The Business Phone Blog

VoIP Security Issues: How to Deal with Them


A technology that has the reach and popularity of VoIP will naturally be the target of online assaults, be it for financial gain, control of online assets, or service disruption. This has been going on with digital communications for years now – as with traditional telephony, credit cards, and the like.

VoIP is still your best and most affordable telecommunications option, of course. There is no technology that carries zero risks. You just need to be aware of these risks. This will help you choose your VoIP service providers. Your choice has to be based not just on price but also on the service monitoring and security measures implemented by these providers.

Here are the top VoIP security issues and what can be done about them.

Theft of Service

This is perhaps the most common security issue in VoIP. Stolen service can be as simple as stolen usernames and passwords, which are then resold illegally. The more complex form of service theft is referred to as International Revenue Sharing Fraud (IRSF). Here, local carrier interconnect agreements are exploited to defraud national carriers.

Network security is the most effective way of addressing this issue. The basic step for individuals and business VoIP administrators is to implement strict password-setting standards. This means disallowing the use of extension codes, sequential numbers, and repeating numbers. This is, of course, not easy to implement, especially when there is resistance from users.
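One way to enforce the three rules above when a user sets a voicemail PIN or SIP password, as an added example that is not from the original post. The function name, the minimum length of 8 and the run length of 3 are assumptions chosen for illustration.

```python
def _has_run(secret: str, step: int, run_len: int) -> bool:
    """True if `secret` holds run_len consecutive characters that each
    differ from the previous one by `step` (0 = repeat, +1/-1 = sequence)."""
    run = 1
    for prev, cur in zip(secret, secret[1:]):
        if ord(cur) - ord(prev) == step:
            run += 1
            if run >= run_len:
                return True
        else:
            run = 1
    return False


def _is_repeated_block(secret: str) -> bool:
    """True when the whole secret is a shorter block repeated, e.g. 204204."""
    n = len(secret)
    return any(
        n % k == 0 and secret[:k] * (n // k) == secret
        for k in range(1, n // 2 + 1)
    )


def pin_violations(secret: str, extension: str,
                   min_length: int = 8, run_len: int = 3) -> list:
    """Return the policy rules a proposed secret breaks (empty list = accepted).
    min_length and run_len are illustrative defaults, not values from the post."""
    problems = []
    if len(secret) < min_length:
        problems.append("too_short")
    # Extension codes: reject the extension itself and its reverse.
    if extension and (extension in secret or extension[::-1] in secret):
        problems.append("contains_extension")
    # Sequential numbers: ascending (123) or descending (987) runs.
    if _has_run(secret, 1, run_len) or _has_run(secret, -1, run_len):
        problems.append("sequential")
    # Repeating numbers: 000-style runs or a repeated block such as 1212.
    if _has_run(secret, 0, run_len) or _is_repeated_block(secret):
        problems.append("repeating")
    return problems


if __name__ == "__main__":
    # Constructed sample secrets for extension 204.
    for candidate in ("204204", "12345678", "70008159", "58309416"):
        print(candidate, pin_violations(candidate, "204") or "accepted")
```

Run the check at the point where the PBX or provisioning portal accepts a new secret, so weak values are rejected before they are stored.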

Call encryption and physical security for switches and servers are also requirements. Your selected vendor should also be running fraud detection software that can spot malicious call routing requests.
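A minimal sketch of the kind of check such fraud detection performs, added here as an example and not taken from the original post or any vendor's product: it scans call detail records and flags an extension that places an unusual burst of international calls. The CSV layout, the threshold, the window and the sample records (using the unassigned +999 prefix) are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample CDRs: timestamp, source extension, dialed number, seconds.
SAMPLE_CDR = """\
2024-03-02T02:10:05,204,+99955501001,61
2024-03-02T02:11:40,204,+99955501002,58
2024-03-02T02:12:15,118,5550123,120
2024-03-02T02:13:02,204,+99955501003,63
2024-03-02T02:13:30,118,5550144,45
2024-03-02T02:14:30,204,+99955501004,60
2024-03-02T02:15:10,204,+99955501005,59
2024-03-02T09:00:00,310,+99955502001,300
2024-03-02T11:30:00,310,0099955502002,240
2024-03-02T15:45:00,310,+99955502003,180
"""


def is_international(dialed: str) -> bool:
    """Assumed dial plan: international numbers start with '+' or '00'."""
    return dialed.startswith("+") or dialed.startswith("00")


def flag_bursts(cdr_text: str, max_calls: int = 3,
                window: timedelta = timedelta(minutes=10)) -> dict:
    """Map each extension that exceeds max_calls international calls inside
    `window` to the timestamp of the call that crossed the threshold."""
    rows = [r for r in csv.reader(io.StringIO(cdr_text)) if r]
    rows.sort(key=lambda r: r[0])  # ISO timestamps sort chronologically
    recent = defaultdict(deque)    # extension -> recent international call times
    alerts = {}
    for ts_text, ext, dialed, _seconds in rows:
        if not is_international(dialed):
            continue
        ts = datetime.fromisoformat(ts_text)
        calls = recent[ext]
        calls.append(ts)
        # Drop calls that have fallen out of the sliding window.
        while ts - calls[0] > window:
            calls.popleft()
        if len(calls) > max_calls and ext not in alerts:
            alerts[ext] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    print(flag_bursts(SAMPLE_CDR))
```

Extension 310 makes three international calls spread across the day and is not flagged; only the off-hours burst from extension 204 trips the threshold.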

VoIP Denial of Service

A denial of service attack on any target renders that target incapacitated during the period of attack. If the target is a business that relies on VoIP connections, it will have its communications effectively cut off. As for service providers, they will be unable to provide service up until the issue is addressed.

Unfortunately, there is currently nothing available that specifically defends against DoS attacks. The most effective preventive response to this is the implementation of session border controllers with anti-DoS safeguards and identification systems that authenticate calling numbers through certificates. Those that come from suspicious sources can then be identified and blocked.

Call Interception

Call interception is not just the stuff of movies. In the age of Edward Snowden, and cloak and dagger privacy intrusions, this is a real issue with real repercussions and doable solutions.

Call encryption is necessary. It is also a reliable means of deterring privacy intrusions. It is confounding, then, that any company worth its good reputation will encrypt valuable data that has to travel through shared networks but not its business communications. Encryption is now a must and should not be forgone.

There are several ways to do this, from the user’s end and from the provider’s. One is through Zfone, voice data encryption software that works on top of your VoIP client by encrypting data packets. The software also has a man-in-the-middle (MiTM) safeguard, which shows an authentication code that needs to be confirmed by the user on the other end of the call.

At the enterprise or provider level, you need to have a virtual private network (VPN) that encrypts voice traffic. VoIP software with encryption capabilities can also be used.

Malware Infiltration

Another VoIP security vulnerability is the possible infiltration of malware via media sessions and signaling. Malware is malicious software that is designed to self-propagate and infect other systems. It is popularly known as “worms.”

Worm infiltration exposes your network, data, media, and SIP signaling structures. At the very least, such a security breach might result in stolen account credentials. At its worst, other segments of your business can be infiltrated and abused.

There are ways to defend against this. You can implement deep packet inspection, as well as fortify computers and softphones used in VoIP communications. Deep packet inspection makes use of tools, such as firewalls, to filter packets for viruses, spam, and other malicious inclusions. This is usually done at the enterprise level. Fortifying computers and softphones can be done with virus scanning software and the like.

ATA Device Vulnerabilities

If you use an ATA (analog telephone adapter) device with your VoIP, you also expose your system to possible infiltration. An ATA works through ports: Ethernet and USB ports – points of malicious entry if you are targeted for cyber attack and toll fraud.

A workaround here is to install your ATA on a network segment that’s separate from your softphone and internet. It should be behind a firewall and use its own subnet range. Unfortunately, this is seldom done. The common practice neither distinguishes nor separates voice from data, as a multipurpose computer is used for both tasks.

Monitor and Secure Your VoIP

In a perfect world, you wouldn’t have to deal with security threats. VoIP is a useful and affordable technology that has matured into one of the most reliable and accessible means of communication. It has revolutionized telecommunications as we know it. But then again, the world isn’t perfect and there will always be those who will abuse technological vulnerabilities for their gain.

This does not mean that you can’t take advantage of VoIP’s many benefits. You just need to guarantee yourself some security by implementing safeguards where you can. Start by monitoring the performance of your VoIP service. You can do this through third-party service providers, such as VoIP Spear, which run tests 24/7/365 to map dips and inconsistencies in VoIP performance. Through this, you can spot problem areas and possible attacks, and respond swiftly.

Likewise, don’t leave VoIP security in the hands of your service provider. While their security measures can be your basis for signing up, you should also implement safeguards where you can. Regularly scan for viruses and design your network structure with security in mind.
