Phone systems have been hacked for generations. For example, in the 1950s and 60s, phone “phreaks” knew how to listen in on early conference calls and would publish this information in newsletters. Today, voice over internet protocol (VoIP) technology presents a new opportunity for criminals to listen in, which is why it’s critical for businesses to employ the correct security measures for their communications systems.
There are usually telltale signs of a VoIP hack, but what are the vulnerabilities that you should be looking out for in your unified communications or business VoIP calling systems?
Frequently Asked Questions about VoIP Security
You must keep your business VoIP connections secure to protect your business’s critical information and to keep calls clear. Before we get into VoIP security issues, let’s address a few common questions about keeping your business communications line secure.
Why is VoIP Security Important?
Voice over IP connections are done over your IP address, so any holes in your VoIP security will be holes in your network security. With lax VoIP security, cybercriminals eavesdrop on your phone calls and have an “in” to your voice networks, which is a disastrous outcome.
Is a VoIP Phone Service More Secure than a PSTN Line?
This depends. Even with analog PSTN wiring, criminals tap into lines via the wires using physical access and eavesdrop into your conversations. With VoIP, if you take the right steps such as encryption and using dedicated networks as VoIP backbones, then there are very few ways for hackers to breach your security.
Do More Ports Make a Phone System More Vulnerable?
This depends on the security measures in place on the ports. More ports mean that you have to employ more VoIP security measures when protecting your VoIP system. For this reason, your team needs to use the minimum number of ports so that there are fewer entry points into your VoIP network to protect. It’s also essential to plan implementation before you install any new VoIP infrastructure.
Security Risks to Look Out For
IP desk phones, softphones, and smart devices all present potential vulnerabilities for VoIP. Here are a few potential threats to your business communications as well as a few ways to prevent them from damaging your business.
1. Internet Bound Traffic
A VoIP phone system uses internet telephony to send information. VoIP traffic that goes over these lines is automatically less secure, and packet loss easily occurs due to packet sniffers that are looking to steal information.
To help make your internet lines more secure, use a reliable SMB VPN option or a virtual private network to send information. This takes some time to set up and get running, but it ensures that information is secure.
2. VoIP Network Firewalls
Software and hardware firewalls are designed to give your system protection, but firewalls are limited when it comes to VoIP. Old firewalls won’t recognize VoIP services, so the firewall incorrectly blocks VoIP protocols from your system. A modern security firewall scans information to make sure that it is secure, but an older model makes the process much longer than it needs to be.
Get a firewall that works with VoIP phones, and run performance tests to make sure that the IPs handle running the firewall without causing performance issues. An up-to-date firewall scans information without causing packet loss and slowdown.
3. DDoS Attacks
A DDoS attack or a distributed denial-of-service attack is when the attackers use up all of the bandwidth in a data network and leave it vulnerable. It’s important to understand what is SIP trunking and how it can be slowed down, SMS messages delayed, and calls dropped in a VoIP system. With a compromised network, the system’s admin controls are accessed remotely by the attacker. Even if the system is not taken over, the additional traffic makes it unusable.
VoIP-based communications and IP have the same weaknesses as DDoS, so this kind of attack isn’t something that you should ignore. It’s a good idea to separate your data and voice traffic so that a DDoS attack on your general system won’t necessarily affect business communications. This is done via encryption or by the use of a VPN to parse out the various aspects of your internet.
To keep the two connections entirely separate, using a dedicated internet connection just for VoIP is something to consider. Also, use a VLAN, which is a virtual LAN that is specifically provisioned for VoIP traffic. This makes it easier to determine if any unauthorized data flows are happening. For VoIP users sharing across a wide area network (WAN), managed encryption is the best way to ensure safety from DDoS.
4. Call Tampering
Some consider call tampering to be a mere annoyance, but when a hacker is explicitly trying to ruin your VoIP calls that have important information, the results are often disastrous. Call tampering is an attack where the hacker is actively trying to degrade the clarity of your calls. They send data packets along the same path that you’re using for calls, which causes packet loss. This means that the audio signal will be disrupted with delays or static at best or long periods of silence at worst.
Unencrypted voice streams are far easier to tamper with, so using authentication and data encryption are critical to keeping hackers out of your calls. On-premise practices also help reduce the incidence of tampering. Devices like IP phones should be shielded from this type of tampering, and they should feature authorization codes during off-hours. Combining technologies like Blockchain and VoIP adds session initiation protocol authentication that prevents call tampering.
5. Malware and Viruses
By now, you must have noticed that the majority of these security threats to your VoIP systems manifest in reduced service. Malware and viruses, which affect internet-based applications, contribute to VoIP and network security issues. These damaging programs specifically consume network bandwidth and add to signal congestion, which causes signal breakdown for your VoIP calls. These also corrupt data being transmitted across your network, which means that you’ll experience packet loss.
Malware and viruses do a lot of damage by themselves, but they also contribute to future vulnerabilities by creating Trojan backdoors. These backdoors leave gaps in your security that future hackers exploit to call tamper or steal information relayed in your calls. IT teams should employ data security measures such as encryption and regularly check for network infection to protect VoIP systems from malware and viruses. The top SOHO routers from brands like Asus actively block malware, even going so far as to block dangerous sites from your network.
One of the top tricks that fraudulent programmers use to expose security weaknesses in call center fraud is spoofing. Caller ID spoofing allows the caller to imitate the numbers of legitimate agencies, and they then leave a message indicating that suspicious activity is occurring on an attached credit card account. The victim organization is then sent to a number where they have to verify their credentials, which usually includes disclosing sensitive information.
