Since Voice over Internet Protocol (VoIP) technology began to take off in 2004, VoIP has enticed millions of consumers and businesses with the promise of lower costs, increased efficiency and added convenience.
And the market is still growing – fast! Growth is forecast at 9.87% CAGR between 2017-2021, and will be driven by consumer and business demand for low cost international calls, mobile VoIP and reduced infrastructure.
However, issues surrounding VoIP security are stopping some businesses and individuals from benefiting from the technology.
To help you understand and minimise VoIP security threats, we’ve created the VoIP Security Guide and Protection Checklist.
The aspects of VoIP which make it so powerful – its flexible, open and distributed design – are the same as those which open it up to potential threats. There is no central body responsible for designing, implementing and monitoring VoIP. And that makes VoIP security particularly complex. Below is a list of some of the most common attacks and what you can do to prevent them.
Phishing is the practice of sending emails purporting to come from a reputable company to encourage individuals to reveal confidential information, such as passwords and credit card information.
Voice Phishing – or Vishing – applies this concept to voice calls. Skilled “vishers” can manipulate common VoIP features – such as caller ID and interactive voice response systems (IVR) – to appear more respectable. Vishing attacks are very difficult to trace.
Education and awareness is the best defence against vishing. Every member of your team should:
By flooding a network with excessive amounts of data, attackers can disrupt services and render your network temporarily unavailable.
A variant of DoS attacks is the Distributed Denial of Service attack (DDoS). These use multiple computers to increase the amount of data transmitted and are therefore more powerful.
By following VoIP security best practice strategies, you can reduce the size of DoS and DDoS threats and make it difficult for even a sophisticated attack to be successful.
Aimed at VoIP, DoS and DDoS attacks often aim to overload the handsets with call-signalling messages sent over the Session Initiation Protocol (SIP). When the handset receives a flood of traffic it may be forced to reset. To prevent this:
To prevent a DDoS attack on servers and software used to run the phone system:
No system can be completely insulated from the threat of DoS and DDoS attacks. However, with the right measures in place, the threat can be significantly reduced. It’s far better to prepare in advance than get caught out.
VoIP communications are no more, and no less, vulnerable to interception or hacking than landline phones – a practice which has gone on for years.
There are different techniques for intercepting a VoIP call. For example, an attacker can connect to the same frequency or URL as a VoIP phone and begin listening. Or, by placing a “bug” in the server, an attacker can intercept voice packets being sent and received.
Spamming over Internet Telephony (SPIT) involves the bulk broadcast of unsolicited VoIP messages. Irresponsible marketers can use spambots to accrue large numbers of VoIP addresses or may hack into a computer used to route VoIP calls. Because it is hard to trace calls routed over IP, attackers may use SPIT techniques to defraud people.
A common misconception is that VoIP systems are more vulnerable to SPIT than non-VoIP systems. This is not true. SPIT attackers use VoIP on the sending side, not the receiving side. This means that POTS destinations are just as vulnerable.
Caller ID spoofing is the practice of causing a telephone network to indicate that a call is originating from a false station. Attackers will often make it looks as though their call is originating from a trustworthy source – such as a bank – to induce victims to reveal confidential information.
A blanket term used to describe malicious software, malware includes viruses, spyware, adware, worms and Trojans. As with any internet application, VoIP networks are vulnerable to malicious code.
War dialling involves automatically scanning and dialling large volumes of numbers – often every number in a local area code – to search for modems, computers, computer servers and fax machines. This information can then be used by attackers to achieve multiple things: guessing user accounts, locating entry points or even just for fun.
A war dialling penetration test looks for weaknesses in your VoIP system. This will:
A penetration test allows your organisation to test whether an attacker can discover and access services, as well as provide recommendations to keep you safe.
By relaying and possibly altering communication between two parties who believe that they are directly communicating with each other, man-in-the-middle attacks can be a significant disturbance for companies. Attackers use man-in-the-middle attacks to eavesdrop or to interfere with information being communicated.
An attacker may disable a valid SIP registration and replace it with their own IP address. This allows them to intercept, reroute, replay or terminate calls as they choose. Victims of registration hacking often do not know that they have been hijacked.
□ Choose VoIP protocols and equipment carefully
□ Turn off unnecessary protocols
□ Consider separating VoIP and other IP-based infrastructures
□ Authenticate remote operations
□ Separate VoIP servers from the internal network
□ Make sure the VoIP security system is able to track the communications ports by reading signalling packets
□ Use the Network Address Translation (NAT)
□ Use a security system that performs VoIP specific security checks
□ Limit max trunk calls and max calls per extension to your requirements
□ Update your server’s operating system and all associated software to the latest version and enable the latest security patches
Passwords and Access
□ Ensure that all passwords are unique
□ Ensure all passwords alphanumeric with at least eight digits
□ Ensure maintenance port access is only available to those with passwords
□ Ensure that passwords and access codes are changed regularly
□ Delete or change former employees’ passwords as soon as they leave
□ Ensure access PIN is set on smartphones which using VoIP
□ Limit external access to known IPs
□ Consider a creating whitelist of callable country codes/premium-rate numbers
□ Limit VoIP registrations to local network
□ Ensure that non-public facing extensions are accessible only via your internal network
□ Block access to unallocated mailboxes on the system and change default PIN on unused mailboxes
VoIP Security Checks and Backup
□ Enable VoIP logging to monitor activity
□ Check firewall logs on a weekly basis to identify potential threats
□ Monitor for evidence of hacking – e.g., out of hours calls and the inability to get an outbound line
□ Analyse billed calls by originating extension to identify unusual usage
□ Back-up your system at least once every 30 days
WMX Global is a leading communications and technology provider. We operate our own core network for international communications, and have developed relationships with renowned carriers across the globe.
WMX’s core network leverages multiple datacentres to increase resiliency and reach. We are interconnected with all major tier 1 carriers. Our network operates to the highest industry standards in performance, latency and security.
Each of our customers are allocated a dedicated account manager, responsible for the success of the services we provide to your business. We provide you with named contacts and support so you have direct access to key members with knowledge of your business and the services and support you require.
Our award-winning technical support team who take pride in helping customers reach a resolution as quickly as possible. And our engineers are all trained to third line standards, which means that technical enquires are dealt with effectively and efficiently by knowledgeable staff.
If you have any questions regarding VoIP security, don’t hesitate to get in touch.
1st Floor Heywood House, Ridgeway Street, Douglas, Isle of Man, IM1 1EW
All content EliteCommsGroup registered in the Isle of Man