Security Savvy for VoIP

Updated: January 07, 2011

As in any other growing industry, the rising number of VoIP connections and customers is attracting more security breaches in VoIP networks. A convenient summary of modern VoIP security vulnerabilities and possible solutions can be found here. The article, written by McAfee security researcher Kevin Watkins, discusses multiple types of VoIP security breaches, including eavesdropping, denial of service and more. It also provides general advice about what causes security vulnerabilities and how to protect against them, applicable to systems built on both the H.323 and Session Initiation Protocol (SIP) standards.

Protocol-related breaches discussed in the article include eavesdropping, denial of service, signal and media manipulation, and replay. Eavesdropping on VoIP connections has occurred since the 2001 development of VOMIT (Voice Over Misconfigured Internet Telephones), and generally involves open-source network-analysis tools, or "sniffers." Default settings that lack security configuration on the media transport protocols carrying conversations offer one common opportunity for eavesdropping. Replay attacks use legitimate VoIP sessions, captured by sniffers, against targets, often through registration hacking. Watkins recommends SIP over transport-layer security for SIP-based systems to protect against these attacks. However, Watkins has no suggestions for protection against denial-of-service or network-manipulation attacks (including flooding and signal and media manipulation). VoIP is vulnerable to such attacks mainly because it is an IP service, Watkins claims, and these problems therefore require IP-related solutions.
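The default-settings problem and the SIP-over-TLS recommendation above can be checked mechanically. The following is an added example, not code from Watkins' article: it audits a SIP INVITE for plaintext signaling and media. The sample messages are constructed, and the check for the SRTP media profiles (RTP/SAVP) goes beyond what the article names.

```python
# Added example: flag plaintext SIP signaling and unencrypted RTP in an INVITE.
# SRTP profile names are an addition here; the article only mentions SIP over TLS.
SECURE_MEDIA = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sip_message(raw: str) -> list[str]:
    """Return findings for one SIP request that carries an SDP body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    findings = []

    # Request line: METHOD request-URI SIP/2.0
    parts = lines[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return ["not a SIP request"]
    if not parts[1].lower().startswith("sips:"):
        findings.append("request URI is not sips:")

    # Via: SIP/2.0/<transport> host:port;params
    for line in lines[1:]:
        name, _, value = line.partition(":")
        tokens = value.split()
        if name.strip().lower() in ("via", "v") and tokens:
            transport = tokens[0].split("/")[-1].upper()
            if transport not in ("TLS", "WSS"):
                findings.append(f"signaling over {transport}, not TLS")

    # SDP media line: m=<media> <port> <proto> <formats...>
    for line in body.split("\n"):
        fields = line[2:].split() if line.startswith("m=") else []
        if len(fields) >= 3 and fields[2].upper() not in SECURE_MEDIA:
            findings.append(f"{fields[0]} media uses {fields[2]} (unencrypted RTP)")
    return findings

# Constructed sample messages (documentation addresses, not captured traffic).
PLAINTEXT_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nm=audio 49170 RTP/AVP 0\r\n"
)
HARDENED_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-constructed\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
)

if __name__ == "__main__":
    for label, msg in (("plaintext", PLAINTEXT_INVITE), ("hardened", HARDENED_INVITE)):
        print(label, audit_sip_message(msg))
```
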

The article also discusses several application-level vulnerabilities. Exposed administration service ports can disclose information that lets attackers penetrate further into a network. Because some VoIP service ports double as web services that expose data, they can also open the door to common internet security breaches like cross-site request forgery and cross-site scripting. VoIP's lack of traditional caller-ID safeguards has led to a practice called "vishing," in which cybercriminals combine VoIP and caller-ID spoofing to misrepresent themselves, often as banks or other institutions asking for financial data. Just as "vishing" is a counterpart to "phishing," good old spam also has a VoIP equivalent: SPIT, or spam over Internet telephony. Watkins recommends applying solutions used in email and traditional phone service to the VoIP world to reduce this problem. And, of course, as in any other growing communications industry, the increasing number of VoIP customers is resulting in more incidents of toll fraud and unauthorized calling.

The best protection for VoIP providers against these and other issues, according to Watkins, is the same as in any other communications industry: install protections throughout the system early, and stay up to date on current threats. Although these threats will no doubt increase as the industry continues to grow, the article ends on an inspiring note, claiming that "With the right amount of security and precautions VoIP can be even more secure than traditional phone service."
