By Bev Robb, IT consultant
More businesses than ever are jumping on the Voice over IP (VoIP) bandwagon today. Aside from significant cost savings (when compared to traditional phone services), VoIP also offers many value-added features such as voicemail-to-email transcription, barge and whisper service, call screening, conferencing, music on hold, find me/follow me call routing, portability, and increased flexibility and mobility for employees that are always on the move or required to travel.
Although VoIP’s advantages have plenty to offer the business world, there is also the need for companies to secure voice technology. While the 2015 cyberthreat landscape is beginning to look even more stealth and treacherous than last year, let’s not forget that 2014 was dubbed “the year of the breach.”
When it comes to securing VoIP, it is time for businesses to go beyond basic compliance and become proactive in securing VoIP technology from hackers. Since VoIP packets flow over the network (just like data packets do), sensitive corporate information could be intercepted. Some of the same threats that affect data networks can also affect VoIP.
Other threats that can affect VoIP systems are:
- Conversation eavesdropping/sniffing
- Default passwords
- Hacked voicemail
- Identity spoofing
- Man-in-the-middle exploits.
- Denial of Service (DoS) attacks
- Toll fraud
- Web-based management console hacks.
The Shodan search engine
Recently, I ran a query on Internet-connected devices from the Shodan search engine— I was amazed when I discovered that beyond public-facing servers and devices — banners for voice-over-IP (VoIP) SIP servers were also prevalent. While digging around in search, I discovered a U.S. government agency that is using an out-dated Cisco TelePresence Video Communication Server, and if I was a malicious hacker, I would be thrilled to know that this particular server contains two serious vulnerabilities.
If you are wondering what Shodan is — it is an Internet search engine that helps you to find vulnerable device targets. It has been described as a search engine for hackers; an IoT device search engine; a tool for IT pros and hackers; and frequently described as the scariest search engine on the Internet.
Null Byte states that “Shodan can find us webcams, traffic signals, video projectors, routers, home heating systems, and SCADA systems that, for instance, control nuclear power plants and electrical grids. If it has a web interface, Shodan can find it!”
If you want to find out if your VoIP system may be vulnerable, you can check out the Shodan search engine here and input net:your.ip.add.ress in the search box.
Hackers for hire
Identity theft expert, Robert Siciliano recently wrote about “hackers for hire” who currently operate a website (launched last November) called Hacker’s List. There are also hackers for hire on the Darknet (and plenty of them too), in both the marketplace and on secret forums that offer VOIP hacking services. With so much hacker availability, securing and monitoring your voice network is mandatory.
While hackers are continually discovering new ways to attack VoIP systems, there are some established favorite approaches. Also known as ‘footprinting,’ these techniques rely on information that unsuspecting VoIP users make publicly available.1
Social media sites (LinkedIn, Facebook), job sites, company websites, web searches, web crawlers (HTTrack), etc. can be used to gather publicly available information about an organization’s business, employees, and network.
Company job postings can contain a plethora of information about internal network systems and often can become an asset for a hired hacker. If you are going to write a job description, try to avoid footprinting. As an example:
Footprinting: He or she will also be responsible for integrating the SHORETEL VoIP system with CISCO VoIP.
No footprinting: He or she will also be responsible for integrating VoIP (SIP) servers, infrastructure, and applications.
Let’s get back to VoIP security…
VoIP security is a challenge for many companies, but the bottom line is: VoIP security should operate on the same rung as network data security — both forms of data contain valuable information. Remember this: The bad guys never sleep; they are always looking for new and innovative ways to hack into business VoIP systems.
Best security practices should include:
1- Separating data traffic from voice traffic by creating two virtual VLANs.
2- Protecting the remote admin interface with a complex password and non-standard port.
3- Encrypting sensitive voice traffic:
4- Using Secure Session Internet Protocol (SIPS) for protection from eavesdropping and tampering.
5- Applying physical and logical protection: The VoIP server should be behind a SIP-aware firewall and intrusion prevention system (IPS).
6- Creating user names that are different from their extensions.
7- Keeping VoIP systems always up-to-date and patched.
8- Limiting calling by device.
9- Using encryption to secure calls.
10- Setting strong security policies.
11- Utilizing traffic analysis and deep packet inspection (DPI).
12- Properly securing VoIP gateways.
13- Using a strong voicemail 6-digit passcode or device certificate.
14- Deleting sensitive voicemail messages.
15- Removing mailboxes when employees leave the company.
16- Limiting invalid login attempts.
17- Restricting type of calls allowed on the network and implementing time of day policies.
18- Disabling international calls by default.
19- Security awareness training for employees.
20- Requesting that all employees report odd occurrences.
With hacking and ongoing data breaches playing a strong lead in the headlines lately, what other security strategies should be implemented?
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
1Hadley, J. (2014, Sep. 29). Are You Vulnerable to Voice over IP Hacking? [Web log post]. Retrieved April 15, 2015, from http://www.cloudwedge.com/vulnerable-voice-ip-hacking/