Ainsley Jones discusses how more companies are turning to Voice over Internet Protocol (VoIP) as their phone service. I can see why – it saves money on what is typically a major expense.
However, news of a hacker pleading guilty to making over $1 million by selling VoIP minutes and routing them through telecommunications companies is a good reminder that, like anything that involves the Internet and communications, VoIP comes with security risks.
A white paper from McAfee Labs stated that in 2006, there were fewer than 20 vulnerabilities in VoIP. That number has tripled in the past three years.
McAfee lists a number of security issues with VoIP that range from protocol-level attacks like eavesdropping:
“Eavesdropping attacks can occur because the media transport protocol that carries the conversation lacks encryption in many default configurations. This is the case when using RTP as the media transport layer. For a superior solution, you should use secure RTP (SRTP), which provides both encryption and authentication”
to application-level attacks like vishing:
“We have long verified personal information by phone, and we’re generally accustomed to trusting that the callers are who they claim to be. With traditional phone calls we can often track a caller to a physical location and we often rely on caller ID to provide identification. With VoIP these safeguards are gone. Calls can come from anywhere on the Internet and the caller-ID verification can easily be spoofed. Cybercriminals are now exploiting this anonymity using “vishing” techniques, the combination of VoIP and caller-ID spoofing. Much like phishing, a vishing attack often looks like a financial institution that is asking for personal information such as credit card and social security numbers. We have seen reports of a few of these attacks. In one recent example an email appeared to be from a bank and offered a local VoIP number for contact. Because the number was local, it added legitimacy to the email. With caller IDs so easily spoofed and VoIP numbers so easily created, we anticipate there will be many more of this type of social engineering attack.”
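The RTP versus SRTP distinction in the eavesdropping passage above can be checked in the SDP bodies that SIP endpoints exchange to negotiate media. The following is an added example, not taken from the McAfee paper or this post; it assumes SIP/SDP signalling, and the function names and the sample offer are constructed for illustration.

```python
# Added example: classify each media stream in an SDP body by its transport.
PLAIN = {"RTP/AVP", "RTP/AVPF"}                    # RTP, no encryption
SDES = {"RTP/SAVP", "RTP/SAVPF"}                   # SRTP keyed by a=crypto
DTLS = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}   # SRTP keyed over DTLS

# Constructed sample offer; the key is a placeholder, not real key material.
SAMPLE_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=audio 49172 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER
m=video 0 RTP/AVP 96
"""

def _status(stream, session_attrs):
    if stream["port"] == "0":
        return "disabled"              # port 0 means the stream is rejected
    if stream["proto"] in PLAIN:
        return "plaintext"             # conversation can be read off the wire
    if stream["proto"] in SDES:        # a=crypto is a media-level attribute
        return "srtp" if "crypto" in stream["attrs"] else "srtp-missing-key"
    if stream["proto"] in DTLS:        # a=fingerprint may be session-level
        keyed = "fingerprint" in (stream["attrs"] | session_attrs)
        return "srtp" if keyed else "srtp-missing-key"
    return "unknown"

def audit_sdp(sdp):
    """Return [(media, proto, status)] for every m= section of an SDP body."""
    session_attrs, streams, current = set(), [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1] != "=":
            continue
        kind, value = line[0], line[2:]
        if kind == "m":
            media, port, proto = (value.split() + ["", "", ""])[:3]
            current = {"media": media, "port": port.split("/")[0],
                       "proto": proto.upper(), "attrs": set()}
            streams.append(current)
        elif kind == "a":
            name = value.split(":", 1)[0].lower()
            (current["attrs"] if current else session_attrs).add(name)
    return [(s["media"], s["proto"], _status(s, session_attrs)) for s in streams]
```

Any stream reported as `plaintext` is the default-configuration case the white paper warns about; `srtp-missing-key` flags an offer that names an SRTP profile but carries no keying attribute.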