Sound familiar to email-based phishing? Vishing is VoIP-based phishing, and it’s particularly hard to trace, especially since any numbers used usually to originates outside of the country. To prevent vishing, targeted agencies should verify all phone requests, even if they seem to come from the organization’s IT department. Agents also need to be trained to refuse to disclose sensitive information unless cleared by supervisors.
The next two security vulnerabilities are going to sound somewhat gross but they represent sincere threats. Voice over Misconfigured Internet Telephones, or VOMIT, is a software tool that grabs voice packets and siphons information from a VoIP phone system. It’s a type of eavesdropping that not only takes data from your system, but it helps the attacker gather information like the origin of the call and other data about your business. The information that is gained through eavesdropping contains passwords, usernames, phone numbers, and bank information.
Consider using a cloud-based VoIP provider that encrypts calls before they are sent. This is useful for healthcare companies that require VoIP encryption to make a system HIPAA and HITECH compliant. Make sure to follow guidelines from VoIP providers so that your system stays compliant with today’s communication infrastructure. Also, consider building a private PBX network that is more secure than a public network.
SPIT, which is spam over IP telephony, is similar to the spam that you get in emails. SPIT is prerecorded messages that are sent on VoIP phone systems. These calls are mostly a nuisance that ties up your virtual phone numbers, but the spam carries other risks with it, such as viruses, malware, and other malicious attacks on a business.
A solid VoIP solution helps to ensure that the spam is not damaging to your phone system. There’s not a way to prevent SPIT entirely, but having a firewall helps identify the spam when it arrives and controls it so that it doesn’t overwhelm your system.
9. Service and Identity Theft
Service and identity theft is something that happens on VoIP networks due to phreaking. This is a type of hacking that steals information from your system. If your SIP trunks are not encrypted, the information is vulnerable to third parties by accessing things like voicemail. Business data changes occur when a system is being hacked, and things like call forwarding information and calling plans are often affected. Cybercriminals even take over parts of the VoIP network and make expensive calls on your dime, which is called toll fraud.
Billing information that is saved in the system can also be stolen. To prevent this from occurring, make sure that your phone lines are secure by limiting access with a strong password. Keep software updated, and make sure that all data transfers are encrypted. Ransomware protection tools also help protect against service and identity theft.
10. Updating Systems
Did you know that you should be keeping up with regular updates for your VoIP-based firmware and software? Technology administrators tend to ignore updates for devices like IP phone handsets because traditional analog phones didn’t need this kind of patching. Security patches are a critical aspect of maintaining your VoIP infrastructure’s security, even if it briefly takes the system down or requires additional work hours. This is because they often introduce technology to fix packet loss and shore up weaknesses.
For most VoIP phones, the trivial file transfer protocol (TFTP) is the primary system for delivering security patches. Unfortunately, this presents a security vulnerability because any hacker can present a simple file into the system that exposes vulnerabilities and gives the hacker an entry point into the network. To prevent this, security measures need to be in place for protecting hardware from fraudulent patching, and VoIP phones must be regularly patched by IT staff to prevent any vulnerabilities from being exploited.
11. Network Security Issues
You need to perform regular security assessments for your entire network – not just your VoIP infrastructure. You’d be surprised at how a simple lapse in your network security leads to major impacts on the quality and security of your VoIP calls. Optimally, security assessments should be performed by independent and verified security agencies so that nothing is missed that could lead to problems down the line.
Some of the areas that need to be addressed by an independent security assessment include:
- Gateway assessments – VoIP is transferred to PSTN lines by VoIP gateways, and protection mechanisms need to be in place at these endpoints as well as in other endpoints on your network.
- Firewall configuration – Your firewall needs to keep out cyber criminals and allow data packets you sent out to travel unhindered.
- Cyberattack simulations – These are performed to help your organization assess its vulnerabilities and improve intrusion detection.
- Application-based security scanning – An average business network uses multiple applications for a variety of functions, and each should be scanned for issues.
- Patching procedures – Patching procedures should also be assessed to determine if software/hardware has weaknesses that might be exploited.
The benefit of these assessments is twofold: A secure network is beneficial for the entire business and clears up any VoIP security blind spots that have been introduced by your VoIP system.
12. Mobile Phone Security
It’s very common in modern VoIP for service providers to embrace smartphone handsets on both Google’s Android and Apple’s iOS. These mobile VoIP apps are very advantageous for those offices with teams that have to be away from their desks for protracted periods. Using these handsets on a properly secured network keeps these safe, but what happens when a device is used over public Wi-Fi for VoIP?
Unfortunately, most public Wi-Fi uses 802.11x wireless connections, which are vulnerable to cybercriminals. To protect your devices from hackers on free networks, you need to use software that encrypts all data being sent and received.
Additionally, your wireless access points must be protected using more secure protocols than 802.11x, such as WPA. WPA uses encryption to protect connected devices. Finally, a session border controller helps your remote employees connect to SIP trunks while maintaining the security that you need by analyzing all incoming and outgoing VoIP traffic for vulnerabilities and attacks.
Weak Security Could Cost Millions
A VoIP phone system always has security risks, and the more it is used, the more you have to shore up its vulnerabilities. The best thing to do to protect your business’s information is to steadily increase the level of security within the system. When a business is upgrading to a VoIP phone system, enhance security within the network by:
- Updating computer operating systems outside of call times
- Having firewalls in place that work with VoIP
- Using layered security and VPNs for mobile or wireless calls
- Requiring authentication to keep unwanted users off of the VoIP network
Several cloud-based providers put a heavy focus on VoIP security and employ geo-redundancy in their servers. Georedundancy keeps calls consistent by parsing them to different servers, even when there’s been a cyberattack. These providers also employ endpoint security for your connected devices and have dedicated teams that consistently scan your system for vulnerabilities.
Wondering where to start? GetVoIP has put together full comparisons of some of the top hosted PBX providers – all of which have strong security practices in place