VoIP Security Vulnerabilities: Should You Worry?

Posted on: 2019-10-04 | Categories: VoIP Services

IT security has been a major topic of concern for organizations over the last decade. But for a long time, security was not a critical element in VoIP systems. Most businesses were concerned about cost, features, and reliability. This attitude is, in part, a holdover from the previous generation of phone systems. It wasn’t very common for criminals to eavesdrop on phone calls. Even the police needed warrants to tap phones.

Should You Worry about Your Phones?

But the situation with VoIP is very different. You don’t need a lot of expertise or equipment to hack VoIP phone systems. Security incidents involving VoIP phones or equipment are on the rise. Coupled with the shift towards hosted VoIP services, organizations are rightfully worried about vulnerabilities. Quite a few businesses have found out that it’s just as important to secure the phones as other IT equipment. 

Why Criminals Target VoIP Systems

You may be curious as to why hackers target VoIP phones. After all, it’s just a phone. They can’t get anything useful if calls are encrypted, right? Wrong. Encryption is often touted as a silver bullet for all security issues. But criminals target VoIP systems for several reasons:

Exfiltrating data

Criminals can exploit existing vulnerabilities to steal confidential information. Given the right conditions, they can record calls and eavesdrop on conversations. Imagine the consequences if unauthorized users were able to listen in on corporate discussions!

Infiltrating corporate networks with malware

In this scenario, hackers are more interested in infecting your system with malware. VoIP phones often share the same network as other enterprise applications. Hackers can use the phones as a landing point. Once they’re inside the system, they can target other devices.

Holding the phone system to ransom

VoIP phones inherit the security vulnerabilities of your data networks. Hackers can bring your phone system to a screeching halt through a Distributed Denial of Service (DDoS) attack. They can tie up your phones with spam messages or voice phishing incidents. Criminals can even threaten to shut down your phone system if you don’t pay the ransom.

In short, anything that can happen to your computers and servers can happen to your phones as well.

Perpetrating call fraud

Call fraud is becoming a common way for hackers to compromise VoIP systems. They can gain access to your system through social engineering or stealing passwords. Once inside, they use your account to make thousands of long-distance calls to premium-rate (pay) numbers. They collect the fees for incoming calls. Unfortunately, your business will be on the hook for the bill from the service provider.

How Can You Protect Phones?

Fortunately, there are some measures you can use to protect the phones. The first step is to reconsider your attitude towards VoIP phones. They are more than just a phone. Think of them as computers that can make phone calls. This is a more accurate description of VoIP equipment in general.

Once you start thinking this way, you’ll realize that these phones have several vulnerabilities. You have to protect the hardware, the software, the network, and other applications. Most businesses already have a security program for IT equipment. The program should also cover VoIP phones. Consider adding the phone system to your existing backup/emergency plan as well.

Here are a few things you can do to secure VoIP phones:

  • Evaluate your IT infrastructure before implementing VoIP. Fix any vulnerabilities before adding VoIP on top.
  • Check that equipment such as firewalls understands VoIP protocols. You may have to upgrade the software or replace older equipment altogether.
  • Can your network handle VPN? Mandating VPN use for outside connections is a good way of protecting the system.
  • Make sure that all your equipment has the latest patches and security updates. This should include VoIP servers, phones, and other hardware.
  • Do you have a security awareness and training program? Ensure that VoIP equipment is included as part of the program. Your employees should know that general security tips like protecting passwords apply to the phones as well.
  • Encryption is not sufficient to protect your phones. But it is a necessary first step. Confirm with your vendor that all calls are encrypted.
  • Monitor your network in real time. You may be able to spot problems and remediate them before they snowball into bigger issues.
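
As an added example (not part of the original article), here is one way monitoring can catch the call-fraud pattern described earlier: flag any account that places a burst of calls to premium-rate prefixes inside a short window. The call-record format, the prefix watchlist, the window, and the threshold are all assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed watchlist of premium-rate prefixes; use your carrier's rate deck instead.
PREMIUM_PREFIXES = ("+1900", "+449")
WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_PREMIUM_CALLS = 5            # assumed per-account limit inside one window

# Constructed sample records: timestamp,account,destination,duration_seconds
SAMPLE_CDRS = [
    "2019-10-01T09:15:00,ext1001,+12125550100,180",
    "2019-10-01T09:40:00,ext1001,+19005550111,60",
    "2019-10-01T14:05:00,ext1001,+19005550111,45",
] + [f"2019-10-02T02:{m:02d}:00,ext1042,+449055501{m:02d},30" for m in range(8)]


def parse_cdr(line):
    """Split one constructed CDR line into typed fields."""
    ts, account, dest, secs = line.strip().split(",")
    return datetime.fromisoformat(ts), account, dest, int(secs)


def find_toll_fraud(lines, window=WINDOW, limit=MAX_PREMIUM_CALLS):
    """Return {account: time of the call that first exceeded the limit}."""
    recent = defaultdict(deque)  # account -> premium-call timestamps in window
    alerts = {}
    for ts, account, dest, _secs in sorted(map(parse_cdr, lines)):
        if not dest.startswith(PREMIUM_PREFIXES):
            continue
        calls = recent[account]
        calls.append(ts)
        # Drop calls that have aged out of the sliding window.
        while ts - calls[0] > window:
            calls.popleft()
        if len(calls) > limit and account not in alerts:
            alerts[account] = ts
    return alerts


if __name__ == "__main__":
    for account, when in find_toll_fraud(SAMPLE_CDRS).items():
        print(f"ALERT {account}: premium-rate burst at {when.isoformat()}")
```

An alert like this is a trigger for suspending outbound premium-rate dialing on the account and resetting its credentials while the calls are reviewed.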

Does It Work?

As with other security measures, nothing is ever 100% perfect. For example, researchers recently found a decade-old vulnerability in VoIP phone systems. It happened because the company used an unpatched version of open-source code in their system.

From a business perspective, there is very little you can do about it. Nevertheless, the company has issued a software update that patches the vulnerability. If you have a proper update schedule, your phones will also be protected. Otherwise, hackers would be able to exploit that vulnerability. Sometimes it’s about staying one step ahead of the criminals, rather than eliminating the problem.