Voice over Internet Protocol (VoIP) networks allow people to make phone calls over the Internet at very low or no cost at all. But while VoIP is affordable, it still lacks proper security features. Major enterprises are being warned against the growing global VoIP hacking ataacks.
Some of the most common features of VoIP hacking methods include eavesdropping on conversations, changing caller IDs, disrupting phone calls, unsolicited audio and access to sensitive information.
ITNewsAfrica interviewed Rob Lith, Connection Telecom Director to investigate the current trends in VoIP hacking and what can enterprises do to better secure their telephony services.
1. What is VoIP hacking?
Ever since the first analogue phone lines there has been phone hacking, also referred to as phone “phreaking” which came in many forms such as “Switch hook” where you would tap out the number to dial, and “tone dialing”, to simple clip-ons to the copper cable lines to make calls using other people telephone lines, there have been many ingenious attempts to be able to make free phones calls.
More recently voice over IP (VoIP) is just another avenue for hackers to “clip-on” to your VoIP line.
With the rise of VoIP or SIP hacking tools have been developed to audit SIP based VoIP systems, Google has developed such a tool called the SIPVicious suite. One downside is that this same set of tools can be used to crack the password of the SIP account on your VoIP system in the same way as old fashioned hackers would clip on to analogue lines.
2. How can SMEs secure themselves from any form of VoIP threats?
SME’s you quiz there VoIP service provider on the way they secure their system from VoIP hackers. To ask how they secure the SIP accounts, can they set it so that access can only be from your range of IP addresses?
What other systems do they have for detecting and preventing your account being compromised? Do they have alerts for suspicious patterns of calls to expensive destination, or more simultaneous calls than you have people to make them?
They should be able to answer these questions without hesitation or doubt.
3. What are the current security threats on VoIP services?
The primary threat at the moment is that hackers gain access to your SIP account (your VoIP telephone) line by cracking your password and then make calls to destination where they get a share of the cost of the call.
4. What are the immediate implications for businesses attempting to rollout VoIP within their business?
Businesses must make sure that they understand the threats and the measures they can take to minimize the risks.
They must institute policies for the password staff use with their VoIP accounts, very strong computer generated passwords should be used.
Firewall policies must be updated to cater for the VoIP protocols.
Defense in depth is a useful guideline. Do not rely on only one type of protection for any part of the system. For example, don’t just use good passwords, but also restrict access by IP address if possible.
Consider the credit control of how much you deposit in your VoIP account if it is pre-paid or set a limit for only the level of calls you usually make if the account is post paid.
5. What are the average cost implications for a VoIP recovery process?
If the credit limits are not set on your VoIP account then the cost implication could be severe and can run into thousands of Rands.
6. What are some of the technology weaknesses of VoIP technology?
In fact VoIP and the SIP services can be stronger than old and “trusted” technology like analogue or digital lines that can be “tapped” by physically clamped onto.
There is not so much technological weaknesses but with the peoples habits of using easy to crack passwords.
7. What sort of information are VoIP hackers seeking?
Generally they are looking to get the account registration details and the password to authenticate so that they can register a SIP client and make calls.
8. What methods are currently being used to catch VoIP hackers?
VoIP hackers are generally from international countries where it is very difficult to track and prosecute. In the United States there have been successful prosecutions of VoIP hackers under the wire fraud law and one published example Edwin Pena of Miami faces up to 25 years in jail.
9. Is VoIP considered a safe communication technology?
Yes, as long as precautions are taken. VoIP has become the de facto standard for telephony today.
Bontle Moeng – ITNewsAfrica Online Editor