The Flip Side of Using Cloud Telephony Services
By Sujan Thapaliya, CEO and Co-Founder, KrispCall
It is evident that VoIP will be the future of business communications. Historically, it has been difficult to predict whether a call would be reliably forwarded over the internet, but that problem is mostly gone now.
The versatility and adaptability of today’s VoIP platforms allow them to beat traditional landlines in competition. Additionally, they can be configured within minutes, and they come at a significantly lower cost than typical phone setup and maintenance. It’s not surprising that more than 60% of businesses have already migrated to VoIP from landlines.
There are many benefits associated with VoIP phone systems. From affordability to increased functionality, VoIP systems have become more popular because they make businesses run more smoothly and efficiently than traditional phone systems, which is why they have gained such popularity. While all of these benefits are important, one of the biggest downfalls of the technology is its lack of security.
It’s like a phone setup with calls not connected via a traditional phone line but rather over the internet. All internet-connected devices are exposed to hacking, which leaves them at least somewhat vulnerable. Therefore, your VoIP system is less important than your internet network when it comes to security.
Importance of VoIP Security
Are VoIP security concerns really as important as you think they are? The reality is that security breaches via phone systems present a pretty serious threat to everyone, even if you’ve never been a victim yourself.
More than half of businesses in 2018 had their phone numbers hacked through social engineering, a type of scam that disguises itself as a real call to obtain valuable information. In the year 2020, several well-known Twitter accounts were used to promote a cryptocurrency scam that amassed hundreds of thousands of dollars. Among the users were Barack Obama, Kim Kardashian, and Bill Gates.
VoIP security is crucial and cannot be overstated. Furthermore, VoIP technology relies on the web to make calls, so it is susceptible to attacks that target the web. A lax VoIP provider could leave your business open to serious security risks since 24% of Wi-Fi networks in the world lack encryption.
The situation actually deteriorates. The US is not ahead of the worldwide average when it comes to Wi-Fi networks without encryption, as 25% of all networks lack encryption worldwide. Especially if your business is based in Europe, the chances are very high (34% – 44%) that your network is not encrypted, so you should really pick a VoIP company like Krispcall that follows best practices.
Cloud Telephony Security Vulnerabilities
- Packet Sniffing and Black Hole Attacks
As the name suggests, packet sniffing is one of the most common VoIP attacks. With this attack, hackers may steal and log the information included in voice data packets as they travel.
Sniffers attempt to steal information by using packet drop attacks (often called black hole attacks) to prevent voice data packets from reaching their destinations, causing packet loss. By taking control of your router, packet sniffers deliberately drop packets into data streams, causing your network service to be much slower or to stop working completely.
Using packet sniffing, hackers can also collect sensitive data such as usernames, passwords, and credit card numbers.
Use a trusted VPN to send information over the internet to help make your lines more secure. Getting started and getting the system up and running takes some time, but it ensures the safety of information.
By encrypting all data end-to-end and monitoring their networks consistently, users can protect themselves against packet sniffing and black hole attacks. This alerts them to suspected login attempts, unusual devices, and so on.
- DDoS Attacks
According to a survey by Corero, approximately 70% of companies experience at least 20-50 DDoS (distributed denial-of-service) attacks per month.
Despite the fact that they are mostly unsuccessful, the main issue is that cybercriminals are now able to launch DDoS attacks much faster and cheaper with highly capable machines, special tools, and much higher bandwidth than they were previously. This puts businesses of all types and sizes at risk, including large institutions (like banks or enterprises).
During a DDoS attack, criminals use all the bandwidth of a server and overwhelm it with data. This allows hackers to temporarily or permanently interrupt a machine or network so that its users can no longer access it. The VoIP system cannot make or receive calls when that occurs.
However, that’s not all – in the worst-case scenario, the attacker might even gain access to the server’s admin controls.
- Vishing
Vishing uses VoIP to lure your attention, meaning that hackers pretend to be someone or something trusted in order to get sensitive information from you. Credit card numbers, passwords, and more are typically stolen.
