Is VoIP Secure?Posted on: 2016-04-18 | Categories: VoIP VoIP Providers VoIP Services
Are you wondering if VoIP is secure? One casualty of the rapid pace of innovation in the technology industry is usually security. New products, services and applications are frequently launched and promoted to enterprises even though they lack basic security features. Sometimes the product itself might be inherently secure but inexperience with implementation means that particular deployments could be extremely vulnerable to exploits.
In their eagerness to utilize the latest and greatest, individuals and even large corporations ignore security until a breach occurs. However as more enterprises adopt VoIP systems, the concerns regarding VoIP security are increasing correspondingly. Companies are asking a variety of questions before diving into VoIP – is VoIP secure? Can we make it more secure?
Is VoIP insecure?
What do we mean by this question? Basically this means that organizations are asking if VoIP technology by itself (regardless of the actual implementation) is inherently insecure. In order to answer this question, we need to understand the basic premise of VoIP which is that voice calls are routed over data networks instead of dedicated copper lines.
Whether you purchase hosted VoIP services from an external contractor or deploy your own on premise/turnkey solution, internal calls between employees of the same company are usually free. This is because no part of the call travels over the public PSTN or even the Internet in many cases. Calls between employees within the same office usually travel through the enterprise LAN, which means that VoIP is as secure as any other internal application.
In many ways VoIP is just as secure as the regular PSTN which has also suffered its share of hacking attacks in the past. But perhaps the most important aspect that many companies seem to forget is that VoIP is subject to the same sort of exploits and attacks that befalls other forms of Internet communication/media transfer.
Common Internet exploits and attacks
Encryption is not the be-all and end-all of security measures but it does solve a lot of problems. Currently the majority of VoIP traffic is unencrypted and sent over the public Internet which means that it is vulnerable to eavesdropping. Attackers can easily utilize a packet sniffing/capture tool, record entire calls and then decipher them later. This is basically the equivalent of top level executives talking about company strategy in the mailroom where anyone can overhear them, instead of the board room.
Another vulnerability is that VoIP can be subject to denial of service and man in the middle attacks. A hacker can easily bombard your VoIP server with hundreds or even thousands of requests instantaneously so that it is unable to handle the load and shuts down. Imagine if your customers cannot access your support services for a couple of hours, it could spell disaster for many businesses.
A man in the middle attack can be even more dangerous under the right set of circumstances. An external entity can intercept incoming calls from customers and get their personal information, credit card information and even Social Security numbers just by pretending to be your company’s tech support or customer service. All this while, the customer thinks they have talked to a legitimate representative. So you end up with multiple problems – the customer’s issue is not resolved, they have lost their sensitive financial information and you may have lost a crucial client.
VoIP security solutions
Each VoIP deployment is unique and hence the means of securing it will also vary considerably. Nevertheless there are a few techniques that can be implemented to make VoIP deployments more secure than they are at present.
Encryption is only one piece of the puzzle but it should be enabled by default and not as an afterthought. There are various technical solutions that work on authorization and authentication i.e. only particular devices can access the VoIP server or accounts may be protected by adequately strong passwords etc. All of these should be implemented correctly so that they themselves cannot be compromised and used as a point of entry into the system.
In addition to this, businesses can also install monitoring and detection software that can identify anomalies in the regular VoIP traffic and alert administrators as required. This way security breaches are identified instantly and you don’t find out one morning that thousands of illegal long-distance calls have been charged to the business.
Yet another piece of the puzzle is user awareness and training which is often forgotten by companies. Attackers do not need sophisticated tools if they can simply steal a phone or account credentials! Employees should be trained to use unique passwords and change them every few months to decrease the chances of compromising them. Additionally, they should not give out their password to whoever asks for it, even if it is a colleague or their boss.
By implementing all or a combination of multiple security solutions, organizations will be able to better protect their VoIP systems, devices and even users from security attacks and breaches.