Most businesses adopt VoIP as a means by which to reduce costs and gain additional flexibility. But as the technology becomes more widespread, concerns are sometimes raised as to how secure it is. The threats that affect VoIP are partly those that affect any network-based systems, but there are also some that are unique to voice traffic. Let’s take a look at some of the main threats that target VoIP users.
Voice termination service theft
Perhaps the most worrying is service theft. This allows the attacker to make calls while passing the cost onto someone else. The most common way of doing this is via credential theft. It’s therefore essential to ensure that employees are alert to the risk of phishing attacks that may seek to obtain their login IDs.
Attackers can also try to obtain IDs via eavesdropping. This potentially allows not just the ability to make calls, but also to access voicemail or change forwarding options, in addition to allowing the theft of sensitive data. With access to an admin account, a hacker could also be able to change calling plans or add extra call time to a victim’s account.
Vishing is a type of phishing that applies specifically to phone users, not necessarily just VoIP. It is carried out by an attacker calling pretending to be from a trustworthy organisation, such as a bank, in order to try to obtain confidential information such as account access codes.
These attacks use social engineering techniques to lure the victims into a false sense of security. The attackers make considerable efforts to sound professional and convincing. We all like to think we are too smart to fall for scams like this, but the scammers are clever and will build confidence by quoting details including your name and address which you would expect legitimate callers to have. They will also seek to worry you by talking about suspicious transactions on your account or orders for expensive products that you haven’t made.
Malware and viruses
Just as with any other service that relies upon information technology, VoIP softphones and software are vulnerable to malware. They can be attacked by malicious code; this can attempt to steal information or simply disrupt the service, making it impossible to make or receive calls.
Malware has also been used to make certain VoIP systems vulnerable to eavesdropping. Whichever system you use it’s therefore vital that you ensure it’s up to date with the latest patches.
Distributed denial of service (DDoS) attacks are a form of malware aimed at preventing a service from accessing the internet. It does this by denying it access to bandwidth, usually by bombarding the server with more requests than it can handle. On VoIP systems, this can make it difficult to make calls or cause calls to drop out.
DDoS attacks are not always purely disruptive, They can be used as a cloak for other activity such as stealing information or getting control of system admin features. DDoS attacks are usually launched by networks of compromised machines known as botnets. Increasingly these botnets don’t even need to be PCs but can be made up of poorly secured internet of things devices such as routers or security cameras. Cybercriminals often have botnets available for rent on the dark web, so it can be quick and easy to launch an attack.
Spam over internet telephony (SPIT) is, as its name suggests, the VoIP equivalent of email spam. While it’s relatively rare at the moment, SPIT is likely to become more of a problem as VoIP spreads into the mainstream.
VoIP is already a valuable tool for unscrupulous telemarketers as it allows them to make calls at minimal cost and to disguise the origin of their calls by spoofing caller display systems. SPIT makes use of the IP address that every VoIP device must have in order to work, to send out voicemail messages. This leads to inboxes being clogged with lots of unwanted messages, making it hard for the user to get at the legitimate contents of their voicemail.
SPIT can also be used in conjunction with some of the other threats we’ve talked about, to distribute malware or to conduct phishing and vishing attacks by asking for confidential information.
Tampering with calls
VoIP systems can also fall prey to call tampering. This can be used to disrupt the call by injecting interference and noise. Hackers can also interrupt the delivery of the data packets that make up the call, making the communication intermittent.
Tampering can be carried out by what is known as a man-in-the-middle attack. This means that the attacker intercepts the call data and diverts the call via their own servers. This allows calls to be hijacked and redirected and hackers to masquerade as a legitimate caller.