Securing your comms from the hidden dangers of IP telephony

IT security remains of major concern to almost any business. High-profile examples of big businesses being hacked, and sensitive customer data being leaked, continue to hit the headlines, causing significant damage to the business’ reputation and bottom line should legal proceedings ensue.

Although many firms are taking steps to further secure their IT systems, it is often a different story entirely for their IP telephony network. Yet an IP-PBX system is just as vulnerable to exploitation as a computer network, with the added danger that many firms don’t realise that a problem exists.

Due to the nature of IP telephony, the phone system needs to be connected to the internet, providing a route for hackers to access the IP-PBX. While VoIP phone systems offer many advantages over fixed-line telephony such as advanced call functionality and flexibility, it is precisely these advantages that can also be used against it.

In order for businesses to protect their IP telephony systems, they need to understand how their systems are vulnerable, how this can be exploited, and the steps they can take to secure the system.

Turning your IP-PBX system against you

In order to gain access to the telephony system, hackers need the password of the device they are targeting. In order to gain this password and successfully compromise an IP-PBX system, hackers will identify an IP extension on the network, and then bombard that device with different passwords in the hope that one of them will be right.

Although this sounds like a long shot, many users don’t change their passwords from the default setting. Also, hackers can send thousands of passwords to an extension in just a couple of minutes. In many cases, it doesn’t take long for the hackers to guess the correct password and logon to the IP-PBX system.

Once a hacker has access to the system, there are many ways in which they can disrupt the IP telephony network and potentially cause the business to lose large sums of money. One of the most common attacks, and indeed one of the most damaging, is when professional criminals attach an entire call centre to the compromised network connection, routing thousands of calls over the one connection in a short period of time.

Depending on how the IP-PBX routes its calls, and how regularly the company receives its bills, this activity can continue for months before being discovered, running up an astronomical telephone bill.

While this is the primary way for hackers and fraudsters to take advantage of a poorly-protected system, weak passwords and a lack of encryption in an IP-PBX infrastructure can leave the doors wide open to other types of malicious activity. For example, as a result of the computerised nature of IP telephony, it is much simpler than with fixed-line telephones to secretly record internal calls.

Rather than having to install a physical device, calls can simply be recorded using the right software. Often, this kind of threat comes from an employee inside the organisation, making it difficult to protect against. If a company is using an unencrypted VoIP protocol, then there is no barrier in place to stop calls from being recorded. Even if the threat doesn’t come from an employee, for outside groups with an interest in recording a company’s telephone conversations, a trojan could be used to install the recording tool.

What can be done to secure your IP telephony?

To secure an IP-PBX system, there are a several steps companies should take. Firstly, administrators need to keep a close eye on the system to monitor for any signs of an attempted attack, and act quickly to ensure successful ones are addressed at an early stage.

As highlighted earlier, one of the major reasons that IP-PBX systems are compromised is because hackers are able to easily break into a system that uses weak passwords. Often, the password won’t be changed from the default ‘password’ or ‘admin’, or will be changed to something easy to remember, such as the company name. Including numbers and symbols can increase the security of a password significantly, and make it much more difficult for a hacker to crack.

Yet even with strong passwords protecting every extension on the IP network, hackers will still try to break a system’s defences. As they can try so many passwords in a short space of time, it is worth their time to try an attack, as the chances are that eventually they will guess the correct password. For a business, this presents a very real risk, as it is difficult and time consuming to constantly monitor the IP telephony system for attempts at illegal access.

When an attack has been successful, and the hackers start routing unauthorised calls through an extension, it is very difficult for the administrator to see that this is happening. If legitimate users don’t notice a problem, then there is nothing to alert the administrator that the IP-BPX has been compromised.

This means that the hackers have free rein to route thousands of calls through the extension, and the company only finds out when it receives a large bill from its service provider. As a precaution, setting a monthly call limit with your service provider can reduce the effect of this. Of course, even a month of unauthorised calls can have a serious impact on a business.

Make the change before it is too late

IP telephony is going to be a much bigger part of corporate communication infrastructures over the coming years. While IT security is slowly but surely getting stronger, the same can’t be said of IP telephony systems, as the administrators of these systems often don’t realise the level of the danger faced.

The monetary loss that can be caused by a successful hack can far outweigh the original investment in the system. Yet the measures that need to be taken to protect the business are relatively simple, and don’t require a massive investment in hardware and software.

Once the right security measures have been put into place, then administrators can drastically reduce the chances of being on the receiving end of a successful hacking attack and ensure that the transition to a secure system is a simple and painless process.

Jonathan Greenwood has created and managed several startups within the telecommunications industry during the past 9 years. Previously a software engineer at Pancredit, he worked on several major projects within the financial industry. He transitioned from financial systems software development to telecommunications while at pbxnsip Europe, where he was responsible for the entire operations for Europe, Middle East, and Africa. Jonathan is now managing director of snom UK and is also product manager for snom ONE.