Five tips to stay secure

Common threats to your VoIP system

Sheldon Smith
VOIP image via Shutterstock

VoIP remains a popular system for telephone communication in the enterprise. But have you ever considered the security holes this system is leaving you open to? And what company secrets are at risk of eavesdropping, denial of service and “Vishing” attacks?

Using a VoIP system to handle calls for your company? You’re not alone. In 2014, the worldwide VoIP services market reached almost $70 billion and is on pace for another banner year in 2015.

Despite the usability, flexibility and cost effectiveness of VoIP systems, companies need to be aware of several common threats that could dramatically increase costs or put company secrets at risk. Here are five of the most common VoIP threats and how your company can stay secure.

I – Transmission issues

Unlike plain old telephone service (POTS), VoIP systems rely on packet-switched telephony to send and receive messages. Instead of creating a dedicated channel between two endpoints for the duration of a call using copper wires and analog voice information, call data is transmitted using thousands of individual packets. By utilizing packets, it’s possible to quickly send and receive voice data over an internet connection and VoIP technologies are designed in such a way that packets are re-ordered at their destination so calls aren’t out of sync or jittery.

What’s the risk? The transmission medium itself. POTS lines are inherently secure since a single, dedicated connection is the only point of contact between two telephones. Though when voice data is transmitted over the internet at large, it becomes possible for malicious actors to sniff out traffic and either listen in on conversations or steal key pieces of data. The solution? Encrypt your data before it ever leaves local servers. You’ve got two choices here: Set up your own encryption protocols in-house, or opt for a VoIP vendor that bundles a virtual private network (VPN), which effectively creates a secure “tunnel” between your employees and whoever they call.

II – Denial of service

The next security risk inherent to VoIP? Attacks intended to slow down or shut down your voice network for a period of time. As noted by a SANS Institute whitepaper, malicious attacks on VoIP systems can happen in a number of ways. First, your network may be targeted by a denial of service (DOS) flood, which overwhelms the system. Hackers may also choose buffer overflow attacks or infect the system with worms and viruses in attempt to cause damage or prevent your VoIP service from being accessed. As noted by a recent CBR article, VoIP attacks are rapidly becoming a popular avenue for malicious actors — UK-based Nettitude said that within minutes of bringing a new VoIP server online, attack volumes increased dramatically.

Dealing with these threats means undertaking a security audit of your network before adding VoIP. Look for insecure endpoints, third-party applications and physical devices that may serve as jumping-off points for attackers to find their way into your system. This is also a good time to assess legacy apps and older hardware to determine if they’re able to handle the security requirements of internet-based telephony. It’s also worth taking a hard look at any network protection protocols and firewalls to determine if changes must be made. Best bet? Find an experienced VoIP provider who can help you assess existing security protocols.

III – Eavesdropping

Another issue for VoIP systems is eavesdropping. If your traffic is sent unencrypted, for example, it’s possible for motivated attackers to “listen in” on any call made. The same goes for former employees who haven’t been properly removed from the VoIP system or had their login privileges revoked. Eavesdropping allows malicious actors to steal classified information including phone numbers, account PINs and users’ personal data. Impersonation is also possible – hackers can leverage your VoIP system to make calls and pose as a member of your company. Worst case scenario? Customers and partners are tricked into handing over confidential information.

Handling this security threat means developing policies and procedures that speak to the nature of the problem. IT departments must regularly review who has access to the VoIP system and how far this access extends. In addition, it’s critical to log and review all incoming and outgoing calls.

IV – Vishing

According to the Government of Canada’s “Get Cyber Safe” website, another emerging VoIP threat is voice phising or “vishing”. This occurs when malicious actors redirect legitimate calls to or from your VoIP network and instead connect them to online predators. From the perspective of an employee or customer the call seems legitimate and they may be convinced to provide credit card or other information.

Spam over Internet Telephony (SPIT) is also a growing problem; here, hackers use your network to send thousands of voice messages to unsuspecting phone numbers, damaging your reputation and consuming your VoIP transmission capacity. To manage this issue, consider installing a separate, dedicated internet connection for your VoIP alone, allowing you to easily monitor traffic apart from other internet sources.

V – Call fraud

The last VoIP risk comes from the call fraud, also called toll fraud. This occurs when hackers leverage your network to make large volume and lengthy calls to long-distance or “premium” numbers, resulting in massive costs to your company. In cases of toll fraud, meanwhile, calls are placed to revenue-generating numbers – such as international toll numbers – which generate income for attackers and leave you with the bill.

Call monitoring forms part of the solution here, but it’s also critical to develop a plan that sees your VoIP network regularly patched with the latest security updates. Either create a recurring patch schedule or find a VoIP provider that automatically updates your network when new security updates become available.

VoIP systems remain popular thanks to their ease-of-use, agility and global reach. They’re not immune to security issues – but awareness of common threats coupled with proactive IT efforts helps you stay safely connected.

Sheldon Smith
Sheldon Smith is a Senior Product Manager at XO Communications. XO provides services such as: Hosted PBX, VoIP, SIP Services, and more. Sheldon has an extensive background in unified communications. Sheldon is know for being strategic minded and for his ability to steer projects to completion.

1 Comment
Inline Feedbacks
View all comments
3 years ago

There are a number of different ways that you can support your team through the transition to VoIP. Set up an in-person training and make sure that all team members have access to training manuals, tutorials, and videos before you completely switch over.