Phone hacking blitz hammers UK.biz's poor VoIP handsets

UK businesses are getting disproportionately targeted by a surge of attacks against Voice over IP (VoIP) systems. The growing use of VoIP technology in business and a greater availability of hacking tools that dumb down the process of hacking into systems has led to an increase in attacks worldwide. UK-based systems are being …

  1. Anonymous Coward

    Cold calls

    "UK businesses are getting disproportionately targeted by a surge of attacks against Voice over IP (VoIP) systems"

    Maybe somebody (or multiple somebodies) are just fed up with all the cold calls and are trying to take matters into their own hands...

    1. Anonymous Coward

      Re: Cold calls

      "UK businesses are getting disproportionately targeted by a surge of attacks against Voice over IP (VoIP) systems"

      I have yet to hear of a successful attack against one based on Lync (Skype for Business) though.

      1. Anonymous Coward

        Re: Cold calls

        This is not because Lync is more secure or less secure. Lync uses TCP not UDP and the attacks have yet to really explore this area. If you run SIP with TLS over TCP instead of UDP you will therefore have the same benefit of security through obscurity. For now anyway.

  2. This post has been deleted by its author

  3. Henry 8

    Thinly-veiled advert?

    I agree that sysadmins should remember to include VoIP in their assessment of network security etc. However, I'm afraid I'm always going to be sceptical of a company-produced "study" which essentially ends in an advert where they tell you that the same company just so happens to sell a product which can help solve $problem_covered_in_report

    1. Anonymous Coward

      Re: Thinly-veiled advert?

      "However, I'm afraid I'm always going to be sceptical of a company-produced "study" which essentially ends in an advert "

      el Reg has to make a living too ...

      Anyway, in my experience the problem has actually decreased somewhat as people have wised up and realised their firewall can be quite handy. I still see rather a lot of AWS systems having a bash through the treacle of the fake SIP tarpitted services I provide to the world on my unused IPs. Always handy to see what is going on out there.

      Top tip: Don't even think of relying on your dialplan to stop expensive calls - kill it with fire(wall)

  4. elaar

    Brute forcing passwords should be almost impossible if people used proper passwords for such important systems. You would think people would have learnt this by now.

    When we provide a company with VoIP, all International/premium dialing is disabled. We require a signed disclaimer if they want to allow this on certain extensions, and we also only allow a couple of Group Admins (once they have been adequately trained). A number of times customers have been hacked, and on each occasion they try to blame us.

    1. Anonymous Coward

      "Brute forcing passwords should be almost impossible if people used proper passwords for such important systems."

      Use MD5 or SHA1sums or whatever to generate a stupidly long random SIP password for the handset to use and provision it to handsets securely. Now get users to log in with a mailbox password or similar.

      Firewall trunks to and from your suppliers and between sites by IP address. External end users MUST have a static IP and hence be firewallable OR use a VPN. Dialplans are not the place for attempting security although it will help: always have layers to your security. Don't leave APIs, ftp, web GUIs and the Lord knows what else open to the interwebs.

      I do all the above and more and still worry .....

      1. SImon Hobson

        > Use MD5 or SHA1sums or whatever

        You don't need MD5 or SHA - they impose a limit on the length anyway. On a GNU/Linux system you have a source of random data to hand and can do something like this :

        tr -dc '0-9A-Za-z' < /dev/urandom | head -c 20 ; echo

        "0-9A-Za-z" is the list of characters to allow (edit to your preference), and the 20 is the length you want.

  5. Anonymous Coward

    SIP trunking is to blame. This service puts responsibility into the hands of the customer and as a result fraud is running rampant.

    Yes, it may be possible to secure as a previous comment suggested but this only goes to show that SIP trunks are insecure by design. I know of at least 3 Linx member companies that have had their SIP hacked, surely they can secure this stuff easily? Last week I heard of another tech company with a 50,000 pound hack.

    The Register has published several home grown style articles suggesting companies should use a PBX with VoIP. Best not do this. Hosted environments are the way to go from a company that supplies a phone with secure provisioning.

    Always ask your provider what your limit of risk is and if you don't like the answer ditch them.

    1. Anonymous Coward

      "I know of at least 3 Linx member companies that have had their SIP hacked, surely they can secure this stuff easily? Last week I heard of another tech company with a 50,000 pound hack.

      The Register has published several home grown style articles suggesting companies should use a PBX with VoIP. Best not do this."

      The unnamed tech companies you mention should be more careful. Yes you can secure this stuff easily. All suppliers can provide you a list of IPs where they come from and take calls. Use a firewall. See my comment above. Treat it like IT as well as telephony and you'll be fine.

      Who's your employer, AC?

      1. Anonymous Coward

        Firewalls are important but clearly not stopping hackers in VoIP or any other areas of the Internet.

        SIP trunks are where all the new hacking is stemming from. That's my warnings and yours too!

        My employer doesn't supply SIP trunks. Anyway, I comment here in a personal capacity. What I say about SIP trunks for use on PBXs holds true.

  6. Anonymous Coward

    As above, all extensions should have loooong random passwords - after all, other than when setting up extensions (softphones), there is no need for a human to ever even see it let alone type it. If you can remotely provision your phones then all the better.

    Block all connections at the firewall except for specific known ranges (eg your provider, specific home users*). If you don't then I'll agree that you WILL be subjected to at least one persistent brute force attack - maybe even multiple ones from multiple attackers at the same time as I've seen in the past. A single attack may be megabits of traffic, and thousands of registration requests, per second.

    Interestingly, once an attack has started, some of them do not stop when they stop getting replies. When I read up on this, it seems that one of the tools they use is buggy and keeps going on and on and on ... for days/weeks !

    Yes, I've been ramping up security over the years at work !

    * Better still, block all external traffic and use something like port knocking to allow access as required. I believe this is supported as standard by PBX in a Flash.
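
The source-address allowlisting recommended in the comment above and earlier in this thread, as an added example that is not part of any poster's comment. It assumes a Linux host filtering with nftables; the function, table and set names are hypothetical and the addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example: emit an nftables allowlist for SIP signalling.
# Addresses are constructed documentation ranges (RFC 5737); the
# function, table and set names are hypothetical.

# Succeed only for an IPv4 address or CIDR between /8 and /32.
valid_source() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%/*}
    case $1 in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case $bits in ''|???*|*[!0-9]*) return 1 ;; esac
    # A very wide prefix such as 0.0.0.0/0 would reopen the port.
    [ "$bits" -ge 8 ] && [ "$bits" -le 32 ] || return 1
    case $addr in *.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print a ruleset accepting SIP (5060, TLS 5061) only from the sources given.
sip_allowlist_ruleset() {
    elements=
    for src in "$@"; do
        valid_source "$src" || { echo "rejected: $src" >&2; return 1; }
        elements="${elements:+$elements, }$src"
    done
    [ -n "$elements" ] || { echo "empty allowlist" >&2; return 1; }
    cat <<EOF
table inet sip_filter {
    set sip_allowed {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @sip_allowed udp dport 5060 accept
        ip saddr @sip_allowed tcp dport { 5060, 5061 } accept
        udp dport 5060 drop
        tcp dport { 5060, 5061 } drop
    }
}
EOF
}

sip_allowlist_ruleset 203.0.113.0/24 198.51.100.17
```

The rules cover SIP signalling only; RTP media ports need their own policy. Because the accept rules match IPv4 sources only, SIP arriving over IPv6 falls through to the drop rules.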

  7. bigChrisH

    VoIP is not bad, it's how you deploy it

    These issues are not the fault of VoIP itself, the public internet is a dangerous place for any form of communication if unprotected - but with adequate protection it's a fantastic medium to use.

    It is the lack of awareness and understanding of these risks, as well as the reticence of those offering VoIP to address the insecurities openly that ensure the criminals have these targets to compromise, and therefore a lucrative revenue stream waiting to be plundered !

    In my role at an ITSP I have seen examples of the issues mentioned in the article many times - especially, as mentioned, the steady rise of eavesdropping of calls. However as an organisation that is campaigning for more awareness and for secure VoIP to become the norm we provide solutions for these issues.

  8. Paul_German

    As the article highlights, UK businesses are experiencing a surge of attacks aimed specifically against Voice over IP systems. These attacks include toll fraud, service abuse and most recently, eavesdropping. This knowledge raises the question, why aren’t businesses implementing security alongside VoIP?

    For many UK SMEs it quite simply comes down to cost. These businesses are using VoIP to save money on calls and hardware, but having to implement expensive security defeats the point.

    However, what many UK SMEs aren’t aware of is that, in this environment, security doesn’t have to be costly. With freemium SIP trunk security solutions increasingly available for quick and easy deployment on a SaaS basis, SMEs can help to secure their VoIP as well as providing the foundation for a future-proof defence-in-depth model that spans both voice and data networks.

    Paul German, CEO, VoipSec