Vishing hackers use caller ID spoofing to deliberately confuse potential victims, making their phone number and name appear legitimate. Your bank’s phone number may appear to be the number they call from, claiming your account has been compromised. They can also ask you to do a thing or two, promising to secure your account.
The IT department of the targeted agency should verify all phone requests, regardless of whether they look like they came from within the department. Additionally, agents need to be trained to refrain from disclosing sensitive information unless authorized by their supervisor.
The following signs may indicate a vishing attack:
- There is a great deal of urgency coming from the other end of the line.
- The hacker continuously requests that you provide the information to verify it.
- A call from a known number or an established company that you weren’t expecting
- On Caller ID displays, you may see short and unusual phone numbers.
- Weak Encryption Tools
Obviously, data packets carrying voice data must be encrypted from beginning to end in order to ensure that they cannot be intercepted during transmission. You might encounter this at your network, your ISP, or anywhere in between.
Due to the complexities of voice encryption and the fact that it varies depending on factors like the sensitivity of the voice data you send, this is not something that’s easy to understand. For this reason, Cisco has recommended some basic encryption best practices for its customers, including:
- Balance encryption costs with business-specific requirements while keeping costs low.
- SIP over TLS implementations in your switch fabric should be enabled by your vendor.
- Encrypting mobile device calls with VPNs when packet encryption protocols are not available (e.g., SRTP).
- A secure voice channel protected against eavesdropping during the transmission of packets over public networks.
Cloud security is threatened by APIs by their very nature. You can customize the features of the cloud to match your business needs. They also authenticate users, provide access, and take steps to encrypt data. A comprehensive protection strategy can provide you with all these benefits.
Using encryption is one way in which you can protect your data. Due to this, having a holistic approach to end-to-end encryption is important instead of focusing on both your vendor and network separately. You will be better prepared to handle any potential threats this way.
- VOMIT and SPIT
It may sound like a gross acronym, but VOMIT describes a serious threat to any business. Criminals can steal sensitive information and voice packets straight from calls by using a tool called “Voice over Misconfigured Internet Telephones.” In addition, they can also find out where the call originated, which they can use later in order to intercept everything you say.
The SPIT method consists of sending voicemails or automated calls several times a week. Because spammers have access to so many different tools, they can easily send many messages at once to several IP addresses or pretend to be local businesses when they are actually foreign companies.
If the call is answered, the recipient may end up being redirected to a very expensive phone number from another country, or the messages may contain viruses or spyware.
Is VoIP Secure to Use Then?
You might feel anxious to make internet calls for your business after reading about the risks and dangers of VoIP. The good news is that by learning some basic cybersecurity methods, you can ensure that your calls and data are secure.
- The most effective way to avoid hackers accessing your sensitive info is by encrypting it. Data or messages can still be intercepted, but they will be worthless to hackers with strong encryption.
- Make sure your VoIP platform’s various devices have strong, varied passwords.
- Maintain a security vulnerability testing program.
- Ensure that your tools are always up-to-date.
- Prepare your employees on what to do in the event of phishing attacks.
Conclusion
Currently, VoIP appears to be in a state of evolution, as no widely accepted general security solution seems to be available to address all the challenges it faces. So many methods have been suggested and evolved over the years; VPNs, for example, are good security options, though they sometimes have some shortfalls, such as affecting performance.
Even though VoIP has been the subject of huge amounts of research, more research is needed to identify ways to combat the numerous attacks without drastically decreasing the performance. VoIP over VPN and other already suggested approaches should also be considered.
About the Author
Sujan Thapaliya is the CEO and Co-founder of KrispCall. He has a wealth of computer, communications, and security experience. As well as years of experience in the industry, Sujan has also conducted investigative research into issues such as privacy and fraud. Through KrispCall, he aspires to make business communication safer, reliable, and more affordable. Sujan can be reached online at (sujan@krispcall.com and https://www.linkedin.com/in/sujanthapaliya) and at our company website https://krispcall.com/
Source: www.cyberdefensemagazine.com