Business Phone Security Threats to VoIP and What to do about Them
VoIP and Security: What You Need to Know to Keep Your Business Communications Safe Like other Internet-based applications, VoIP services are vulnerable to exploitation by unscrupulous individuals who wish to do everything from committing call fraud on your VoIP service account to completely shutting down your communications server. VoIP security measures are still in development, and while they may have come quite a way from using unencrypted or plain script log in name and password procedures, there is still a lot of work to be done before a fool-proof security protocol is in place for VoIP systems. To protect your business from VoIP threats, you must know what they are. Here s a list of the most common VoIP security threats: Denial of Service Attacks Call Fraud Eavesdropping Phreaking Call Hijacking Malware and Viruses Denial of Service Attack Hackers and unscrupulous individuals can literally bring a business s website or VoIP service to a complete halt with a Denial of Service (DoS) attack. A DoS attack is when a network or server is overloaded or flooded with information and data packets. This consumes all of the servers available bandwidth, and prevents incoming and outgoing VoIP calls from occurring. A VoIP server overload, for instance, is done by flooding the service with Session Initiation Protocol (SIP) call-signaling messages. With VoIP, the more bandwidth that is used up, the lower the quality of the call. When this happens, voice signals can halt, or it can cause jitter, or worse, drop business calls all together. Business Phone Security Compare Business Products 2013 2
Once the system is completely over taken by the DoS attack, a hacker can gain remote control of a mainframe, or administrative servers and cause all sorts of problems for a business, from credit card theft to abusing the VoIP services to make expensive phone calls on your business s service account. VoIP Call Fraud Call fraud, in it s simplest form, involves someone tapping into a VoIP line and using it to make unauthorized calls. There are two main types of call fraud; eavesdropping, and phreaking. Eavesdropping Eavesdropping is when hackers tap into VoIP phone calls and listen in to get the names of employees, their passwords, phone numbers, and other information that they use to gain access to voice mail, calling plan information, and billing information. Eavesdropping on VoIP calls is used in identity theft, VoIP service theft (also called VoIP fraud), and corporate sabotage. Phreaking Phreaking is the process of illegitimately gaining access to a business s VoIP service provider information, including account numbers, access codes and so on, and illegitimately adding phone lines to make phone calls, or making calls on existing business VoIP lines and racking up a huge provider bill. Man-in-the-Middle Attack In a man-in-the-middle attack, a hacker has a program that acts as the client s server, and also tells the server that it is the client, so that they can intercept all incoming data packets. This allows a hacker to get a hold of a voice message or other information sent via VoIP and change it prior to retransmitting it. Business Phone Security Compare Business Products 2013 3
VoIP Tampering and Call Hijacking VoIP call tampering is when data packets, called noise packets, are sent to interrupt the communication stream, causing poor call quality, dropped calls, and delays in voice signal. VoIP call signals can be intercepted by a third party, who then changes the encryption key of the digital signature of the call, to their own public key. Doing so tricks the servers into thinking that the two original parties of the VoIP call are still in communication, and allows the hacker to cause serious communication problems. This is also some times called Phishing over VoIP. Malware, Worms, and Viruses Since VoIP uses software and soft phones, it is vulnerable to attack by malware, or malicious software, worms, and other computer program viruses. These viruses are often used to enslave a computer system so that the third party can use it to send spam email or other types of malicious data. Some worms outright destroy information and make it impossible to recover, or they can trace key strokes or data entry,and send this information to a third party which uses it to gain remote access to a business computer or phone system, where they can copy sensitive files, get credit card numbers, and so on. VoIP Security Measures Encryption Most VoIP providers offer secure encryption services. To get the best use out of encryption software, make sure that password and encryption measures are enabled on your business s VoIP. These types of encryption codes are called authentication protocols. Authentication Protocols VoIP Authentication protocols run from the typical password authentication procedure to a complex three-way authentication process that protects the server and the business using VoIP from malicious attacks. Business Phone Security Compare Business Products 2013 4
Password Authentication Procedure (PAP), also called the Two-way Handshake, sends a password across an Internet link. Essentially it tells the authenticator program of the server the user name and password entered by the end user. If the password matches what the server has on file, access is granted and a VoIP phone call can take place. If the password doesn t match, the server rejects the request and access to starting a VoIP call is denied. PAP is a simple two-way protocol that can easily be exploited due to the fact that often the user name and password aren t suitably disguised, or encrypted by applications prior to the information being sent to the server in a data packet. Challenge, Handshake Authentication Protocol (CHAP) The calling client (the person s computer or soft phone that is initializes a VoIP call by sending out data) links with the authenticator application located in the VoIP server. The authenticator uses a three step process, also called a Three-way handshake, to determine if the sent data is legitimate and if it should grant access or not. Step 1. Challenge The authenticating server makes a simple text message or data packet and sends it back to the calling client. Step 2. Response The calling client sends a password or other code that the authenticator knows, and encrypts the message sent during the challenge phase, and sends it back to the server authenticator. Step 3. Success or Failure The server authenticator encrypts the challenge text and sees if its results match what the calling client sent back. If it does, the calling client has the correct password (in this case, the encryption key) and the authenticator sends a success message and grants access so that an NCP Link can be established Business Phone Security Compare Business Products 2013 5
