Addressing the Top 5 VoIP Security Vulnerabilities and How to Mitigate Them

VoIP is the go-to application for businesses looking at reducing communications costs and improving customer service. Because many businesses are improving their general network security, VoIP Systems are increasingly being seen as an easier target and an easier inroad to the theft of data and disruption of business processes.

To be sure, VoIP Security is still an evolving area, but there are steps that will mitigate the threats to a business. Here are five top VoIP Security vulnerabilities and how to prepare defences against them.

DDoS Attacks

DDoS Attacks

What it is

Simply put, a DDoS attack is where an attacker intentionally overwhelms a server with network requests that saturate its bandwidth, preventing legitimate access.   The disruption to a business when it loses VoIP communications can cause reputational damage and lost sales, and seriously harm normal business operations.

How to Stop it

Once underway, DDoS attacks are impossible to stop. It is vital to spot them early by setting up alerts for unusual network activity and having a plan to deal with them:

  • Allocate extra bandwidth. It might not stop the attack, but it might buy you time to implement other measures.
  • Another first step is to speak to your ISP. They may be able to detect and drop DDoS traffic while preserving “real” traffic. They can also divert all your traffic to a scrubber or other DDoS cleaning expert.
  • Use expert services. There are companies that will clean your traffic. Ask your ISP to divert all your incoming traffic to one.

Call Tampering

Call Tampering

What it is

Cybercriminals can make VoIP calling unusable. They use DDoS-style bandwidth saturation which upsets data packet synchronisation and increases packet delivery delays. The result is choppy connections and very poor call quality. If the call is interrupted by long periods of silence, a caller might just hang up. This clearly affects business.

How to Stop it

Again, speak to your ISP. They may be able to help by monitoring and screening incoming data and dropping obvious DDoS packets. Other things to do include are to ensure that your VoIP Security is top-notch:

  • All voice streams in and out of your business must be encrypted.
  • All IP phones must have authentication codes

Vishing

Vishing

What it is

We are all aware of email-based phishing exploits. The VoIP equivalent is Vishing, where cyber-criminals use voicemail messaging to try to solicit sensitive information.

How to Stop it

The best way is to include Vishing as part of the general security awareness delivered to users. Tell them that both internal and external messages are potential threats and that they should never disclose sensitive information.

Fraud

Fraud

What it is

 It is exactly what the name suggests. Cyber-criminals use the VoIP system as a gateway into an organisation. They then use your services without permission, work their way through your network to find sensitive information, or deposit malware that delivers sensitive information such as user ids and passwords to them. One particular fraud that often goes unnoticed for a while is to artificially generate toll charges for calls to premium rate numbers, then collect the revenue.

How to Stop it

The easiest way is by using the security features inbuilt in most VoIP Security systems:

  • All users must be authorised to use the VoIP system
  • All users must have permission to make outgoing calls;
  • All users have security levels allowing or denying the ability to make local, long-distance, or international calls.
  • Give users call budgets and monitor for any users exceeding their budget.
  • Calls to premium rate numbers are blocked
  • Monitor outgoing calls to see what the prime times for outgoing calls are. For example, high call levels out of hours probably indicate malware making robot calls.

VOMIT and SPIT

VOMIT and SPIT

What they are

They sound disgusting, but VOMIT is Voice over Misconfigured Internet Telephones, and SPIT is an acronym for Spam over Internet Telephony. (Who says IT people don’t have a sense of humour). Vomit is a serious security threat to VoIP systems. Hackers use software to eavesdrop on calls to extract voice packets. They then analyse the packets for any sensitive information such as user credentials or financial information. SPIT is the VoIP equivalent of email spam. Automated call systems call numbers using the US collect system or local equivalent from premium numbers, and if answered deliver recorded voicemail messages. People answering the calls then incur toll charges, which the fraudster creams off.

How to Stop them

The first thing to do to stop VOMIT attacks is to make sure all calls are encrypted. Even if hackers can intercept call packets, they are useless. SPIT attacks are very difficult to prevent. A properly configured modern firewall that can identify spam helps.

VoIP is an essential tool for business and applying proper VoIP security is a must nowadays.