The perils of VoIP

01 Dec 2010

You may be confident that your computer system is secure from intruders, but have you ever thought about your phones?
More businesses are switching to internet-based, or VoIP, services these days and many don’t realise that VoIP systems, if not properly secured, can be hacked. “Once you’ve got access to the company’s network, then you can often eavesdrop on phone calls, harvest voicemail, make free calls; you can even impersonate people,” says John McColl, consultant for
For a hacker, the easiest way into a company’s VoIP phone system is through the port used by the Session Initiation Protocol (SIP) to initiate calls. That port, numbered 5060, is the one hackers look for, and if it is left open, it’s tantamount to inviting them in.
The most common form of abuse of hacked VoIP systems comes through premium (especially long-distance) phone calls. Businesses often don’t discover these intrusions until they receive their phone bill. Australian network companies have told of clients getting bills for $100,000 worth of unauthorised calls placed over compromised VoIP servers. Access codes are also fetching big money on the black market; a single code can be on-sold numerous times, at around $US100 a pop.
But the potential for industrial espionage through phone hacking is obvious. “If I wanted to find out trade secrets I’d hack your VoIP,” says McColl. Imagine the damage that could be done if a hacker tapped into an important meeting being conducted by audio or video conference.
Such hacking could even compromise a building’s security. The hacker could call the security desk, telling the guard to let certain people in. The guard sees only the extension name and number of the caller, which looks genuine because the hacker has logged into the system as a legitimate user.
Skype calls are generally encrypted, so they don’t pose such a big security risk, but open source systems like Asterisk need special protection. ‘Soft phones’ that work through PCs are another point of vulnerability.
To protect your phone system, you need a complete strategy. If staff are required to enter a password or PIN to make their phones work, make sure it is not easy to guess (some businesses just leave the extension number as the PIN).
To protect Port 5060, your server’s firewall needs to know who has access to it. Your VoIP service provider should be the only authorised user. An added protection is to give your provider each individual phone’s media access control (MAC) address (this is usually printed on the back of the phone).
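One way to check the port 5060 advice above is to audit the firewall's saved rules for any rule that accepts SIP traffic from a source other than the provider. The sketch below is an added example, not part of the original article; it assumes a Linux firewall exported in `iptables-save` format, and the function names, sample rules and provider address (a documentation range) are constructed for illustration.

```python
import ipaddress
import shlex

SIP_PORT = 5060
# Constructed excerpt in iptables-save format; addresses are documentation ranges.
SAMPLE_RULES = """\
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 5060,5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
"""

def covers_sip(spec):
    """True if a port spec such as '5060', '5060,5061' or '5000:6000' includes 5060."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= SIP_PORT <= high:
            return True
    return False

def audit_sip_rules(ruleset, provider_nets):
    """Return INPUT ACCEPT rules that admit port 5060 from outside provider_nets."""
    allowed, findings = [ipaddress.ip_network(n) for n in provider_nets], []
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) < 2 or tok[:2] != ["-A", "INPUT"]:
            continue
        # Map each option to (value, negated); "! -s x" means "everyone except x".
        opts = {t: (tok[i + 1], i > 0 and tok[i - 1] == "!")
                for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j", ("", False))[0] != "ACCEPT":
            continue
        port = opts.get("--dport") or opts.get("--dports")
        if port is None or not covers_sip(port[0]):
            continue  # rules with no port match are out of scope for this check
        src = opts.get("-s")
        if src is not None and not src[1]:
            net = ipaddress.ip_network(src[0], strict=False)
            if any(net.version == a.version and net.subnet_of(a) for a in allowed):
                continue  # source is limited to the provider
        findings.append(line.strip())
    return findings

if __name__ == "__main__":
    for rule in audit_sip_rules(SAMPLE_RULES, ["203.0.113.10/32"]):
        print("SIP open beyond provider:", rule)
```

Rules that accept traffic without naming a destination port are not examined here, so a blanket `ACCEPT` still needs a separate review.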