Security issues you need to be aware of before considering VoIP
By Jim Carroll
Times used to be simpler when phone lines were just that, but today more and more companies are moving to the more complicated VoIP (Voice over Internet Protocol) system for their phone lines. This is partly due to advances in technology, and partly forced by telecoms companies like Spark suggesting they won’t support the legacy phone lines in future.
While VoIP can work well in the right circumstances thanks to potential cost, flexibility and number portability advantages, you do need good IT support. In circumstances which aren’t optimal, it can end up being more expensive and more complicated, and come with a range of security issues which need to be well thought out. Let’s take a look at the four main security issues below.
1. Denial of Service (DoS)
Hackers can use automatic phone dialler software which rapidly calls you and then hangs up. This is called a DoS attack, and it keeps your line busy so you cannot accept or make calls. Attacks like this can severely impact any business’s ability to communicate and can be extremely difficult to stop.
A recent example is an attack on the New Zealand Exchange (NZX) which shows how vulnerable businesses can be. One way to help protect your communication infrastructure is by using Session Border Controllers (SBCs) which act as a VoIP firewall. This protects your network by using a secure connection between you and your service provider and gives you more control over your VoIP calls and voice traffic.
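In call records, the call-and-hang-up pattern described above appears as many very short calls from one number within a short time. The following is an added example, not part of the original article, that flags this pattern; the CSV layout, the phone numbers and the thresholds are constructed assumptions, not any provider's real format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records (assumed layout): start, caller, callee, seconds.
SAMPLE_CDR = """\
start,caller,callee,duration
2024-05-01T09:00:00,+6491110001,+6495550100,184
2024-05-01T09:00:05,+6422000999,+6495550100,1
2024-05-01T09:00:11,+6422000999,+6495550100,0
2024-05-01T09:00:16,+6422000999,+6495550100,2
2024-05-01T09:00:22,+6422000999,+6495550100,1
2024-05-01T09:00:27,+6422000999,+6495550100,1
2024-05-01T09:00:33,+6422000999,+6495550100,0
2024-05-01T09:10:00,+6433330002,+6495550100,2
2024-05-01T11:45:00,+6433330002,+6495550100,1
2024-05-01T12:00:00,+6491110001,+6495550100,bad
"""

def parse_cdrs(text):
    """Yield (start, caller, duration) per record, skipping malformed rows."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            yield (datetime.fromisoformat(row["start"]),
                   row["caller"], int(row["duration"]))
        except (KeyError, TypeError, ValueError):
            continue  # a broken row must not stop the scan

def flag_hangup_floods(text, max_duration=3,
                       window=timedelta(seconds=60), threshold=5):
    """Return {caller: peak} for callers whose short calls (<= max_duration
    seconds) reach `threshold` inside any sliding `window`."""
    short_calls = defaultdict(list)
    for start, caller, duration in parse_cdrs(text):
        if duration <= max_duration:
            short_calls[caller].append(start)
    flagged = {}
    for caller, times in short_calls.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # drop calls older than the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[caller] = peak
    return flagged
```

The occasional misdial (two short calls hours apart in the sample) stays below the threshold, so only the sustained burst is reported.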
2. The man-in-the-middle attack (MitM)
This is where someone can easily listen to, divert or even hijack selected VoIP calls by putting themselves “in the middle” of the VoIP signalling path. This can happen when a weak encryption mechanism, or none at all, is used on wireless access points, allowing unwanted users to join your network just by being nearby.
This can be one of the most serious threats, especially for those in industries where discussing private information is of the utmost importance, such as the legal or health sectors. Encryption and authentication protocols such as the TLS (Transport Layer Security) protocol can help with this.
3. Poor security protocols and passwords
Without good security protocols and strong passwords, system and user credentials are vulnerable to theft, making it easy to hack into online VoIP systems or phone hardware. This can lead to many issues, two of which include:
Phreaking - a type of hack which steals a service from a service provider while passing the cost along to another person. Commonly this is when your VoIP account is hacked and someone uses it to make calls which you pay for.
Vishing - where a legitimate number is hacked and then used by a party to call you, pretending to be from a trustworthy organisation such as your bank and asking for confidential or critical information.
To prevent this from happening, make sure you use 2-factor authentication where possible to access your online systems, never use your VoIP phone number or extension as the voicemail password (common defaults) and always change the default admin passwords on web-based phone hardware.
4. Caller ID Spoofing
Most VoIP providers will only allow you to use the caller ID of the lines you own, but some allow any number to be presented on their network, which can cause problems. This is most commonly used where a business doesn’t present their main number but might instead present a toll-free number or their main number for customer callbacks.
However, this means it can also be used to emulate another party or business with the intent to defraud, cause harm or wrongfully obtain something of value. This makes it important to have a mechanism in place which only displays numbers which have been authenticated.
VoIP can be great in the right circumstances, but people often jump in without considering the extra complications and security issues which don’t exist with a traditional phone line.
It’s best to go into VoIP with your eyes open and be aware of the risks, so that you can use it effectively for your needs.