Any system that relies on using computers and the internet is bound to raise concerns over the risk of it being subject to cyber attack. VoIP is no exception to this; indeed attacks on systems using the SIP (Session Initiation Protocol) are happening with surprising regularity.

IBM’s Security Intelligence Group found that as far back as 2016, attacks on SIP systems accounted for around half of all security events detected. This isn’t surprising as SIP is one of the most commonly used communication protocols.

Understanding attack types:

Attacks on SIP systems are often carried out using specially crafted messages. These can cause servers and other equipment that is vulnerable, by not being up to date with the latest patches, for example, to fail thus leading to system outages and loss of service.

Using proprietary protocols is no guarantee of safety either. IBM’s study found that the Cisco Skinny Client Control Protocol (SCCP) was vulnerable to attack too, although attacks on this protocol have been declining. Attacks often come in the form of probes, looking for weaknesses that the hackers can later exploit to compromise the system.

Shared vulnerabilities

By its very nature VoIP routes calls through the same networks as other internet and network traffic. This leaves it open to the same vulnerabilities. Attackers can therefore intercept, capture or modify traffic. They can also launch assaults aimed at denial of service, making the service unavailable for legitimate users.

It’s also common for hackers to try to steal the VoIP service to make calls on someone else’s account. This is known as ‘toll fraud’. It’s always a popular technology with scammers who are able to spoof caller IDs to make it appear that calls are originating from a legitimate business. This facilitates the launch of phishing or other attacks aimed at perpetrating frauds. Of course, it adds to the scourge of spam calls too. Attackers can also attempt to disrupt a business’ operations by flooding its network with thousands of junk calls originating from automated dialling systems.

Securing your system

Now that we’ve looked at the nature of attacks against VoIP phone systems, what can you do to keep your system secure and protect it from abuse? There are a number of different techniques that can be applied.

Protection starts with basic network security. Ensuring that your network traffic is secure helps to secure the voice traffic that it shares space with. Having an effective firewall that is SIP-aware is a good first step. This will protect the network while still allowing incoming calls to get through.

Increasingly, companies are turning to encryption so that if data is intercepted it is useless to the hacker. This can be done in a number of ways and at a number of levels, but it needs to be applied with care. You can eEncrypt the signalling from your Internet gateway using something called Session Initiation Protocol over Transport Layer Security (SIP over TLS). Depending on your service provider you may find that its switch system does this for you.

It’s best to apply encryption by segment, user, or device. This is because applying encryption indiscriminately to all traffic is likely to result in added network latency, leading to a slowing down of traffic. In addition, there is the potential to build in un-needed complexity and operational overhead.

You should also make use of virtual private networks (VPNs). These are particularly useful for establishing network connections from remote phones such as business mobiles using the VoIP system. If HTTPS or SRTP protocols are not available, the use of a VPN to secure connections is even more essential.

It may sound obvious, but using strong passwords to protect voicemail inboxes is important. Default passwords should be changed straight away to strong passwords. Mailbox passwords should then be changed on a regular basis in line with your company’s policy of changing system login passwords and following similar guidelines with regard to complexity, length, use of characters and so on. Passwords should never be shared, most systems will allow admin access to a voicemail box if required – if someone is on holiday say – without the need to compromise their security. Alternatively, you can ensure that calls are diverted to another team member.

Still on the subject of voicemail, any sensitive messages should be deleted as soon as users have listened to them. Not storing voicemails in the first place is an easy and effective way of ensuring they don’t fall into the wrong hands. Staff need to be educated to report anomalies as soon as possible. A voicemail message that has been read, deleted or forwarded without the knowledge of the person to whom the box belongs may well be a sign that the system has been compromised.