Connecting any kind of device to a network that is linked to the internet introduces an element of risk. In fact, the more connected devices you have, the bigger that risk becomes. This issue has been highlighted by the recent proliferation of Internet of Things devices, but it applies equally to the spread of VoIP-based voice communication systems.
VoIP attacks are on the increase; because the technology uses the same network for your voice and data traffic, there’s the possibility that a hacker can gain access to your network via an IP phone connection. Many systems integrate with smartphones too, leaving open another potential avenue of attack.
If you are switching to VoIP to take advantage of wholesale VoIP termination rates from specialists such as IDT Express, you need to be aware of the potential threats and what you can do about them.
Plans of attack
VoIP can use a number of different communication protocols. The most common is SIP – which, unsurprisingly, is also the most compromised – but there’s also H.225, as well as proprietary systems including Cisco’s SCCP.
The exact means of attack will vary according to the protocol in use, but they tend to have common goals. Malicious calls can be used as a form of DDoS attack to overload and attempt to take down the network. This can be an end in itself, to disrupt business or demand a ransom, but it can also be used as a means of distracting from another attack on the network with the intention of stealing data or introducing malware.
Attackers will try to gain as much information about your VoIP system as they can: the quantity of numbers in use, how many extensions there are and so forth. They can then use this information to bombard your system with spam calls themselves or, more likely, sell your details on to rogue call centres. It’s also possible that they will attempt to gain access to your system in order to make calls on your account so that you pick up the bill.
This is known as ‘toll fraud’ but it can go much further than just allowing hackers to make unauthorised calls. With sufficient access to your network, they may even be able to set up an extra ‘ghost’ hosted PBX, allowing them to make lots of fake calls that you end up paying for.
How to protect yourself
So we’ve looked at some of the common motives for attacking VoIP systems. But what can you do to guard against them? Many security professionals now believe that network attacks are a matter of ‘when’ rather than ‘if’. In many cases, the attackers’ lives are made easier thanks to misconfigurations and poorly enforced security policies.
Many of the things you can do to protect your VoIP system are straightforward. Using strong passwords, for example, is essential. Never leave the default password set on any phones or other devices and ensure that employees always use their own access codes and don’t share them with anyone else. Avoid weak passwords such as the name of your business and make sure you enforce a mix of upper and lower case characters and numbers to make passwords harder to crack.
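The password rules above can be checked automatically across all your extensions. The script below is an added example, not part of the original article or any vendor's tooling; the (extension, secret) input format, the list of default secrets, the minimum length and the sample data are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed list of factory-default or trivial secrets; extend with your vendor's defaults.
DEFAULT_SECRETS = {"1234", "0000", "admin", "password", "changeme"}


def audit_credentials(entries, business_name, min_length=10):
    """Return {extension: [findings]} for (extension, secret) pairs.

    min_length is an assumption of this example; the article sets no length.
    """
    findings = defaultdict(list)
    seen = defaultdict(list)  # secret -> extensions that use it
    for ext, secret in entries:
        seen[secret].append(ext)
        lowered = secret.lower()
        # Default passwords, or a secret equal to the extension number itself.
        if lowered in DEFAULT_SECRETS or secret == ext:
            findings[ext].append("default or trivial secret")
        if business_name and business_name.lower() in lowered:
            findings[ext].append("contains business name")
        # The article asks for upper case, lower case and numbers together.
        if not (re.search(r"[a-z]", secret) and re.search(r"[A-Z]", secret)
                and re.search(r"\d", secret)):
            findings[ext].append("missing upper/lower/digit mix")
        if len(secret) < min_length:
            findings[ext].append("shorter than minimum length")
    # A secret used by more than one extension means access codes are shared.
    for secret, exts in seen.items():
        if len(exts) > 1:
            for ext in exts:
                others = ", ".join(e for e in exts if e != ext)
                findings[ext].append("secret shared with " + others)
    return dict(findings)


# Constructed sample data: (extension, secret) pairs for a business named "Acme".
SAMPLE = [
    ("1001", "1234"),
    ("1002", "Acme2024"),
    ("1003", "tR7vQ2mWx9Lp"),
    ("1004", "Kd83nfPq0Zs1"),
    ("1005", "Kd83nfPq0Zs1"),
]

if __name__ == "__main__":
    for ext, issues in sorted(audit_credentials(SAMPLE, "Acme").items()):
        print(ext, "; ".join(issues))
```

Extensions that pass every check are left out of the result, so an empty dictionary means nothing was flagged.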
VoIP calls are actually harder to intercept than old-fashioned PSTN calls. However, if you are worried about exposing sensitive information, you can also look at encrypting network traffic so that if call data is intercepted, it remains useless to the attacker. You may well already have the capability to do this built into your router or firewall, so it could just be a case of turning encryption on.
If you have employees accessing your VoIP system from outside – on mobile devices or when working from home – you might want to consider using a VPN. This creates a secure ‘tunnel’ through the public internet so that your information can’t be intercepted and it allows remote workers to access your network as if they were in the same building.
Errors in configuration can often lead to vulnerabilities and these are easily overlooked. It’s therefore important that you test your network to find any weaknesses which you can then address as necessary. If you don’t have the capability to do this yourself, there are specialists that can do it for you.
Finally, don’t forget your staff. Making sure that people are properly trained in using the system and in using it safely and securely is a vital step in ensuring that your VoIP system and the whole of your network remains safe.
Taking steps now to ensure your network is protected is far preferable to having to pick up the pieces of a data breach – with all of the potential reputational and financial damage that entails – at a later stage.