Unified Communications Creates Security Holes

Today’s VoIP-enabled phones combine the features of a computer and a network router in one. The power and accessibility of these phones can be turned against them.

Researchers have found that an unprotected IP phone gateway will be discovered and broken into by hackers located anywhere in the world within a week. Research shows you can expect hackers to use your corporate network to rack up about $2,000 worth of fraudulent calls in just 8 hours, or half the time between the end of one workday and the start of the next one. That’s not just theory; it’s reality.

Enterprise customers hit by “toll fraud” tell experts that they lost on average between $10,000 and $20,000 per month. One company lost $200,000 in a single month due to unauthorized international calls, usually to premium 1-900 numbers such as phone sex lines that charge hefty per-minute fees and from which the hackers directly or indirectly earn a cut. Today’s unified communications (UC) networks mean that VoIP and SIP traffic runs over the same networks as your corporate data. That means that if you don’t take steps to secure your VoIP/SIP networks, you leave your corporate data vulnerable to malware and the hackers who create it.
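The toll-fraud pattern described above (calls to premium 1-900 and international numbers piling up between one workday and the next) shows up in call detail records. The following is an added example, not part of the original article: it scans constructed CDRs and flags extensions whose after-hours spend on high-risk destinations reaches a limit within an 8-hour window. The record layout, the 08:00-18:00 weekday working hours, the `011` international prefix and the $200 limit are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call detail records (not real data):
# (extension, call start, dialed number, duration in seconds, cost in USD)
SAMPLE_CDRS = [
    ("2001", "2024-03-04 10:15:00", "12125550100", 300, 0.25),   # daytime domestic
    ("2001", "2024-03-04 14:02:00", "011442055501", 600, 4.80),  # daytime international
    ("3107", "2024-03-04 22:05:00", "19005550111", 3400, 170.00),
    ("3107", "2024-03-04 23:10:00", "19005550111", 3500, 175.00),
    ("3107", "2024-03-05 00:20:00", "011882555012", 3300, 210.00),
    ("3107", "2024-03-05 01:30:00", "011882555012", 3600, 230.00),
    ("4410", "2024-03-04 21:40:00", "13125550123", 900, 0.75),   # late domestic call
]

def is_high_risk(number):
    """Premium-rate (1-900) or international (011 prefix, or '+' outside +1)."""
    n = number.lstrip("+")
    intl_plus = number.startswith("+") and not n.startswith("1")
    return intl_plus or n.startswith(("1900", "011"))

def is_after_hours(ts, open_hour=8, close_hour=18):
    """True outside Mon-Fri open_hour..close_hour (assumed working hours)."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)

def flag_toll_fraud(cdrs, window=timedelta(hours=8), cost_limit=200.0):
    """Return {extension: peak after-hours high-risk spend in any window}
    for extensions whose spend reaches cost_limit (USD, assumed threshold)."""
    calls = defaultdict(list)
    for ext, start, dialed, _secs, cost in cdrs:
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        if is_high_risk(dialed) and is_after_hours(ts):
            calls[ext].append((ts, cost))
    alerts = {}
    for ext, items in calls.items():
        items.sort()
        lo, running, peak = 0, 0.0, 0.0
        for ts, cost in items:            # sliding window over call start times
            running += cost
            while ts - items[lo][0] > window:
                running -= items[lo][1]
                lo += 1
            peak = max(peak, running)
        if peak >= cost_limit:
            alerts[ext] = round(peak, 2)
    return alerts

if __name__ == "__main__":
    print(flag_toll_fraud(SAMPLE_CDRS))
```

Set the limit well below the losses quoted above so an alert fires early in the night, not after the bill has accumulated.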

For example, using a VoIP phone in a company lobby or public area, a hacker with the right skills and knowledge of open-source tools can gain entrance into the corporate data network. Exploiting all-too-common weak passwords, the hacker can gain access to confidential company information and customer information in a matter of several hours. Again, all of this can be avoided if enterprises take common-sense steps to secure their VoIP/SIP networks. But fail to do so and you expose other potential gaps. Just as hackers have extorted online retailers by threatening to disrupt their Web servers using mass denial of service (DoS) attacks, hackers can extort businesses by threatening to launch worker-crippling DoS attacks against UC networks. Or they can easily steal corporate information, either by eavesdropping on unencrypted VoIP conversations or by breaking into corporate servers.

The number of potentially unprotected pathways into your network is also growing, for two reasons:

  1. The rise of telecommuting and home-based workers (and their often-insecure home Wi-Fi networks).
  2. The explosion in employees using tablets and smartphones at work, especially personally owned mobile devices.

To satisfy workers, companies are extending their VoIP and UC networks out to these endpoints. But in their rush, even healthcare and financial services organizations that operate under heavy security and privacy rules such as PCI DSS or HIPAA are often failing to create or enforce strong security policies protecting these remote outposts.

For example, a company may deploy a VoIP phone to a home office worker without forcing him or her to change the default “1234” access password. In that state, a hacker can easily take control of your phone, either to break into your main corporate network or use it for social engineering purposes. For example, the hacker could change your caller ID to “IT Support” and use it to start calling employees and asking for their login and password details.