If there's one rule of online crime today, it's that if something is online, criminals are looking for ways to subvert it. So when developing security systems for a network, it's vital to address every possible vector for attack. Unfortunately, one key system often goes forgotten during security reviews, and that can mean very bad news for businesses: a VoIP phone system.
It's easy to take a telephone system for granted, but hackers are coming up with new ways to exploit VoIP systems all the time. The threats presented by phone-based hacking are every bit as serious as other attack types.
What Hackers Can Do If They Gain Access To Your VoIP Phone System
There are a surprising number of ways a VoIP system can be subverted. For example:
Toll Fraud: Having gained access to your VoIP lines, the criminals then become their own private phone company - with you paying the bill. They'll often even resell your service for their profit.
Spamnets: Much like how a compromised computer can become part of a botnet spreading email spam, a compromised VoIP system can be used to spread voice spam - potentially even getting you into legal trouble under Do-Not-Call legislation.
Eavesdropping: Any and all private or confidential information discussed over your phones can be captured and used against you.
Voice Phishing: Having direct access to your VoIP system makes it easier for criminals to spoof (falsify) calls from seemingly-genuine sources, for the sake of gaining confidential information.
DDoS Attacks: If attackers want to cripple your business, directly targeting a SIP server is an effective way to do it, particularly since SIP servers usually don't have robust anti-DDoS protections.
Not to mention, in many cases, gaining access to a company's VoIP system ultimately allows attackers to gain access to other critical systems. So a VoIP attack also presents all the same threats as any other network/data attack.
It's important to note that these concerns are valid whether you're receiving VoIP from a third-party provider, or you run your own SIP and PBX interface on-site. However, if you're doing everything on-site, you're probably at higher risk.
Protecting Yourself From VoIP-Based Attacks
Largely, security for a VoIP system is the same as for any other major part of your network. The problem is that so many businesses forget to give it suitable protections. In particular:
1 - Always change the default passwords.
This should go without saying, except you'd be surprised how many businesses don't bother.
2 - Have discrete logins for any admin who controls the system.
Never share usernames and passwords between administrators. Everyone should have unique credentials.
3 - Deploy anti-virus and anti-malware software.
Yes, there are software packages and network architectures which can provide antivirus protections to your phones too.
4 - Utilize Session Border Controllers.
SBCs guard the edge of your network, such as where your VoIP system interfaces with the networks outside your building. They're like firewalls for your VoIP.
5 - Password-protected phone calls.
It's a bit of a pain for your workforce, but will greatly reduce the ability of someone to make calls even if they gain access to your system.
6 - Always review call logs.
Regularly go over all your logs and look for any anomalies, particularly out-of-country calls to areas you don't do business in.
7 - Implement Secure Real-Time Transport Protocol (SRTP).
SRTP is end-to-end encryption on VoIP calls. It can degrade call quality somewhat, but in many cases - particularly if you deal in sensitive information - it's a worthwhile trade-off.
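The call-log review from step 6, as an added example that is not part of the original article: this Python script flags calls to destinations outside an allow-list of country prefixes or placed outside business hours, and reports extensions with repeated flagged calls in one day. The CSV column names, the allowed prefixes, the business hours, the threshold and the sample records are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample call-detail records (CDR). Column names are assumptions;
# map them to your PBX or provider export. "+999" is a placeholder country code.
SAMPLE_CDR = """start,extension,dialed,duration_sec
2024-03-04 09:12:00,101,+12125550143,180
2024-03-04 10:40:00,102,+442079460018,600
2024-03-05 02:14:00,103,+9995550101,1260
2024-03-05 02:31:00,103,+9995550102,1500
2024-03-05 02:58:00,103,+9995550103,1440
2024-03-05 14:05:00,101,+13105550199,95
"""

ALLOWED_PREFIXES = ("+1", "+44")  # countries the business calls (assumption)
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local time (assumption)
BURST_THRESHOLD = 3               # flagged calls per extension per day


def review_cdr(cdr_text):
    """Return (findings, bursts) for a CDR export in the sample layout."""
    findings = []
    per_ext_day = Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if not row["dialed"].startswith(ALLOWED_PREFIXES):
            reasons.append("destination outside allowed countries")
        if start.hour not in BUSINESS_HOURS:
            reasons.append("placed outside business hours")
        if reasons:
            findings.append((row["start"], row["extension"], row["dialed"], reasons))
            per_ext_day[(row["extension"], start.date().isoformat())] += 1
    bursts = sorted(k for k, n in per_ext_day.items() if n >= BURST_THRESHOLD)
    return findings, bursts


if __name__ == "__main__":
    findings, bursts = review_cdr(SAMPLE_CDR)
    for start, ext, dialed, reasons in findings:
        print(f"{start} ext {ext} -> {dialed}: {'; '.join(reasons)}")
    for ext, day in bursts:
        print(f"ext {ext} had {BURST_THRESHOLD}+ flagged calls on {day}")
```

Prefix matching is a coarse filter; tune the allow-list and hours to where and when your business actually places calls.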
Are you concerned about your on-site security? Contact Hummingbird Networks today to request a free consultation on your security measures!