ECommerceTimes.com

The New Security Risk of VoIP

They have their networks locked tight, their data hidden behind firewalls and their e-mail scanned by virus protection software. But too many IT managers and security officers overlook a crucial security risk: the telephone system. As voice over IP (VoIP) setups become more common within enterprises, the risk of compromise of phone services is on the rise.

"When it comes to telephone systems, we're so comfortable that when a security breach occurs, it's like being punched by someone you love -- you're just not expecting it," Jim Puchbauer, director of marketing at AltiGen Communications, told the E-Commerce Times.

Phreaked Out

Theft by phone is not a new concept, but as corporate phone systems become more computerized and complex, thieves are finding additional ways of abusing unsuspecting firms.

One case in point is Sunbelt Software, which once found itself facing a sky-high phone bill that showed long-distance calls to locations all over the Middle East. The company was a victim of phone phreaking, in which an intruder gains access to a phone system through its remote access features.

By posing as a legitimate user checking voice mail, the intruder can guess an extension's password and then forward inbound calls placed to that extension to another location. The next time the phreaker calls in, he or she can dial out to anywhere in the world -- with the victim picking up the tab.

"Someone had a password that was set to the same number as their extension number," Stu Sjouwerman, president of Sunbelt Software, told the E-Commerce Times. "That's just inviting disaster."

The perpetrator then found a way to dial out from Sunbelt's offices, running up thousands of dollars in long-distance charges.

Down for the Count

Add a VoIP phone system to the picture, and companies face an even greater array of threats.

"This is the first time that a computer virus can stop your telephones from working," Mark Lobel, a senior manager at PricewaterhouseCoopers, told the E-Commerce Times. "There is a whole new class of attacks that can occur.

"The essence of the problem is that everyone is looking at this as a new technology for voice -- the way we're sending voice communications is absolutely new," Lobel added. "But the data is still riding on the same infrastructure that was pounded by recent problems like SoBig."

Cutting the Lines

To protect both traditional and IP-based phone systems, companies first must evaluate their existing security measures. At the top of the list is password management. Many phone systems do not allow users to choose passwords that are predictable or repetitive, such as 12345 or 22222. Ideally, phone systems also should lock out remote-access users if the wrong password is entered multiple times, Puchbauer said.

Phone system administrators also should restrict users' abilities to make long-distance calls.

"It's very easy to shut down particular country codes," Sjouwerman said. "This can immediately limit your exposure to phone phreaking."

Puchbauer also recommends that phone administrators require users dialing into the system from a remote location to enter an account code before dialing long-distance.

By taking similar precautions to the ones mentioned above, Sunbelt has avoided another telephone break-in. The company has locked down multiple country codes and has instructed its carrier to alert Sunbelt when "strange calls go out at strange hours," Sjouwerman said.
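The precautions in this section can be expressed as three small checks: a voicemail PIN policy, a remote-access lockout, and a call-record review. This is an added example, not code from the article or from any phone vendor. The failure threshold, country codes, business hours and record fields are assumptions made for the sketch.

```python
from datetime import datetime

# Assumed policy values for this sketch; none come from the article.
BLOCKED_COUNTRY_CODES = ("964", "98")   # constructed examples
HOME_COUNTRY_CODE = "1"
MAX_FAILURES = 3

def weak_pin(extension, pin):
    """Return the reasons a voicemail PIN should be rejected."""
    if not pin.isdigit():
        return ["not numeric"]
    reasons = []
    if pin == extension:
        reasons.append("same as extension")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    # Digit-to-digit steps: all +1 or all -1 (mod 10) means a run like 12345.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential run")
    return reasons

class RemoteAccessLockout:
    """Refuse remote logins for an extension after MAX_FAILURES bad PINs."""
    def __init__(self):
        self.failures = {}
    def attempt(self, extension, pin_ok):
        if self.failures.get(extension, 0) >= MAX_FAILURES:
            return False                      # locked until an admin resets it
        if pin_ok:
            self.failures[extension] = 0
            return True
        self.failures[extension] = self.failures.get(extension, 0) + 1
        return False

def flag_call(call):
    """Return the reasons one call record deserves a second look."""
    dest = call["dest"].lstrip("+")           # assumes E.164-style numbers
    start = datetime.fromisoformat(call["start"])
    reasons = []
    if dest.startswith(BLOCKED_COUNTRY_CODES):
        reasons.append("blocked country code")
    if not dest.startswith(HOME_COUNTRY_CODE):
        if start.weekday() >= 5 or not 8 <= start.hour < 18:
            reasons.append("international call outside business hours")
        if call["remote"] and not call.get("account_code"):
            reasons.append("remote caller gave no account code")
    return reasons

# Constructed sample record: a call placed at 02:14 on a Sunday.
SAMPLE = {"dest": "+9647005550100", "start": "2003-09-14T02:14:00",
          "remote": True, "account_code": None}
```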

Casting a Wide Net

Still, the enterprise world is far from inoculated against phone-based security threats.

"When it comes to voice over IP, plenty of companies out there are not doing the blocking and tackling," PricewaterhouseCoopers' Lobel noted. "Those that have been burned are taking security measures. But most others are not. And there is no reason to think that because voice over IP runs over the same platforms that are currently affected by viruses, worms and hackers that the situation [with VoIP systems] is going to be any different."

Indeed, to keep VoIP systems up and running, companies must make their protection a standard element of an overall security plan.

"You have to determine what your threats and vulnerabilities are," Lobel said, "and then you have to make VoIP a standard part of the patching process.

"In fact," he added, "you should probably consider the risk associated with VoIP systems to be as high as the threats to your organization's most sensitive data. If someone in your IT department gets paged when your firewall goes down, they should also be paged when 40 new voicemail boxes mysteriously appear on your IP system."

In the final analysis, although VoIP can present more risks than traditional phone service, it still is worth the hassle, according to Lobel.

"There are clear economic benefits to voice over IP," he said. "New features and benefits are coming online every day. Really, the future capabilities of the service are limited only by your imagination."


More by Lesley Hensell


Talkback: Join the Discussion.
Re: The New Security Risk of VoIP
bmforbes
Posted 2003-10-02
There is a new emerging technology that resolves security risks for these new IP Communications ...
