VoIP Cyber Security Risks For Corporations

Media Division | April 24, 2014

At the core, one of the biggest goals of VoIP (Voice over IP) technology is to foster and maintain low communications costs. Any corporation can create a VoIP network, but one of the challenging parts is to determine what kind of practices would protect against security risks during use.

VoIP systems are growing substantially, with millions of corporations already using them to slash costs and leverage their data networks efficiently. Infonetics Research says the number of phones connected to a VoIP communication service is expected to double the number from 2012 to 2016.

While this consolidation is reducing costs, it is also placing greater security demands on network servers. Compounding the issue is the fact that VoIP technology is internet bound which makes it even more vulnerable. In fact, the internet opens the telephony system to new kinds of threats that simply don’t exist in its traditional counterparts.

Corporations should be aware of the following VoIP vulnerabilities:

DoS (Denial of Service) attacks

VoIP implementations sometimes leave TCP/UDP ports open and without monitoring, these default services could create an environment suitable for a distributed DoS or DoS attack. Though the attack may not penetrate the entire network, it may render a system unusable by flooding it with requests.

The FBI and Department of Homeland Security warned against such attacks using the telephony system last year. TelePacific Communications suffered a massive DDoS attack originating from the internet in the shape invalid VoIP registration requests, which suddenly shot up and flooded the company’s systems. The end result was no calling ability and hundreds of thousands of dollars lost in customer credits.

To combat and prevent these attacks, enterprises must ensure unnecessary ports are patched, and that the network is monitored properly for potential vulnerabilities. Affected network segments should be shut down to block more activity.

SPIT (spam over internet telephony)

SPIT or VoIP spam involves sending of prerecorded, unsolicited messages over VoIP to enterprise servers connected to the internet. Dialer programs makes internet telephony a more effective channel for spam as messages can be sent in bulk instead of dialing each number again.

Also, VoIP attracts spammers because it gives callers anonymity, according to Graham Titterington, principal analyst at Ovum. An enterprise may be using multiple VoIP numbers in different departments, encouraging far more spam activity than is the case with traditional call-charged networks.

So when you are looking at VoIP installation, you may need to introduce a set of policies. This can involve defining which handsets/devices will only have access to white list IP addresses, and which VoIP devices will have open usage, with IP addresses that are known to be VoIP spam sources blacklisted. Encryption of messages over VoIP will help protect them from replication, as well as the confidentiality of their content.

Voice phishing/ vishing

This electronic fraud tactic can trick employees, vendors, suppliers and any other party associated with your organization into revealing personal information and critical financial credentials to unauthorized entities.

The victims of these attacks usually receive an email, telling them there is an issue with their password or account. The recipient is then asked to dial a number, which connects them over VoIP to private branch exchange (PBX) running an IVR system sounding exactly like an official phone tree. It can ask the victim to enter in account information, pin code and even some other verification like billing ZIP code.

To avoid vishing scams, the best measure is to incorporate anti-phishing software with your PBX, which will detect and filter out all the suspicious calls. Employees should also be educated on voice phishing scams, and any phishing suspects should be reported by sending an email to reportphishing@antiphishing.org.

VoIP eavesdropping

Cyber criminals are finding it easy to intercept VoIP conversations, and as most of these conversations travel across the internet, hackers can capture VoIP call packets just like data packets – and they can do it from any location. Attackers then use networking sniffing tools to capture data packets for live or offline analysis.

Attackers then translate the captured data into a voice conversation using tools such as VolPong and VOMIT. Such tools convert data packets into files that hackers can open in any media player software to play phone conversations.

The risk can be greatly reduced by encrypting the digitized VoIP signal. An attacker who manages to intercept data packets will be unable to decipher encrypted calls without accessing corresponding decryption keys.

Bottom line

While there’s no such thing as a totally secure VoIP, a combination of solid security practices can help you safely leverage the technology in your organization.

And ultimately, once you start securing your VoIP infrastructure, you will realize it involves nothing that is drastically different from measures you have always taken to protect your data.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.