In the past, security has not been a major concern with VoIP (Voice over Internet Protocol) telephony. Businesses and individuals were more concerned about call quality than they were with threats to their VoIP networks and devices.
However, now that VoIP is becoming mains and threatening to make traditional PSTN (Public Switched Telephone Network) telephony obsolete, there is a growing concern about VoIP’s vulnerability to a range of security threats.
VoIP uses the Internet to make and receive phone calls, and because of this VoIP networks are vulnerable to the same sort of attacks and hacking threats as any other Internet-based device. This article looks at the main threats specific to VoIP and describes ways in which you can make your VoIP network or device more secure.
A phone call is a commodity like anything else and, as was the case in the days of analogue-only phones, there are always those intent on stealing what others pay for. While some VoIP threats are related to the theft of sensitive business information and some are malicious attacks by disgruntled employees and customers, the majority are attempts by criminals to steal phone calls, identities or information that will allow them to steal from bank accounts.
The main VoIP threats emerging today are as follows.
This is the VoIP version of Phishing, which is a common ploy used in emails. Criminals pose as authorities or representatives of legitimate organisations, such as banks, with the intention of tricking the call recipient into revealing sensitive information like passwords or credit card details. While most people are now suspicious of emails asking for sensitive information, few are aware of Vishing as yet and are less likely to be on their guard when receiving such calls.
This is a form of service theft, where a criminal steals service from a VoIP service provider or steals a user’s credentials in order to make phone calls, which are then charged to the user. Phreakers also use those credentials to manipulate user accounts, change call plans and add credit in order to steal even more calls.
Eavesdropping is where someone listens in on another’s VoIP phone call in order to learn sensitive information such as phone numbers, passwords or credit card numbers. It is one of the most common methods used by criminals to steal credentials, which can then be used to create false identities and steal service.
Denial of service
This is an attack where a phone network is flooded with unnecessary SIP call signalling messages with the intent of consuming all the available bandwidth and shutting the network down. While this may sound like a purely malicious form of attack, there is a reason for denial of service attacks. While the system is down, the attacker is able to take control of its administrative functions for their own purposes, which usually involve theft of some kind.
This stands for Spamming Over Internet Telephony and is a form of spam similar to email spam. The spammer can send hundreds of unsolicited voicemail messages to known IP addresses, which can ultimately clog up voicemail boxes due to the large size of the data packets. As well as creating a nuisance, SPIT can also be used to transmit viruses and malware.
Viruses and malware
These have been around for years now, with new ones being developed all the time and because VoIP telephony uses the internet, it is vulnerable to the same kinds of viruses, worms and malware as computers are. This malicious code can render a system inoperable or hijack its functions and can be transmitted in voicemail messages.
Also known as a ‘man in the middle’ attack, this is where a criminal intercepts a VoIP call before it is connected and then poses as the call recipient with the intention of gaining sensitive information or hijacking further calls through a redirection server. Providing the caller is calling someone they don’t know, such as a help desk or a business, the hijacker can request sensitive information from them without them being aware that they are being scammed.
Clearly there are a lot of potential threats to a VoIP network or device, and security needs to be taken seriously by everyone, particularly businesses. Some of the recommended ways to reduce your risk of attack are as follows.
Invest in anti-virus and anti-malware software and ensure it is updated regularly whenever new patches become available.
Restrict access to the network to those with usernames and passwords, and ensure passwords are complex and changed regularly.
Set up firewalls to filter data travelling in and out of the network. If the network is controlled by a central server, installing firewall software on that server will protect every device in the network.
Install encryption software on your network or choose a service provider who uses industrial strength encryption (256 bit), so that if data is stolen it cannot be deciphered.
Monitor call logs regularly, looking for unusual call patterns or call destinations and stay informed on any new developments and improvements to VoIP security.
Train staff to be aware of known threats such as Vishing, and adopt best practice procedures for dealing with security threats.
Ensure that your service provider is using all of these methods to protect you and your data.
Just as computer networks using the Internet have always been vulnerable to attack, so VoIP networks now face the same kind of threats.
And while no security system can be entirely foolproof, adopting the measures suggested here and remaining aware of who you are talking to on the phone can help to ensure that your VoIP network or device is as safe as it can possibly be.
The bottom line is, as new security measures are developed so new threats emerge, and the price we must ultimately pay for versatile, low cost, feature-rich communication is unfortunately eternal vigilance.