VoIP Security Penetration

Does your company host its own VoIP system or use a third-party one? Do you use VoIP phones at home or at work? Did you know that VoIP phone systems and SIP phones are susceptible to malicious penetration and fraud? VoIP has many advantages; however, as is usually the case, advantages bring risks. VoIP security and penetration testing should be your first concern when implementing a VoIP or hybrid phone system.

 

Protect Your VOIP from Hackers

Voice over IP, also known as VoIP, is the newest ‘toy’ on the street when it comes to keeping up with the times, lowering communication costs and communicating efficiently. Unfortunately, the conveniences associated with these PBXs cause many purchasers of these next-generation phone systems to overlook the security that the systems demand. A VoIP system is essentially a server. Just as every server needs to be secured and requires penetration testing to ensure it remains secure, so does a VoIP system. VoIP technology is being implemented at a rapid pace, and VoIP fraud is following suit at an equally fast pace! At the current rate of VoIP fraud growth, 2013 is on track to triple the amount of fraud as compared to 2012. A recent report from a watchdog group, the Australian Competition and Consumer Commission (ACCC), detailed over 83,000 fraud complaints in 2011. That is nearly double the number of complaints from 2010, and quadruple the number from 2009. The conveniences and economic savings that VoIP services bring to the market clearly come with risk. U.K.-based fraud management company Revector recently reported that some telcos are reporting net losses of $150 million per year in fraudulent VoIP calls. VoIP penetration testing is essential to helping ensure your VoIP systems remain secure.

VoIP fraud is not just an issue for providers; it’s an issue for users! VoIP fraud is a real, daily recurring reality. It targets phones, phone systems, soft-phones and SIP boxes equally, and is a serious potential problem and liability. Fine print in many contracts makes the end user responsible for the costs incurred by the fraudulent use of VoIP lines, whether hacked via the soft-phone or the SIP box.

LionCageDefender.com’s service scans your IP address, seeks your VoIP system, and attempts to "hack" your VoIP devices just like a hacker would.  We then report back to you what vulnerabilities we discovered and how to fix them.

When a VoIP call is made, the VoIP/SIP phone sends a request to the PBX (whether the PBX is hosted or internal is irrelevant, as only the path varies). The chart below describes the SIP requests involved.

REQUEST     DESCRIPTION
INVITE      The INVITE command is used to invite an account to participate in a call session.
ACK         The ACK command is used to acknowledge the INVITE request.
CANCEL      The CANCEL command cancels a pending request.
REGISTER    The REGISTER command is used to sign in the user with a SIP server.
OPTIONS     The OPTIONS command prepares information about the options of a caller.
BYE         The BYE command drops the VoIP session between two users in a call.
SUBSCRIBE   The SUBSCRIBE command is used to request current state as well as updates.
NOTIFY      The NOTIFY command notifies the system of the status of the request.


When a VoIP or SIP line is hacked, the attacker attempts to mimic a SIP phone by finding the VoIP system and then logging in using the standard commands. Securing your VoIP system is essential. Unlike other hacks, VoIP fraud can add up to tens of thousands of dollars (if not more) very quickly without anyone even realizing that fraud has occurred. We have found that VoIP systems are often configured by techs who are not security-conscious and who simply use the default user names and passwords, not realizing the risks involved. It is ESSENTIAL to change your username and/or passwords. Don’t risk your VoIP account getting hacked and manipulated! For just $9.99 per month we will scan your VoIP lines, find their vulnerabilities, and report back to you with what we have found.

Below are some useful tips for securing your VoIP devices:
  1. Make sure that all default passwords for both the VoIP phones and the PBX are changed.
  2. Disable ports and access to the system following multiple failed logins.
  3. Set up a notification alarm to notify an administrator of failed attempts.
  4. Ensure that entry to the VoIP system is secured with encrypted challenge/response authentication.
  5. Ensure that all VOIP system administration ports are on a secure subnet.
  6. Ensure remote access to PBX and Voicemail is configured with authentication.
  7. Ensure that system speed dialing is controlled by business need and is not accessible and/or controlled through an unsecured web interface.
  8. Set and enforce standards for complex passwords for voice message mailboxes and SIP passwords.
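
Tips 2 and 3 can be sketched as follows; this is an added example, not LionCageDefender.com's code. With challenge/response authentication (tip 4) a phone's first REGISTER is always answered with 401, so only rejected REGISTERs that carried credentials are counted. The log format, sample events and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed format (not output of a real PBX):
# timestamp, SIP method, response code, source IP, and auth=1 when the request
# carried credentials (auth=0 is the first, always-challenged attempt).
SAMPLE_LOG = """\
2013-05-01T02:14:00 REGISTER 401 src=198.51.100.20 auth=0
2013-05-01T02:14:00 REGISTER 200 src=198.51.100.20 auth=1
2013-05-01T02:14:05 REGISTER 401 src=198.51.100.20 auth=0
2013-05-01T02:14:05 REGISTER 200 src=198.51.100.20 auth=1
2013-05-01T02:15:00 REGISTER 401 src=203.0.113.7 auth=0
2013-05-01T02:15:01 REGISTER 401 src=203.0.113.7 auth=1
2013-05-01T02:15:02 REGISTER 401 src=203.0.113.7 auth=1
2013-05-01T02:15:03 REGISTER 403 src=203.0.113.7 auth=1
2013-05-01T02:20:00 REGISTER 401 src=192.0.2.44 auth=1
2013-05-01T02:23:00 REGISTER 401 src=192.0.2.44 auth=1
"""

def parse_event(line):
    ts, method, code, src, auth = line.split()
    return (datetime.fromisoformat(ts), method, int(code),
            src.split("=", 1)[1], auth == "auth=1")

def find_lockouts(log_text, max_failures=3, window=timedelta(seconds=60)):
    """Tip 2: {source_ip: time the threshold was crossed}; input in time order."""
    recent, lockouts = defaultdict(deque), {}   # recent: IP -> failure times
    for line in filter(str.strip, log_text.splitlines()):
        ts, method, code, src, had_auth = parse_event(line)
        # A failed login is a REGISTER that carried credentials and was still
        # rejected; the unauthenticated 401 challenge is normal traffic.
        if (src in lockouts or method != "REGISTER" or not had_auth
                or code not in (401, 403)):
            continue
        failures = recent[src]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        if len(failures) >= max_failures:
            lockouts[src] = ts
    return lockouts

def admin_alerts(lockouts):
    """Tip 3: one notification line per locked-out source."""
    return [f"{ts.isoformat()} block {src}: repeated failed SIP REGISTER"
            for src, ts in sorted(lockouts.items())]

if __name__ == "__main__":
    print("\n".join(admin_alerts(find_lockouts(SAMPLE_LOG))))
```

On the sample data only 203.0.113.7 is locked out; the two failures from 192.0.2.44 are three minutes apart and stay under the threshold.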

As with any crime of opportunity, hackers are lazy. If they attempt to break into your VoIP system and run into the safeguards listed above, there is a good chance that they'll move on to an easier target. Sign up today and help ensure your VoIP system remains secure.