VoIP Security: Vulnerabilities & Best Practices

VoIP Security: Vulnerabilities & Best Practices

As our communications shift over to the digital space, businesses are benefitting from higher quality and more uninterrupted services. But, with the many advantages of communications technology like Voice-over-Internet Protocol (VoIP), it’s important to implement the best security measures to best protect your operation and your clients.


What is Voice-over-Internet protocol (VoIP)?

This is a business communications technology that allows you to connect with staff internally and clients externally using internet rather than the traditional analogue system. This means no more issues with telephone lines – weather, theft, or maintenance – but rather a reliable service that improves operations.


What are the VoIP security risks?

Unfortunately, the rise of cybersecurity over the past few years has had a massive impact on how businesses are run and the need for increased security measures. With VoIP, there are several specific security risks that you have to consider, and ways to prevent substantial economic losses and reputational damage in the process.


1.     Toll fraud

Criminals are always coming up with new ways to steal valuable data, personal information, and funds. When it comes to VoIP, toll fraud is one of the most common threats to a business – and here is how it works. Basically, a criminal will hack into your VoIP network to make bulk international calls which racks up a massive bill. They are essentially using your company to allow users to make international calls and then collect the revenue. Unfortunately, many companies only realise they’ve been the victim of toll fraud when they receive their massive bill at the end of the month.


2.     Vishing

This is VoIP-based phishing to scam people by using a caller ID from a legitimate source – in this instance, it would be from your business. The caller will pretend to be from a company, and contact a victim in an attempt to get private information such as ID numbers, passwords, or banking details over the phone. If the scammer is successful in accessing this private information from victims, they will then use this information to defund the victim through security breaches.


3.     Call tampering

Another trick of hackers is to break into your VoIP system using data packets as a way to disrupt your communication channels. This is a really vindictive form of hacking that will result in reduced audio quality, interrupted service, and system delays. Over time, this form of call tampering can lead to significant damage to your reputation as customers will become irate with the unreliable communication system.


4.     Spam over Internet Telephony (SPIT)

This one is as vile as the name suggests! Hackers will create pre-recorded messages and implement robocalls to various victims who will then, unsuspectingly, answer the call as it’s from a legitimate number. Unfortunately, these robocalls can carry viruses and malware that result in very high international calling fees for the recipient. This can be hugely detrimental to your business reputation and very costly for the victims.


5.     Packet sniffing

When VoIP first came onto the market, something called ‘packet sniffing’ was developed as a way to examine the quality of telephone lines that were carrying internet data across the entire network. As is so often the case, cyber criminals discovered a way to take emerging technology and use it for ill-gotten gains, with packet sniffing now used to carry out attacks on small-to-medium sized businesses. What they tend to do is record and steal unencrypted information in voice data packets, preventing them from getting to their destination.


6.     Distributed Denial-of-Service (DDoS)

In this particular VoIP attack, hackers will flood the service with requests as a way to use up its bandwidth and, once deprived of resources, the business is unable to use its VoIP services. To carry out this attack, hackers will use what’s known as zombie computers made up of botnets. Once instructions are sent to the botnets, the network becomes overwhelmed leading to increased latency and poor call quality.


7.     Man-in-the-Middle / Eavesdropping / Voice Over Misconfigured Internet Telephone (VOMIT)

Depending on the criminal intent, there are several types of eavesdropping attacks to watch out for. There’s the call hijacking, call tapping, and man-in-the-middle attacks where the hackers can listen in on your active calls (including video and conference calls) and even record your VoIP communication or access existing recordings. Alternatively, hackers will use VoIP to access other sensitive company information including usernames and passwords, phone numbers, location data, customer lists, call forwarding, billing details, and more.


8.     Spoofing

This seemingly simple technique sees individuals impersonating your staff by hacking into the VoIP system. Once they’ve gained the trust of the individual, they will then use this to access personal information or steal valuable data.


9.     Phreaking

Combining ‘phone’ and ‘freak’, phreaking is the use of audio frequencies to infiltrate and manipulate phone systems. What hackers will usually do is infiltrate your VoIP system as a way to adjust your account credits, change call plans, access voice mail, steal billing information, and make long-distance calls on your account. This is often only picked up when the phone bill arrives at the end of the month.