and a VoIP phone call is hosted by the server. If the encrypted messages don t match, a failure message is sent, access is not granted, and the link is not formed so that a VoIP call can be made. Anti-Virus Software Since VoIP softphones are a part of office computers, it is necessary to protect them from harmful viruses and other programs that third parties may send to your employee s email inbox in an attempt to get them to download the attachment, which installs their malicious software and allows them to gain control of your VoIP network. Viruses can attack networks and interrupt, and even stop VoIP services. Most often this is done by attacking security protocols that you put into place. Installation and maintenance of anti-virus and anti-malware software programs, such as firewalls, protect VoIP hardware from coming under attack by third parties. Deep Packet Inspection Deep Packet Inspection (DPI) is a packet filtering method that locates, identifies and classifies data packets. It can then reroute or even block incoming packets that have an unidentified code or forbidden data payloads to deter unauthorized use of an LAN or VoIP network. DPI protocols check all incoming media and signaling streams, and all outgoing media streams for altered or inserted data A DPI system often works best when used in conjunction with firewalls to deter intruders. The challenge message of the CHAP changes frequently, and your VoIP server can request authentication at any timne during use,. packets with deep packet inspection programs. When they are found, the data packets are flagged. VoIP service providers have protocols in place that classify flagged data packets in high to low priority ratings and routes them accordingly. High priority flags may be rerouted or completely Business Phone Security Compare Business Products 2013 6
prevented from being received by the client caller. VoIP providers also use DPI to throttle, or cap, data transfer rates, to improve network performance, and to stop peer-to-peer abuse that may occur during VoIP fraud. Unfortunately, DPI isn t a perfect solution to VoIP security threats as it can create weak areas in networks that are easy for hackers to attack and use DoS attacks or malware to forcibly stop communication between the VoIP server and your computer. Session Border Controllers (SBC) Essentially, SBCs act as firewalls for VoIP. Session border controllers are devices used in VoIP networks to control media streams and protocol signals that start, conduct, and stop VoIP voice calls. SBCs also adhere to quality of service protocols (QoS) to ensure that all VoIP calls are safe, and that they have the best voice quality possible. Stringent Authorization Policies Other ways to keep your VoIP lines secure are to perform audits, and create call restrictions. Audit admin accounts and employee user sessions to keep track of their activities on your VoIP lines. Doing so will allow you to ensure that none of them have been tapped or accessed by unauthorized entities and used for unscrupulous purposes. Restrict VoIP Calls to Prevent Abuse Secure the configuration of your business VoIP apps by creating white lists of country codes that employees can call with your VoIP lines. This type of call restriction list prevents toll fraud and other types of unauthorized use from occurring. Be sure to have your network administrator configure VoIP settings so that only the country codes on your list are used, and enable call restrictions within your Business Phone Security Compare Business Products 2013 7
VoIP network in order to keep your VoIP service as secure as possible By utilizing the VoIP security tools and control protocols that are available today, you will ensure that your business s Internet-based telecommunications will be kept up and running, and that sensitive, proprietary information will remain in the right hands for years to come. Expert Bio Alexis Rohlin has written for Chron.com, the San Francisco Chronicle s SFGate Home, ehow.com, and WISEGeek.com. Rohlin holds a Bachelor of Fine Arts degree in English from Madonna University, with a background in telephony and computer sciences. Business Phone Security Compare Business Products 2013 8
References Unuth, Nadeem. Security Threats In VoIP. About.com. Retrieved December 19, 2013 http://voip.about.com/od/security/a/secuthreats.htm Man in the middle attack (fire brigade attack). Tech Target. Retrieved December 19, 2013 http://searchsecurity.techtarget.com/definition/man-in-the-middle-attack Jungck, Peder. VoIP Fraud: Scenarios and Solutions TMC NET. Retrieved December 19, 2013 http://www.tmcnet.com/voip/0306/featurearticle-voip-fraud.htm VOIP Security. VoIP Info.org. Retrieved December 19, 2103. http://www.voip-info.org/wiki/view/voip+security Piscitello, David. How to Protect Your VoIP Network. Network World. Retrieved December 21, 2013. http://www.networkworld.com/research/2006/051506-voip-guide-security.html?page=3 Rouse, Margaret. CHAP (Challenge-Handshake Authentication Protocol) Tech Target. Retrieved December 22, 2013 http://searchcio-midmarket.techtarget.com/definition/chap Janssen, Cory. Deep Packet Inspection (DPI). Techopedia. Retrieved December 22, 2013. http://www.techopedia.com/definition/24973/deep-packet-inspection-dpi Business Phone Security Compare Business Products 2013 9