Toll fraud and phone hacking are by no means a new threat for enterprises, but Voice over IP access lines closely tied to the enterprise network are providing a bigger, more attractive target for hackers.
Service providers are moving their legacy plain old telephone system infrastructure into retirement as enterprises lean toward IP-based phone services. But as voice traffic transitions from traveling via copper lines to Internet-based packets, new vulnerabilities are emerging. The same techniques and tools used to hack into an enterprise network can now be applied to Voice over Internet Protocol (VoIP) connections.
"When very few [businesses] were using VoIP, there was security through obscurity," said Michael Brandenburg, industry analyst at Mountain View, Calif.-based Frost & Sullivan Inc. "But there is much more of an opportunity for hacking and security breaches coming down the road as VoIP and SIP trunks replace the [public-switched telephone networks] PSTN -- and enterprises need to be aware of this change."
Technology and security measures to help prevent toll fraud
Toll fraud has been historically defined as obtaining unauthorized access to PBX resources and placing long-distance calls through the phone system while the service provider remains under the impression that the calls being placed are authentic. But VoIP fraud presents larger security implications than a large phone bill. Voice being transmitted as data could expose the enterprise network in ways that wasn't possible with PSTN lines that were physically separated from the enterprise network. As a result, IT organizations must protect voice traffic at the network edge. Enterprise session border controllers (E-SBCs) are the first line of defense for enterprises, Brandenburg said.
Genband, a Frisco, Texas-based multimedia and cloud communications vendor, offers SBCs for service providers as well as enterprises. While PBX hacking and VoIP hacking aren't currently widespread problems for enterprises, they do exist, and Genband's customers have VoIP security on their radars, said Ashish Jain, director of solutions marketing for Genband.
"Our SBCs provide proper analysis of the call patterns and take proactive [steps] to alert and block [potential threats and exposures] at the right time. The enterprise SBCs provide active monitoring and adaptive security to prevent VoIP fraud," Jain said.
Like Genband, Cisco Systems also offers enterprise SBCs, but historically, it has also offered the ability to encrypt SIP signaling and media with its Unified Communications Manager to protect against eavesdropping or unauthorized access. Cisco also began rolling out new security measures for Jabber, its instant messaging client.
More on toll fraud:
Report: Mobile malware, toll fraud on the rise
VoIP security: Issues, training and best practices
VoIP toll fraud a growing concern
Building encryption and certificate-based authentication capabilities into communication tools by default is great for businesses that may have limited security resources and expertise. "If voice or video traffic is going out to the Internet, we need to make sure those streams are protected and not available to the wrong person," said Kevin Roarty, technical marketing engineer for Cisco's collaboration technology group. "This is giving peace of mind to enterprises starting to use VoIP and cloud services."
Firewalls and encryption won't stop every kind of threat, however. Many audio conference lines leave enterprises "flying blind," without the ability to see names or phone numbers that may have entered the conference without permission after obtaining a password fraudulently, Roarty said. Cisco's WebEx platform for voice and video conferencing offers visibility into who is on the call by providing roster functionality. Cisco also offers administrators the ability to drop unauthorized callers from the conference line and time-of-day routing that can deactivate portions of the dial plan after-hours, which is when toll fraud typically occurs.
Best practices for preventing toll fraud, VoIP hacking
Built-in security measures, tools and technology at the edge of the network will play a critical role in locking down VoIP traffic and preventing new versions of toll fraud. In addition, best practices for VoIP security must be followed by enterprise users.
"Businesses need to take a measured approach to deploying VoIP and follow best practices," Frost and Sullivan's Brandenburg said. "While we haven't seen a large-scale attack on VoIP yet, that doesn't mean people aren't trying."
VoIP phone vendor snom technology AG, headquartered in Berlin, Germany, offers encryption and authentication certificates on its phones, but enterprise IT organizations can't simply rely on technology for security, said Mike Storella, vice president of snom Americas.
Enterprises should also prohibit trivial or recycled passwords [in order] to keep any invalid users from logging in. "Hackers are getting in because enterprises don't set good passwords. Many default passwords on IP phones -- like '1234' -- are well known and never changed," Storella said.
Snom's phones can be locked down to give only authorized end users certain phone privileges and access, similar to an IT-issued corporate laptop with a limited set of features, he said. The company is also offering professional security auditing services for its IP phones to its value-added resellers and customers.
"For enterprises that are new to VoIP and might be a little leery, an audit can help [an organization] figure out if all the available security measures and encryption capabilities are turned on and all the passwords are set," he said.