Voice over IP (VoIP) has many advantages over traditional business lines. Because VoIP systems are largely hardware-agnostic, they can scale to meet demand and support business growth with far greater ease. VoIP phone systems also offer a far greater selection of features than legacy business phone systems, all with a much lower overhead.
VoIP is not without its drawbacks, however. Because VoIP networks operate via the Internet, they represent a potential target for threat actors.
Let’s discuss what that means and what you can do about it.
Given how much focus the media places on ransomware and data theft, it’s easy to forget that your VoIP system is as much a part of your attack surface as your endpoints. Yet too often, businesses leave VoIP out of the conversation when they talk about their security posture. Perhaps they assume the technology itself is inherently secure or that their vendor is taking care of things for them.
Or maybe it doesn’t occur to them that a VoIP network can even be a target.
That’s the thing about the modern threat landscape, though. If a system or asset connects to the Internet, then it doesn’t matter what it is or what it does. It’s part of your attack surface.
While most are nothing like the state-sponsored black hat boogeymen we’ve all been made to fear, threat actors still tend to be as crafty as they are persistent. Any device, no matter how rudimentary, can give them a foothold into your network, including:
Suddenly, hacking a VoIP network doesn’t seem so outlandish, does it? Even if you don’t share sensitive information or discuss trade secrets over the phone, a criminal could still use a compromised VoIP to gain access to more valuable systems and data. And that’s if you’re lucky.
Let’s say you use a VoIP solution to support your contact center. What happens if a criminal manages to compromise that line of contact without your knowledge? What might that do to your reputation?
The most common cybersecurity risks and threats of VoIP include:
- Distributed Denial of Service (DDoS): A flood of illegitimate traffic that seeks to overwhelm and shut down a network. Frequently used as a smokescreen for another, more serious cyberattack.
- Packet Sniffing: A threat actor intercepts packets containing voice data during a VoIP call, potentially allowing them to gain access to sensitive information. As part of this interception, they may also execute a Black Hole Attack, intentionally preventing intercepted packets from reaching their destination.
- Call Tampering: If a Black Hole Attack is what happens when a threat actor removes packets from a call stream, call tampering is the opposite, flooding the call with garbage packets and utterly destroying call quality in the process.
- Wardialing: Using either a compromised PBX or their own specialized program, an attacker dials a series of consecutive phone numbers with the end goal of finding a computer configured to allow incoming connections.
- VoIP Phishing (Vishing): By spoofing caller ID, a criminal is able to masquerade as a trusted phone number such as a government agency, business partner, or authority figure. Some attackers have begun combining this tactic with deepfaked audio, making it even more difficult to identify and defend against.
- Toll Fraud: When a criminal uses a compromised phone system to repeatedly dial a toll number with which they are typically affiliated, potentially crippling their victim with toll charges.
- Phreaking: Similar to toll fraud, a phreaking attack occurs when a threat actor gains access to a VoIP solution’s administrative backend, allowing them to do everything from change calling plans to exfiltrate billing information.
- SPIT: Essentially a combination of Vishing and DDoS, a SPIT (Spam over IP Telephony) attack spams a number with pre-recorded robocalls. Depending on the sophistication of the threat actor behind the attack, these calls may also carry malicious payloads.
- Malware/Ransomware: A malware-infested VoIP system could give hackers access to a wealth of personal data, or else serve as a jump-off point to infect the rest of a business’s network. Alternatively, a criminal might simply opt to shut the entire VoIP system down and demand a ransom.
- VOMIT: A Voice over Misconfigured Internet Telephones, or VOMIT attack, takes unencrypted VoIP traffic and converts it into an audio file which a threat actor may then either play or distribute at their leisure.
- Man-in-the-Middle (MiTM): A close cousin to packet sniffing, a MiTM attack occurs when a criminal is able to intercept a VoIP call and insert themselves into it. They may simply listen, gaining information about both the caller and recipient. Alternatively, they might route the call through their own server, allowing them to infect one or both participants with a malicious payload.
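Two of the threats above, wardialing and toll fraud, leave a recognizable pattern in call detail records (CDRs). The following Python is an added example, not part of the original article, that flags both patterns over constructed records. The record layout, the thresholds and the `PREMIUM_PREFIXES` value are assumptions to adapt to your own PBX export.

```python
from collections import defaultdict

# Constructed call detail records: (epoch_seconds, source_extension, dialed_number)
SAMPLE_CDRS = [
    (1000, "ext-201", "15550100"), (1004, "ext-201", "15550101"),
    (1009, "ext-201", "15550102"), (1013, "ext-201", "15550103"),
    (1017, "ext-201", "15550104"),                       # consecutive numbers
    (2000, "ext-305", "19005550199"), (2060, "ext-305", "19005550199"),
    (2120, "ext-305", "19005550199"), (2180, "ext-305", "19005550199"),
    (3000, "ext-110", "15550142"), (3600, "ext-110", "15550187"),  # normal use
]
PREMIUM_PREFIXES = ("1900",)  # assumption: prefixes your carrier bills as premium rate


def find_wardialing(cdrs, min_run=5, max_gap=30):
    """Return {source: longest run} for sources dialing consecutive numbers in quick succession."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(cdrs):
        if dst.isdigit():
            by_src[src].append((ts, int(dst)))
    hits = {}
    for src, calls in by_src.items():
        run = best = 1
        for (t0, n0), (t1, n1) in zip(calls, calls[1:]):
            # A run continues only if the next number is +1 and dialed soon after.
            run = run + 1 if (n1 - n0 == 1 and t1 - t0 <= max_gap) else 1
            best = max(best, run)
        if best >= min_run:
            hits[src] = best
    return hits


def find_toll_fraud(cdrs, min_calls=3, window=3600):
    """Return {(source, number): count} for repeated calls to one premium number in a window."""
    times = defaultdict(list)
    for ts, src, dst in sorted(cdrs):
        if dst.startswith(PREMIUM_PREFIXES):
            times[(src, dst)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        best, lo = 0, 0
        for hi, t in enumerate(ts_list):      # sliding window over sorted timestamps
            while t - ts_list[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_calls:
            hits[key] = best
    return hits
```
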
Given the laundry list of security threats with which VoIP networks must contend, you’d be forgiven for assuming that a traditional business phone line represents the more secure option. The reality, however, is a bit more complicated. A properly-configured VoIP line is significantly more secure than an analog PBX.
It boils down to how the two systems transmit, store, and manage voice data. With PBX, all a bad actor needs to do in order to listen in on a call is compromise the PSTN somewhere between caller and destination, a technique known as wiretapping. It’s nearly impossible to defend against this type of eavesdropping — not without a significant price tag, anyway.
Conversely, although VoIP systems face a higher volume of security threats, they are also equipped with the necessary tools to protect against those threats.
Encryption represents the most basic type of VoIP security, and comes in two flavors. The first, Secure Real-Time Transport Protocol (SRTP), applies the Advanced Encryption Standard (AES) to every packet that passes between a call’s participants.
To put it in less arcane terms, it’s basically like each caller has a sort of barrier between themselves and the Internet. When audio initially passes through this wall, it’s rendered completely unintelligible. If an attacker were to somehow intercept any packets, all they’d get is noise.
The audio reassembles after passing through the recipient’s barrier, at which point they can hear their conversation partner speaking normally.
In addition to encrypting call audio, most VoIP providers also use Transport Layer Security (TLS) to obfuscate personally-identifying information such as names, usernames, and phone numbers. Whereas traditional TLS is client-to-server, both TLS and SRTP/AES should be applied end-to-end on VoIP calls. This means that traffic is encrypted from the instant it leaves one participant until the moment it arrives at the other.
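Both layers can be checked from a captured SIP INVITE: the `Via` transport shows whether signaling uses TLS, and the SDP media line shows whether audio is offered as SRTP (`RTP/SAVP`) or cleartext RTP (`RTP/AVP`). The Python below is an added example, not from the original article, run against constructed INVITEs; the hostnames and the key value are placeholders.

```python
# Constructed SIP INVITEs, trimmed to the fields this check reads.
SECURE_INVITE = """INVITE sips:bob@example.test SIP/2.0
Via: SIP/2.0/TLS pbx.example.test:5061;branch=z9hG4bK-constructed

v=0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY
"""
CLEARTEXT_INVITE = """INVITE sip:bob@example.test SIP/2.0
Via: SIP/2.0/UDP pbx.example.test:5060;branch=z9hG4bK-constructed

v=0
m=audio 49170 RTP/AVP 0
"""
# SRTP negotiated, but the key travels over unencrypted signaling.
LEAKY_INVITE = SECURE_INVITE.replace("SIP/2.0/TLS", "SIP/2.0/UDP")

SECURE_TRANSPORTS = {"TLS", "WSS"}


def audit_invite(message):
    """Return findings; an empty list means signaling and media are both encrypted."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    # Signaling: every Via hop must use a TLS-based transport.
    vias = [l.split(":", 1)[1].split()[0] for l in head.split("\n")
            if l.lower().startswith("via:")]
    tls = bool(vias) and all(v.split("/")[-1].upper() in SECURE_TRANSPORTS for v in vias)
    findings = [] if tls else ["signaling is not carried over TLS"]
    # Media: walk the SDP, tracking key material per m= section.
    session_fp, sdes, media = False, False, []
    for line in sdp.split("\n"):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append([kind, proto, session_fp])
        elif line.startswith("a=fingerprint:") and not media:
            session_fp = True          # session-level DTLS-SRTP fingerprint
        elif line.startswith(("a=fingerprint:", "a=crypto:")) and media:
            media[-1][2] = True
            sdes = sdes or line.startswith("a=crypto:")
    for kind, proto, keyed in media:
        if "SAVP" not in proto:
            findings.append(f"{kind} stream uses cleartext {proto}")
        elif not keyed:
            findings.append(f"{kind} stream offers {proto} without key material")
    if sdes and not tls:
        findings.append("SDES key (a=crypto) is exposed in cleartext signaling")
    return findings
```

The third case is the one that is easy to miss: with SDES keying, the SRTP key is carried in the SDP itself, so SRTP without TLS signaling hands the key to anyone who can read the INVITE.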
Alongside end-to-end encryption, we recommend the following measures to secure your VoIP platform and protect your data:
- Define and enforce a strong password policy. You may also want to consider providing employees with a password manager.
- Regularly assess your network for possible vulnerabilities.
- Monitor your ecosystem for suspicious activity through a cyber threat intelligence tool.
- Consider using a virtual private network (VPN) or a secure cloud platform.
- Require multi-factor authentication through either an application, biometrics, or a device-based prompt. Avoid SMS 2FA, as it is not secure.
- Perform regular security audits and drills.
- Provide your employees with security awareness training.
- Segment your network and apply both least privilege and zero trust network access.
- Ensure your software is always up to date.
- Have something in place that allows you to protect personal/BYOD devices within your workplace.
- Choose your vendors carefully. Ideally, you’ll want a provider that offers both a VoIP solution and cybersecurity services of some kind.
Because VoIP security tends to be so costly and complex, it can be difficult to find a provider that’s entirely above-board. There will sadly never be any shortage of unscrupulous companies looking to make a quick buck off the ignorance of others. The good news is that it’s fairly easy to steer clear of such shysters if you look for a provider with the following characteristics:
- A flexible contract and a willingness to negotiate.
- A service-level agreement with >99% guaranteed uptime.
- Compliant with regulations and standards such as the GDPR, HIPAA, SOC 2, and PCI.
- Willing to discuss their cybersecurity measures and protocols with prospective customers.
- Practices good cyber hygiene both internally and with partners and suppliers.
- A well-defined and rigorously tested incident response plan.
- Comprehensive security protocols that safeguard the vendor’s servers and data.
- A large number of positive reviews, indicating consistent, reliable service.
How much will it cost?
Unfortunately, just as there’s no one-size-fits-all approach to business communications, your VoIP security costs will vary depending on your business’s size, level of technical maturity, and unique requirements. With that said, we recommend spending at least 10 percent of your annual IT budget.
How frequently should I revise my security strategy?
We recommend a full third-party assessment and policy update at least once a year.
How do I know if a WiFi connection is secure?
Look at the encryption protocol. A secure WiFi network will use either WEP, WPA, or WPA2.