Security Risk of VOIP
Virtual or Real?
As far back as February of 2005, the National Institute of Standards and Technology (NIST) advised federal agencies and large organizations, such as universities, to proceed with caution when considering the switch from traditional telephones to Voice Over Internet Protocol (VOIP), since anything that is online is subject to security risks and issues. Was this just a fear of the virtual unknown, or was NIST's concern based on real-world issues?
Real enough to many, it seems. Take Sunbelt Software, who, once upon a time, got socked with a huge phone bill showing a variety of long-distance calls to locales throughout the Middle East. It didn't take a genius to figure out that the company had been attacked by a phone phreak, a VOIP hacker who figures out how to get into a phone system through the helpful feature known as remote access.
Here's how it works: the phreaker, posing as the true user who just wants to check his voice mail, figures out your extension's password and sets things up so that inbound calls get forwarded to a different location. At this point, whenever the phreaker calls in, he can make calls to anywhere in the world and you end up with the charges on your bill.
In the case of Sunbelt Security, someone had really messed up: the unnamed, most likely former, employee had set the password to the same number as the extension. As Stu Sjouerman, president of Sunbelt Software, put it, "That's just inviting disaster."
But an intruder making calls on your tab isn't the only security risk companies need to take into account when making the switch to VOIP. VOIP makes it possible for a computer virus to stop your phones from working, giving you a whole new class of security attacks to face. Most everyone is excited about VOIP as a new technology for voice communication, but not everyone realizes that it runs on the same infrastructure through which viruses, worms, and Trojan horses attack your PC (see: http://www.learn-source.com/vulnerabilities-in-computing.html).
But all this is putting the cart before the horse. There's no reason not to partake of this fantastic new technology. Just take some precautions, please. And, in fact, the precautions you need to take are no different than those you should be employing for traditional phone systems.
The main issue in protecting your system revolves around choosing a password. Many phone systems no longer allow predictable or repetitive passwords such as 123654 or 33333. You can also check to see if your phone system does the intelligent thing and locks out remote-access users if they punch in the wrong password several times running. Restrictions on long-distance calling are yet another security measure you may wish to consider. "It's very easy to shut down particular country codes," Sjouerman said. "This can immediately limit your exposure to phone phreaking."
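The password checks and lockout described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any phone system vendor; the names pin_weaknesses and RemoteAccessGuard, the minimum length of 4 and the limit of 3 failed attempts are assumptions, and the extension and PINs used with it are constructed.

```python
import hmac

MIN_LEN = 4        # assumed minimum PIN length
MAX_FAILURES = 3   # assumed value for "several times running"

# Phone keypad as (row, col), used to spot walks such as 123654.
KEYPAD = {d: divmod(i, 3) for i, d in enumerate("123456789")}
KEYPAD["0"] = (3, 1)


def pin_weaknesses(extension, pin):
    """Return why a remote-access PIN is predictable; an empty list means acceptable."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not numeric"]
    reasons = []
    if len(pin) < MIN_LEN:
        reasons.append("too short")
    if extension and extension in pin:      # the Sunbelt mistake: PIN equals extension
        reasons.append("contains the extension")
    if len(set(pin)) == 1:                  # e.g. 33333
        reasons.append("single repeated digit")
    pairs = list(zip(pin, pin[1:]))
    if {int(b) - int(a) for a, b in pairs} in ({1}, {-1}):
        reasons.append("counting sequence")
    # Distance between consecutive keys; a walk never moves more than one key.
    hops = [abs(KEYPAD[a][0] - KEYPAD[b][0]) + abs(KEYPAD[a][1] - KEYPAD[b][1])
            for a, b in pairs]
    if len(set(pin)) > 1 and max(hops) <= 1:
        reasons.append("keypad walk")
    return reasons


class RemoteAccessGuard:
    """Lock an extension's remote access after MAX_FAILURES consecutive wrong PINs."""

    def __init__(self, pins):
        self.pins = pins        # extension -> PIN (sample data; store a hash in practice)
        self.failures = {}      # extension -> consecutive failed attempts

    def attempt(self, extension, pin):
        if self.failures.get(extension, 0) >= MAX_FAILURES:
            return "locked"     # stays locked until an administrator resets it
        stored = self.pins.get(extension)
        if stored is not None and hmac.compare_digest(pin.encode(), stored.encode()):
            self.failures[extension] = 0
            return "ok"
        self.failures[extension] = self.failures.get(extension, 0) + 1
        return "denied"
```

Running pin_weaknesses over every mailbox on the system gives the list of extensions whose passwords need to be changed before remote access is left enabled.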