Business Phone Security
Threats to VoIP and What to do
VoIP and Security: What You Need to Know to Keep Your Business Communications Safe
Like other Internet-based applications, VoIP services are vulnerable to exploitation by unscrupulous individuals who wish to do everything from committing call fraud on your VoIP service account to completely shutting down your communications server. VoIP security measures are still in development, and while they may have come quite a way from using unencrypted or plain-text login name and password procedures, there is still a lot of work to be done before a foolproof security protocol is in place for VoIP systems.
To protect your business from VoIP threats, you must know what they are. Here’s a list of the most common VoIP security threats:
• Denial of Service Attacks
• Call Fraud
• Eavesdropping
• Phreaking
• Call Hijacking
• Malware and Viruses
Denial of Service Attack
Hackers and unscrupulous individuals can literally bring a business’s website or VoIP service to a complete halt with a Denial of Service (DoS) attack. A DoS attack is when a network or server is overloaded or flooded with information and data packets. This consumes all of the servers available
Once the system is completely overtaken by the DoS attack, a hacker can gain remote control of a mainframe or administrative servers and cause all sorts of problems for a business, from credit card theft to abusing the VoIP services to make expensive phone calls on your business’s service account.
VoIP Call Fraud
Call fraud, in its simplest form, involves someone tapping into a VoIP line and using it to make unauthorized calls.
There are two main types of call fraud: eavesdropping and phreaking.
Eavesdropping
Eavesdropping is when hackers tap into VoIP phone calls and listen in to get the names of employees, their passwords, phone numbers, and other information that they use to gain access to voice mail, calling plan information, and billing information. Eavesdropping on VoIP calls is used in identity theft, VoIP service theft (also called VoIP fraud), and corporate sabotage.
Phreaking
Phreaking is the process of illegitimately gaining access to a business’s VoIP service provider information, including account numbers, access codes and so on, and illegitimately adding phone lines to make phone calls, or making calls on existing business VoIP lines and racking up a huge provider bill.
Man-in-the-Middle Attack
In a man-in-the-middle attack, a hacker has a program that acts as the client’s server, and also tells the server that it is the client, so that they can intercept all incoming data packets. This allows a hacker to get a hold of a voice message or other information sent via VoIP and change it prior to retransmitting it.
VoIP Tampering and Call Hijacking
VoIP call tampering is when data packets, called noise packets, are sent to interrupt the communication stream, causing poor call quality, dropped calls, and delays in voice signal. VoIP call signals can be intercepted by a third party, who then changes the encryption key of the digital signature of the call to their own public key. Doing so tricks the servers into thinking that the two original parties of the VoIP call are still in communication, and allows the hacker to cause serious communication problems. This is also sometimes called Phishing over VoIP.
Malware, Worms, and Viruses
Since VoIP uses software and soft phones, it is vulnerable to attack by malware, or malicious software, worms, and other computer program viruses. These viruses are often used to “enslave” a computer system so that the third party can use it to send spam email or other types of malicious data. Some worms outright destroy information and make it impossible to recover, or they can trace keystrokes or data entry and send this information to a third party, which uses it to gain remote access to a business computer or phone system, where they can copy sensitive files, get credit card numbers, and so on.
VoIP Security Measures
Encryption
Most VoIP providers offer secure encryption services. To get the best use out of encryption software, make sure that password and encryption measures are enabled on your business’s VoIP. These types of encryption codes are called authentication protocols.
Authentication Protocols
Password Authentication Procedure (PAP), also called the Two-way Handshake, sends a password across an Internet link. Essentially it tells the authenticator program of the server the user name and password entered by the end user. If the password matches what the server has on file, access is granted and a VoIP phone call can take place. If the password doesn’t match, the server rejects the request and access to starting a VoIP call is denied.
PAP is a simple two-way protocol that can easily be exploited because the user name and password often aren’t suitably disguised or encrypted by applications before the information is sent to the server in a data packet.
Challenge-Handshake Authentication Protocol (CHAP)
The calling client (the person’s computer or soft phone that initializes a VoIP call by sending out data) links with the authenticator application located in the VoIP server. The authenticator uses a three-step process, also called a Three-way handshake, to determine if the sent data is legitimate and if it should grant access or not.
Step 1. Challenge
The authenticating server makes a simple text message or data packet and sends it back to the calling client.
Step 2. Response
The calling client sends a password or other code that the authenticator knows, and encrypts the message sent during the challenge phase, and sends it back to the server authenticator.
Step 3. Success or Failure
The server authenticator encrypts the challenge text and sees if its results match what the calling client sent back. If they do, the calling client has the correct password (in this case, the encryption key) and the authenticator sends a “success” message and grants access so that an NCP Link can be established and a VoIP phone call is hosted by the server.
If the encrypted messages don’t match, a failure message is sent, access is not granted, and the link is not formed, so no VoIP call can be made.
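The PAP and CHAP exchanges described above, as an added Python example that is not part of the original article. Standard CHAP (RFC 1994) computes an MD5 hash over the identifier, shared secret and challenge rather than encrypting the challenge; the extension name and secret are constructed sample values.

```python
import hashlib
import hmac
import os

SECRETS = {"ext-1001": b"constructed-shared-secret"}  # sample data, not from the page

def pap_request(user, password):
    # PAP: the password itself crosses the link, readable by any observer.
    return {"user": user, "password": password}

def chap_response(identifier, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}   # user -> (identifier, challenge), used once
        self.next_id = 0

    def challenge(self, user):
        # Step 1: fresh random challenge and a new identifier per attempt.
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[user] = (ident, chal)
        return ident, chal

    def verify(self, user, response):
        # Step 3: recompute the expected value and compare in constant time.
        ident, chal = self.pending.pop(user, (None, None))
        secret = self.secrets.get(user)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)

def demo():
    auth = ChapAuthenticator(SECRETS)
    ident, chal = auth.challenge("ext-1001")
    resp = chap_response(ident, SECRETS["ext-1001"], chal)  # Step 2 (client)
    first = auth.verify("ext-1001", resp)
    auth.challenge("ext-1001")                # server re-challenges mid-session
    replayed = auth.verify("ext-1001", resp)  # captured response sent again
    return first, replayed
```

The secret never crosses the link and a response recorded from one challenge fails against the next. The server still has to hold the secret in recoverable form, and a captured challenge/response pair can be tested offline against guessed passwords, so the secret should be long and random.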
Anti-Virus Software
Since VoIP softphones are a part of office computers, it is necessary to protect them from harmful viruses and other programs that third parties may send to your employees’ email inboxes in an attempt to get them to download an attachment, which installs their malicious software and allows them to gain control of your VoIP network. Viruses can attack networks and interrupt, and even stop, VoIP services. Most often this is done by attacking security protocols that you put into place. Installation and maintenance of anti-virus and anti-malware software programs, such as firewalls, protect VoIP hardware from coming under attack by third parties.
Deep Packet Inspection
Deep Packet Inspection (DPI) is a packet filtering method that locates, identifies and classifies data packets. It can then reroute or even block incoming packets that have an unidentified code or forbidden data “payloads” to deter unauthorized use of a LAN or VoIP network. DPI protocols check all incoming media and signaling streams, and all outgoing media streams for altered or inserted data packets with deep packet inspection programs. When they are found, the data packets are flagged.
VoIP service providers have protocols in place
The “challenge” message of the CHAP changes frequently, and your VoIP server can request authentication at any time during use.
A DPI system often works best when used in
prevented from being received by the client caller. VoIP providers also use DPI to throttle, or cap, data transfer rates, to improve network performance, and to stop peer-to-peer abuse that may occur during VoIP fraud.
Unfortunately, DPI isn’t a perfect solution to VoIP security threats as it can create weak areas in networks that are easy for hackers to attack and use DoS attacks or malware to forcibly stop communication between the VoIP server and your computer.
Session Border Controllers (SBC)
Session border controllers are devices used in VoIP networks to control media streams and protocol signals that start, conduct, and stop VoIP voice calls. SBCs also adhere to quality of service protocols (QoS) to ensure that all VoIP calls are safe, and that they have the best voice quality possible.
Stringent Authorization Policies
Other ways to keep your VoIP lines secure are to perform audits, and create call restrictions.
Audit admin accounts and employee user sessions to keep track of their activities on your VoIP lines. Doing so will allow you to ensure that none of them have been “tapped” or accessed by unauthorized entities and used for unscrupulous purposes.
Restrict VoIP Calls to Prevent Abuse
Secure the configuration of your business’ VoIP apps by creating white lists of country codes that employees can call with your VoIP lines. This type of call restriction list prevents toll fraud and other types of unauthorized use from occurring. Be sure to have your network administrator configure VoIP settings so that only the country codes on your list are used, and enable call restrictions within your VoIP network in order to keep your VoIP service as secure as possible.
Essentially, SBCs act as firewalls for VoIP.
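The country-code white list and the session audit described above, combined in an added Python example that is not part of the original article. The allowed codes, dialing prefixes, extensions and call records are constructed, and treating a number with no international prefix as a domestic call is an assumption.

```python
import re

ALLOWED_CODES = {"44", "49", "33"}   # constructed white list of country codes
INTL_PREFIXES = ("+", "011", "00")   # assumed international dialing prefixes

def is_call_allowed(dialed, allowed=ALLOWED_CODES):
    """Default-deny check of a dialed string against the country-code list."""
    number = re.sub(r"[\s\-().]", "", dialed)   # drop separators users type
    for prefix in INTL_PREFIXES:
        if number.startswith(prefix):
            digits = number[len(prefix):]
            break
    else:
        # No international prefix: treated as a domestic call (assumption).
        return number.isdigit()
    if not digits.isdigit():
        return False                 # unparseable input is rejected, not guessed
    return any(digits.startswith(code) for code in allowed)

def audit_calls(cdrs):
    """Group dialed numbers that violate the list by originating extension."""
    violations = {}
    for extension, dialed in cdrs:
        if not is_call_allowed(dialed):
            violations.setdefault(extension, []).append(dialed)
    return violations

# Constructed call detail records: (extension, dialed string).
SAMPLE_CDRS = [
    ("1001", "+44 20 7946 0000"),
    ("1002", "0049 30 1234567"),
    ("1003", "011 999 555 0100"),    # country code not on the list
    ("1003", "+999-555-0101"),
    ("1004", "5550123"),             # domestic, no country code
    ("1005", "+44abc"),              # malformed, denied by default
]

if __name__ == "__main__":
    for extension, numbers in audit_calls(SAMPLE_CDRS).items():
        print(extension, numbers)
```

Extensions that appear repeatedly in the audit output are the ones to review first for compromised credentials or toll fraud.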
By utilizing the VoIP security tools and control protocols that are available today, you will ensure that your business’s Internet-based telecommunications will be kept up and running, and that sensitive, proprietary information will remain in the right hands for years to come.
Expert Bio
Alexis Rohlin has written for Chron.com, the San Francisco Chronicle’s SFGate Home, eHow.com, and WISEGeek.com. Rohlin holds a Bachelor of Fine Arts degree in English from Madonna University, with a background in telephony and computer sciences.