the pod from kick-off through final report and re-test.

Scopes Asterisk, FreeSWITCH, CUCM, and SBC engagements against your real call paths.
Owns kick-off, mid-engagement check-ins, and live walkthrough of every recorded call.
Drives remediation review and re-test until every signalling and media finding is closed.

SL7 Lab. Published CVE research.

Ready to scope a VoIP pentest? Book 30 minutes with John to walk through your dial plan, trunk peering, and timeline.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Retail

Contact-center voice infrastructure, IVR, customer-PII voice paths.

See Retail pentest

Tech SaaS

SaaS-embedded voice (CCaaS), WebRTC SIP gateways, SBC boundaries.

See Tech SaaS pentest

FinTech

Banking IVR, fraud-team voice infrastructure, recording-and-retention chains.

See FinTech pentest

Built for India engagements

What changes when we deliver here.

Compliance scoping
Packet-captured proof of toll-fraud or eavesdropping path
Regulatory framework
TRAI UCC and DoT OSP clauses cited per finding
Local engagements
Indian contact-centre and BPO VoIP audits
Local pricing
INR per-trunk pricing with GST
Compliance scoping
DPDP Section 8 voice-data encryption review

VoIP security questions Indian contact-centres ask.

Toll-fraud paths tested?
Yes. INVITE replay, REGISTER hijack and SBC bypass attempted. The report shows the captured packet and the DoT OSP clause violated.
Are RTP streams checked for eavesdropping?
Yes. SRTP key reuse, ZRTP downgrade and unencrypted RTP paths reviewed. Each finding cites the DPDP Section 8 control.
TRAI UCC and DLT scrubbing relevant?
Yes for outbound voice — header and content checks reviewed against TRAI UCC rules. Findings cite the TRAI 2018 regulation by section.
WebRTC clients in scope?
Yes. STUN, TURN, ICE and DTLS-SRTP reviewed. Browser-side leaks and IP-disclosure paths flagged.

Delivery in India

SIP and SBC review. TRAI UCC-aware.

SIP, RTP, WebRTC and SBC paths tested for toll fraud and eavesdropping. TRAI UCC rules and DoT OSP licence conditions noted per finding.

Direct line: +91-20-71600505
Office: Pune, Maharashtra, India

Frameworks scoped: CERT-In · DPDP Act · RBI CSF · SEBI CSCRF · ISO/IEC 27001 · PCI DSS.

Sample VoIP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working proof-of-call, code-level fix guidance for voice engineers. Sent on request after a 5-minute scoping call.