Phone hackers are exploiting VoIP. Here’s how to protect your business.

Thought Leadership on VOIP/Telecommunications presented by Chesapeake Telephone Systems.

With the wide adoption of Voice-over-IP technology, phone hacking continues to evolve. It’s costing businesses billions of dollars annually in lost productivity and higher phone bills. Typically, there’s no escape — many carriers expect the victims to pay for fraudulent calls in full.

Decades ago, “phreakers” were able to access Ma Bell’s telephone network using a “blue box” to make free local and long-distance calls. The box simulated the same tones used by telephone operators’ dialing consoles to originate and complete calls. Then the phone phreaks discovered how to break into corporate PBXs to make free calls.

Today, hackers continue to wreak havoc on traditional phone systems, but with the popularity of VoIP phone systems, hackers have a new playground. That’s because the Internet and IP-based technologies suffer from a growing list of security vulnerabilities, offering hackers a variety of new attack vectors.

Tallying the damage

Since an IP phone system typically shares the same data network as other IT systems, a breach of the phone system can lead to a breach of other IT systems as well. The ramifications can go well beyond making huge numbers of calls at your expense…

As of 2015, organizations lost $3.93 billion to PBX hacking, according to the latest annual survey conducted by the Communications Fraud Control Association. Coming in a close second were losses to IP Phone System hacking, which amounted to $3.53 billion. Collectively that’s $7.46 billion in annual losses!

Types of attacks

Although there are many variations of the attacks that can be launched against traditional PBX and VoIP phone systems, here are a few of the most common and damaging attacks inflicted on businesses.

Toll fraud can be launched in several ways. With a VoIP system, for example, hackers can break into the call control functions of a SIP server. Once connected, they can query the SIP options to understand the capabilities of the attacked server and use this information to generate thousands of dollars in junk sales calls. Other attack vectors include poorly configured routers that accept incoming call setups from any source IP address, IP Phones with outdated firmware, and network switches that are set up once and then forgotten.

Eavesdropping on phone calls can yield big dividends to hackers, especially if the targets are financial institutions, professional services firms, and government agencies. Of growing interest to hackers is listening in on call center activity. Whether a traditional standalone call center or one added on to a VoIP phone system, confidential account information, health records, and payment card data are routinely discussed. Conference rooms are also coming under attack because of the sensitive nature of executive level conversations that occur there. Tools for capturing voice and video communications are widely available and shared within the hacker community.

Voicemail hacking is also potentially lucrative and usually involves spoofing a caller ID and applying a brute force technique to arrive at valid PINs. A successful breach allows unauthorized calls from that user extension as well as international calls through the voice-mail platform. Access to private voice mails can expose the private information of corporate and government decision-makers. This can be used to harm, embarrass or blackmail targeted individuals and their organizations.

Softphone hacking is done by capturing wireless traffic to discover a user’s authentication information so the hacker can re-create the softphone account to eavesdrop on phone calls and make unauthorized calls on that account. With access to a real softphone – one that will appear legitimate to the target of a social engineering ploy – there is virtually no limit to the damage that can be perpetrated on the organization by a determined hacker.

Denial of service attacks are attempts to disable the functionality of the VoIP system to prevent legitimate calls from being processed, as opposed to gaining operational control. The target of the DoS attack is usually the SIP server, so taking steps to prevent unauthorized access is of paramount importance.

8 preventive measures

The good news is that there are measures you can take now to ensure your phone system stays protected against the bad guys…

  1. When installing new phone equipment and network devices, change the passwords from the default settings.
  2. Do not use easy-to-guess passwords and avoid the use of a phone number or extension as the system password. If your password is easy to remember, then it offers little or no security. Use a random number generator to design an effective password.
  3. If you have more than one administrator accessing the telephone system or any IT system, make sure they use unique access credentials.
  4. Whenever IT staff members leave the organization, immediately disable their access credentials to phone systems, computers and management tools.
  5. Ask your service provider about its fraud monitoring capability; specifically, if it has real-time toll-fraud mitigation in place that will stop suspicious calls. The service provider should contact you to verify if the flagged calls are legitimate. Also, ask how the service provider deals with Denial of Service attacks.
  6. Routinely review itemized telephone invoices for any anomalies; if your organization does not call certain international locations, for example, set up the phone system to disallow outbound calls to these locations.
  7. Make sure phone system and voice application software is kept up to date. If you subscribe to cloud voice, this should be done by the provider as part of its hosted VoIP service.
  8. Consider using end-to-end encryption to protect sensitive VoIP conversations. This feature may be added to the premises IP Phone system with encryption software, or offered by a cloud voice provider as an add-on to its hosted VoIP service. In essence, end-to-end encryption provides a secure virtual private network (VPN) connection that protects the privacy of conversations.

Larger VoIP networks may need to take a more granular approach to security. The more devices and protocols used, the more extensive the threat landscape becomes.

VoIP is here to say

VoIP offers several compelling benefits over traditional telephony. These advancements do not come without a cost and require greater effort, planning, and vigilance to ensure high availability and security. Fortunately, end users and businesses can significantly reduce the risks with proactive measures. In addition, VoIP providers and hardware makers are more aware of the security implications behind their services and products. When businesses and providers are both engaged in the fight, they can effectively thwart the bad guys.

Click here for more Thought Leadership on VOIP/Telecommunications from Chesapeake Telephone Systems.

Jeff Nolte is President of Chesapeake Telephone Systems in Millersville, Maryland. He can be reached at 410-850-4848 or jnolte@CTSmd.us