10.  War dialling

One way cybercriminals manage to access your VoIP is by setting up a computer programme to mechanically scan lists of phone numbers looking for an access point into poorly secured devices. This war dialling is essentially dialling large volumes of phone numbers, eventually landing an easy target.


What are some tips for securing VoIP?

You need to ensure that your VoIP system is not that easy a target! It’s clear that there are several security vulnerabilities that cybercriminals are already taking advantage of – and many they will look to take advantage of in future – so you need to implement the security best practices to protect your VoIP now.


1.     Update your PBX and SIP endpoints

You will need to update your firmware and software so that it creates a protective shield for your PBX and SIP endpoints. Just keep updating your software as these will typically have the most security for current bugs and vulnerabilities on the market.


2.     Avoid port forwarding

Port Forwarding is the mapping of an external port on your IP address to the PBX within your private Local Area Network (LAN). What this does is expose your PBX digitally, bringing potential hackers to your door to launch cyber-attacks. Tunnelling services are offered by security providers that have encryption technology to properly secure your business communications.


3.     Protect against network security threats

You must ensure that your company’s entire network is protected from the public. This means you must avoid ever exposing your PBX intranet by blocking any unauthorised access. This will help to protect you against attacks such as DDoS, toll fraud, vishing, and more. You can restrict access to specific PBX administrators with customised privileges depending on what is needed. There’s also the option of restricting access from certain countries or regions to prevent call tampering, as well as implementing firewall rules to block traffic from certain IP addresses, ports, and more.


4.     Ensure you have strong passwords

When it comes to protecting your VoIP from vulnerabilities, then passwords are the most important aspect to consider. You must implement strong passwords across your PBX for registrations, administration and user web interface, voicemails, and more. When it comes to choosing a password, some tips to remember include:

  • Avoiding passwords you’ve used before.
  • Using different passwords for different accounts.
  • Using a password with at least 8 characters, including a mix of upper case, lower case, and digits.


5.     Put limitations on calls

The reality is that hacking attempts generally occur after hours when the system is not being attended to which is why implementing a limitation feature on your outgoing and incoming calls. There is generally a Time Condition feature, but you can also limit the lines that can make international calls, as well as place a limit on the number of outbound calls within a pre-set time interval to prevent war dialling. There’s also the option of implementing access control so that only senior administrators can view settings and adjust configuration values.


6.     Keep your data backed up

In the event of your VoIP system being hacked and data lost, it’s important that you have all the system data backed up on a file for immediate recovery. This means implementing a stringent backup retention policy which keeps you secure in the event of data loss from theft or physical destruction.


7.     Consider a redundancy solution

You could also consider a mirroring server pair which will ensure there is immediate recovery when a failure occurs. These standby servers will ensure a complete system switch when an active server fails, with instant alerts in the event of a failure.


8.     Anti-hacking mechanisms

There are also certain anti-hacking mechanisms you can implement to protect your VoIP system from cybercrime. These include elements such as blocking IP addresses if they try and fail to register too many times, as well as limiting the extension registration to LAN only.


9.     Implement encryptions

You need to secure your SIP trunk so that your voice packets are protected when transferring from your business to the recipient. This can be done by encrypting your communication through a Transport Layer Security (TLS) as well as

Secure Real-time Transport Protocol (SRTP). This protects your VoIP system from eavesdropping while keeping your audio-visual sessions protected from malicious activities.


What to check when getting VoIP security

Installing a VoIP system is a worthwhile investment for business operations, cutting costs and improving the quality of your communication drastically. However, you must ensure you’re working with a provider who can offer the latest in security systems as well. When getting VoIP, check that:


  • Tunnelling services: This is where an intermediary (tunnel) server is used to transfer data between the PBX and SIP endpoints.
  • Encryption: Your PBX should have its own encryption key so that, even if the data is accessed, it is encrypted.
  • Remote access: This will allow you to permit or block access remotely.


To find out more about VoIP, security vulnerability, and best practices, get in touch with the industry leaders, ECN today.

Leave a Reply

Your email address will not be published.