Here’s something to add to your anxiety closet. We are starting to hear reports of libraries whose VoIP telephone systems have been hacked. Many of us — especially if we’re old enough to remember rotary dial phones — don’t give much thought to phone security beyond being careful about what we tell people over the phone. But Voice over IP phones are actually internet devices and, like just about everything else connected to the internet, they can be hacked. All of the articles linked below contain suggestions for protecting your phone system from attacks. Of course, some of the suggestions include buying their products, but most are sound advice.
- The forgotten security frontier: How secure are your phone calls? (Techseen | Mykola Konrad) “In the late 1990s and early 2000s, a lot of companies were part of a massive Voice over IP (VoIP) revolution that quietly moved most wired and wireless communications onto IP-based networks through a protocol known as SIP (Session Initiation Protocol). Most consumers weren’t even aware of the change. Prices did get cheaper, phone quality was initially an issue for some of the early adopters, but today it’s nearly impossible to tell the difference between a voice call that traverses the Internet and one that runs over a private network. But here’s the problem: the changeover was so subtle, many people kept thinking of their phone as a device connected to a private network, rather than one connected to the public Internet.”
- Hello, you’ve been compromised: Upward attack trend targeting VoIP protocol SIP (IBM’s Security Intelligence | Michelle Alvarez) “Because VoIP routes calls through the same paths used by network and internet traffic, it is also subject to some of the same vulnerabilities and threats cybercriminals use to exploit these networks. VoIP traffic can thus be intercepted, captured or modified and is subject to attacks aimed at degrading or eliminating service. VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort. This enables attackers to obtain information or facilitate additional scams against their targets.”
- How vulnerable is your SIP? (No Jitter | Andrew Prokop) “I won’t ask for a show of hands, but how many of you log into your SIP phones with a password identical to your extension? If not that, how many of you use ‘1234’? Unfortunately, I come across both all the time. Sometimes these inadequate passwords are due to a lack of understanding of just how dangerous they are, but it’s often the fault of the communications system itself. I don’t want to name names, but I know of some really big communications products that do not provide their VoIP users with an easy way to change the passwords on their endpoints.”
- Call analytics & reporting — How to prevent and detect toll fraud (Comms Trader | Paul Newham) “The problem with VoIP toll fraud is, once a single extension has been hacked, it can easily be used to replicate extra channels, so fraudulent use multiplies very quickly. Huge bills can be run up very quickly, and not only that, the criminals can access sensitive information, such as contacts directories and personal or customer details left on recorded calls.”
Articles from Ohio Web Library:
- VoIP security — Attacks and solutions. (Information Security Journal: A Global Perspective, May 2008, p.114-123 | Santi Phithakkitnukoon, Ram Dantu and Enkh-Amgalan Baatarjav)
- Intrusion detection in voice over IP environments. (International Journal of Information Security, June 2009, p.153-172 | Yu-Sung Wu, Vinita Apte, Saurabh Bagchi, Sachin Garg and Navjot Singh)
- Return of the phone phreakers: Business communications security in the age of IP. (Security: Solutions for Enterprise Security Leaders, April 2011, p.50-52 | Adam Boone)
