There's no question that there are benefits to moving to VoIP. Cost savings is one of the major drivers for this transition to a converged network. Other movations are flexibility, scalability, and feature sets that a network managed telephony platform can provide, but... IS VoIP SECURE?
"The security threats cause even more concern when we think that VoIP is in fact replacing the oldest and most secure communication system the world has known - POTS (Plain Old Telephone System)."
Switching to this methodology is definitely appealing, but one would be remiss to ignore the fact that like every other device on a network, there are vulnerabilities to hackers and cyber attackers if not properly protected. These types of malicious acts can expose a company to fraud, data theft, and various other financially damaging impacts.
Here's an in-depth look at the threats to VoIP users
& how to make them safer
IDENTITY AND SERVICE THEFT THREATS
Phreaking is a type of hacking that steals telecom services from another service provider or service while passing the cost to another person. Can't say that there weren't ways to do this in the POTS world but, it is a great deal more accessible in the world of VoIP. This vulnerability is due to SIP functioning at the application layer of the OSI stack. SIP is a protocol which controls the authentication over VoIP calls. If it is not encrypted, it could leave user credentials vulnerable.
Not exactly a new idea but eavesdropping is a common way hackers steal credentials and other information. By eavesdropping a third party can obtain passwords, phone numbers, and other identification markers allowing access to voicemail, billing information, and even call forwarding - from which service theft can result.
Obviously, the potential damage from eavesdropping doesn't end at a service threat but, think of the business data that can be exploited from the monitoring of conversations. A phreaker can have full access to accounts creating untold damage.
Vishing is another word for VoIP Phishing (or social engineered hacking), this is where a party contacts you and fakes being a trustworthy organization. They request confidential and often critical information. It seems easy to combat, but this form of intimidation is often used to lure you into believing it is real.
Here is an example, a person was informed about the suspension of their account by their bank because it was supposedly used to purchase “obscene or certain sexually oriented goods or services." The message went as follows: "We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of [Bank's Name] Acceptable Use Policy. Therefore, your account has been temporarily limited for: [some website]. In order to remove the limit please call our TOLL FREE number [Which was obviously not the bank's phone number]." The victim was asked to enter certain information, including their bank PIN, using the following statement, "[Bank Name] asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities." Seems kind of legitimate right... someone obviously was trying to hack their bank account, however it was more vishing than hacking.
VIRUS AND MALWARE THREATS
One of the best features about VoIP is it's softphone functionality. Softphones are applications that run on a PC or laptop and use that device as an endpoint. It allows you to take your "desk" phone with you. However, having software that runs on your PC opens the potential for virus or malware applications to directly connect into your network.
SPIT (Spamming over Internet Telephony) THREAT
Spam in the world of email, results when multiple communications to a user account are sent by a server that are unrequested and unauthenticated. Often the email service provider will provide a filter to remove these emails when this is done, these will go to a spam folder. Spamming in VoIP is not very common but is possible.
VoIP Spam is similar but it takes the form of VOICEMAIL. This is form of solitication is often overlooked however, when you cross this with phishing, it is easy to see what can happen. Voicemail is often considered more secure than email and more trustworthy. However, in this scenario, the same vishing threats are possible - Yes, bank account information disclosure...
DoS (Denial of Service) THREAT
A DoS attack, is an attack that is executed by denying access to resources. This can be done by overloading the network and flooding it with requests making it unavailable for connectivity. In VoIP a DoS attack could involve SIP call signaling messages by spamming the call processor with messages it can degrade calling or stop it all together.
Call tampering is another malicious form of degrading the quality of service of phone calls in progress. By injecting packets into the data stream an attacker can degrade the quality of a call. It is also possible to block the packets in progress so that the communication is spotty and broken.
MAN IN THE MIDDLE ATTACKS
VoIP is particularly vulnerable to man in the middle attacks, in which an attacker intercepts call signaling SIP message traffic and pretends to be the calling party to intercept incoming calls. At this point, they can hijack calls with a redirection server and takeover incoming and outgoing.
What can I do?
Make sure you are in control of your system so that someone else isn't. These are a few things to make sure you are protected or you can click the button above for physical test by a technician.
A virtual private network is a great way to keep your data encrypted across your network as well as from the outside. You want to provide a VPN for those connecting to your network so that both your data and voice security can be maintained.
Attacks can happen, consider using a managed service provider that does 24/7 monitoring. It is a great way to keep an eye on your network even when you cannot.
This almost goes without saying but, encourage your users to create passwords that are strong with some complexity. Be careful not to require too much complexity as that can cause password listing. When a user creates a password that conforms to security but isn't meaningful, they tend to write them down. By encouraging meaningful passwords it reduces the likelihood of listing which in turns increases security.
VoIP - Ready Firewalls
Firewalls are a corporate expectation, and though you have one, it is important to validate that it effectively protects your VoIP systems. Make sure your system is protected.
Often overlooked and expected, user education is the only way to protect against socially engineered hacking. Your users will often be the weakest link in your security strategy. Share information with your users letting them know what is and or isn't the best way to handle email. Remind them to never give away information that is confidential to a unauthenticated source. When in doubt - don't give it out!