Introduction to VoIP
Traditional phone systems use dedicated lines and systems to carry voice traffic. While this is not a problem in many cases, it limits the flexibility and scalability of these systems since new deployments may require investment in and installation of new physical infrastructure.
Voice over IP (VoIP) sends voice traffic over the network and uses software on a user’s computer (a softphone) rather than a physical device. The flexibility that this provides means that VoIP systems are growing in popularity. This is especially true in the wake of the COVID-19 pandemic since enterprise VoIP systems can be more easily transitioned to remote use than traditional phone systems.
Cybersecurity Threats of VoIP
VoIP systems are software that runs on computers and uses the Internet to carry voice traffic. As a result, these systems can be potentially vulnerable to a number of different threats.
Denial of Service (DoS) Attacks
VoIP uses the Internet to carry voice traffic between the parties within a conversation. This is implemented using a client-server system where traffic is relayed through one or more VoIP servers to recipients.
The use of the Internet and servers to implement VoIP makes it potentially vulnerable to DoS attacks. An attacker could exploit a vulnerability in the VoIP software or use a Distributed DoS (DDoS) attack to overwhelm a VoIP server. As a result, VoIP users may be unable to make or receive calls or may have greatly degraded call quality.
Vishing
Voice phishing or “vishing” is the use of social engineering techniques over the phone. A visher will try to trick someone into revealing sensitive information or taking a harmful action (like sending money to a scammer) over the phone.
As with traditional phone systems, VoIP users are vulnerable to vishing attacks. In fact, the use of Caller ID spoofing is even easier for VoIP than traditional phone systems. The message that a VoIP client uses for Caller ID is easily modified by the sender.
Phreaking
Phreaking is a term for abusing an organization’s phone systems. Many of the earliest hackers were phreakers, and the same attacks and techniques that they would use can still apply to modern VoIP systems.
One common use of phreaking is to allow the attacker to use an organization’s phone system to make expensive calls. For example, an attacker may gain access to the VoIP server and change the service plan and extension list to allow the attacker to use the system without detection and take advantage of premium services.
Alternatively, an attacker can use phreaking to lay the groundwork for a later attack. Employees are more likely to trust a phone call originating from an internal extension. This can be used in help desk scams and other attacks designed to steal user credentials or trick an employee into taking an undesirable action.
Viruses and Malware
VoIP clients and servers are software that runs on computers. The use of computers for telecommunications creates the potential for attacks against VoIP systems using viruses or malware.
VoIP-focused malware could take a number of different actions. These include trying to degrade the accessibility or quality of the VoIP service (a DOS) attack, stealing sensitive data, or eavesdropping on or interfering with an ongoing VoIP call.
Spam Over Internet Telephony (SPIT)
VoIP systems are implemented as software running on computers, each with their own IP address. Just like spammers can use lists of IP addresses to send unwanted emails to a user, an attacker can send unwanted voicemail to VoIP users.
Typically, VoIP spammers perform their attacks using voicemail. With a list of IP addresses associated with VoIP servers, an attacker can send a mass of voicemails to users without ringing their phone. This technique could be used either as an annoyance or to create a voicemail used as part of a vishing attack.
Man-In-the-Middle (MitM) Attacks
Man-in-the-Middle (MiTM) attackers intercept a communication between its source and its destination. This potentially allows them to view or modify the contents of the communication. By default, many VoIP packets are unencrypted. This means that anyone with access to the network that they flow over can intercept them and rebuild the actual phone conversation from the data streams.
In most cases, this would only allow an attacker to eavesdrop on the communication since the delays associated with intercepting and modifying the traffic is likely to be noticeable to the communicating parties. However, in some contexts, modification of traffic may be possible. For example, the use of automated phone systems (which accept user input via voice commands or pressed keys) are accustomed to response delays and may enable an attacker to modify the input coming from a phone trusted by the system (i.e. the phone number associated with a given account).
Keeping Your VoIP Communications Secure
VoIP systems are vulnerable to a number of different attacks. However, the fact that these threats exist does not mean that organizations should give up the advantages that a VoIP system provides. Many of the threats associated with VoIP systems can be mitigated with a few simple steps:
Keep Software Up-to-Date
Unpatched vulnerabilities in VoIP client or server software could enable an attacker to perform a DoS attack or gain unauthorized access to the system. Ensure that VoIP software is always updated to the latest version.
Use Encrypted Communications
VoIP communications are not always encrypted by default, enabling eavesdropping and potential tampering with VoIP calls. Using encryption for VoIP, such as TLS or a virtual private network (VPN), decreases the probability of exposure of sensitive data or tampering with important calls.
Use Secure Configurations
VoIP software, like many systems, often has configuration options for users and servers that can impact security. Ensure that these systems are configured correctly and check configurations periodically to detect tampering or new settings that need to be updated.
Use Strong Authentication
An attacker with access to a VoIP system can take a number of damaging and expensive actions against an organization. The use of strong authentication, including multi-factor authentication (MFA) when possible, helps to reduce this threat.
A Final Word
The use of VoIP for corporate communications can improve communications flexibility and simplify an organization’s communication systems and network environment. However, like any software, VoIP must be deployed and configured correctly to be secure against cyber threats. Learn more about how you can prevent cyber threats by following the Totem blog for frequent updates.