With the wide adoption of Voice-over-IP technology, phone hacking continues to evolve. It’s costing businesses billions of dollars annually in lost productivity and higher phone bills. Typically, there’s no easy resolution - many carriers expect the victims to pay for fraudulent calls in full.

By some estimates, organizations are losing about $4 billion annually to PBX hacking. Coming in a close second are losses to VoIP phone system hacking, which amounts to $3.5 billion. Collectively, that’s $7.5 billion in annual losses.

The ramifications of VoIP hacking can go well beyond making huge numbers of calls at your expense. Since a VoIP phone system typically shares the same data network with other applications, a breach of the phone system can lead to a breach of other IT systems as well, putting the entire business at risk.

Types of Attacks

Although there are many variations of the attacks that can be launched against traditional PBX and VoIP phone systems, here are a few of the most common and damaging attacks inflicted on businesses.

Toll fraud can be launched in several ways. With a VoIP system, for example, hackers can break into the call control functions of a Session Initiation Protocol (SIP) server. Once connected, they can query the SIP options to understand the capabilities of the attacked server and use this information to generate thousands of dollars in automated sales calls. Other attack vectors include poorly configured routers that accept incoming call setups from any source IP address, VoIP Phones with outdated firmware, and network switches that are set up once and then forgotten.

Eavesdropping on phone calls can yield big dividends to hackers, especially if the targets are financial institutions, professional services firms, and government agencies. Of growing interest to hackers is listening in on call center activity. Whether a traditional standalone call center or one added on to a VoIP phone system, confidential account information, health records, and payment card data are routinely discussed. Conference rooms are also coming under attack because of the sensitive nature of executive level conversations that occur there. Tools for capturing voice and video communications are widely available and shared within the hacker community.

Voicemail hacking is also potentially lucrative and usually involves spoofing a caller ID and applying a brute force technique to arrive at valid PINs. A successful breach allows unauthorized calls from that user extension as well as international calls through the voice-mail platform. Access to private voice mails can expose the private information of corporate and government decision-makers. This can be used to harm, embarrass or blackmail targeted individuals and their organizations.

Softphone hacking is done by capturing wireless traffic to discover a user’s authentication information so the hacker can re-create the softphone account to eavesdrop on phone calls and make unauthorized calls on that account. With access to a real softphone – one that will appear legitimate to the target of a social engineering ploy – there is virtually no limit to the damage that can be perpetrated on the organization by a determined hacker.

Denial of service attacks are attempts to disable the functionality of the VoIP system to prevent legitimate calls from being processed, as opposed to gaining operational control. The target of the DoS attack is usually the SIP server, so taking steps to prevent unauthorized access is of paramount importance.

Foiling the Hackers

The good news is that there are measures businesses can take now to ensure their phone system stays well protected:

1. When installing new phone equipment and network devices, change the passwords from the default settings.

2. Do not use easy-to-guess passwords and avoid the use of a phone number or extension as the system password. If your password is easy to remember, then it offers little or no security. Use a random number generator to design an effective password.

3. If there is more than one administrator accessing the telephone system or any IT system, make sure they use unique access credentials.

4. Whenever IT staff members leave the organization, immediately disable their access credentials to phone systems, computers and management tools.

5. Ask your service provider about its fraud monitoring capability; specifically, if it has real-time toll-fraud mitigation in place that will stop suspicious calls. The service provider should contact you to verify if the flagged calls are legitimate. Also, ask how the service provider deals with Denial of Service attacks.

6. Routinely review itemized telephone invoices for any anomalies; if your organization does not call certain international locations, for example, set up the phone system to disallow outbound calls to these locations.

7. Make sure phone system and voice application software is kept up to date. If you subscribe to cloud voice, this should be done by the provider as part of its hosted VoIP service.

8. Consider using end-to-end encryption to protect sensitive VoIP conversations. This feature may be added to the premises IP Phone system with encryption software, or offered by a cloud voice provider as an add-on to its hosted VoIP service. In essence, end-to-end encryption provides a secure virtual private network (VPN) connection that protects the privacy of conversations.

Larger networks may need to take a more granular approach to security. The more devices and protocols used, the more extensive the threat landscape becomes.

VoIP is Here to Stay

VoIP offers several compelling benefits over traditional telephony, but it requires continuing vigilance to ensure the high availability and security of the system. Fortunately, end users and businesses can reduce the risks with proactive measures that will effectively thwart the bad guys.

Jeff Nolte is President and CEO of CTS, a leading Voice and IT services provider based in Millersville, Maryland. He may be reached at (800) 787-4848 or jnolte@ctsmd.us.