Security Savvy for VoIP

Updated: January 07, 2011

As in any other growing industry, the rising number of VoIP connections and customers is attracting more security breaches in VoIP networks. A convenient summary of modern VoIP security vulnerabilities and possible solutions can be found here. The article, written by McAfee security researcher Kevin Watkins, discusses multiple types of VoIP security breaches, including eavesdropping, denial of service and more. It also provides general advice about what causes security vulnerabilities and how to protect against them, applicable to systems using either the H.323 or the Session Initiation Protocol (SIP) standard.

Protocol-related breaches discussed in the article include eavesdropping, denial of service, signal and media manipulation, and replay. Eavesdropping on VoIP connections has occurred since the 2001 development of VOMIT (Voice Over Misconfigured Internet Telephones), and generally involves open-source network-analysis tools, or "sniffers." Default settings that leave the media transport protocols carrying conversations without any security configuration offer one common opportunity for eavesdropping. Replay attacks use legitimate VoIP sessions, captured by sniffers, against targets, often through registration hacking. Watkins recommends SIP over Transport Layer Security (TLS) for SIP-based systems to protect against these attacks. However, Watkins has no suggestions for protection against denial-of-service or network-manipulation attacks (including flooding and signal and media manipulation). VoIP is vulnerable to such attacks mainly because it is an IP service, Watkins claims, and these problems therefore require IP-related solutions.
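As a defensive check for the default-configuration problem described above, the following added example (not from Watkins' article) audits a SIP request for cleartext signalling and unencrypted media. The two INVITE messages are constructed samples, and the finding names are hypothetical labels chosen for this illustration.

```python
import re

# Constructed sample SIP INVITEs for illustration (not captured traffic).
INSECURE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bK776a\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SECURE_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bK776b\r\n"
    "Call-ID: a84b4c76e66711\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)

def audit_sip_message(raw):
    """Return findings for cleartext signalling or media in one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    findings = []
    # Requests only: a sips: Request-URI asks for TLS-protected signalling.
    if not lines[0].startswith("SIP/2.0"):
        request_uri = lines[0].split()[1]
        if not request_uri.lower().startswith("sips:"):
            findings.append("request-uri-not-sips")
    # The Via transport token shows how this hop was actually sent.
    for line in lines[1:]:
        m = re.match(r"(?i)(?:via|v)\s*:\s*SIP/2\.0/(\w+)", line)
        if m and m.group(1).upper() not in ("TLS", "WSS"):
            findings.append("via-transport-" + m.group(1).upper())
    # SDP media lines: RTP/AVP is plain RTP; profiles containing SAVP are SRTP.
    for line in body.splitlines():
        m = re.match(r"m=(\w+) \d+(?:/\d+)? (\S+)", line)
        if m and "SAVP" not in m.group(2).upper():
            findings.append("media-%s-%s" % (m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    print(audit_sip_message(INSECURE_INVITE))
```

Protecting the signalling with TLS does not by itself encrypt the audio stream, which is why the media line is checked separately.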

The article also discusses several application-level vulnerabilities. Exposed administration service ports can disclose information that helps attackers penetrate further into a network. The dual status of some VoIP service ports as data-exposing ports and web services can also open the door to common internet security breaches like cross-site request forgery and cross-site scripting. VoIP's lack of traditional caller-ID safeguards has led to a practice called "vishing," where cybercriminals combine VoIP and caller-ID spoofing to misrepresent themselves, often as banks or other institutions asking for financial data. Just as "vishing" is a counterpart to "phishing," good old spam also has a VoIP equivalent: SPIT, or spam over Internet telephony. Watkins recommends applying solutions used in email and traditional phone service to the VoIP world to reduce this problem. And, of course, as in any other growing communications industry, increasing numbers of VoIP customers are resulting in increased incidences of toll fraud and unauthorized calling.

The best protection for VoIP providers against these and other issues, according to Watkins, is the same as in any other communications industry: install protections throughout the system early, and stay up to date on current threats. Although these threats will no doubt increase as the industry continues to grow, the article ends on an inspiring note, claiming that "With the right amount of security and precautions VoIP can be even more secure than traditional phone service."

To upgrade to a more secure VoIP business phone system, take a look at our business phone system comparison.
