The previous installment in this series discussed analog telephone threats commonly overlooked in business environments. In this second installment, focus is directed to digital and VoIP phone system threats. While threats like packet capture of VoIP traffic may be obvious, we are going to highlight some less-complicated threats that are easily addressed, providing a large security benefit.
ACCESS TO PROGRAMMING
Physical access is usually the first step in threat analysis, which to summarize from our previous article, businesses need to be aware of who has access to their network, both digitally and physically. Examples range from employee or vendor accessibility to switch rooms containing networking hardware, to the point of entry where the telecom provider’s wiring ends and the business’ begins.
The next step is understanding how the network and telecom systems are designed. Because digital and VoIP phone systems are network-centric, properly securing them requires working alongside network and system administrators. Understanding the structure of a network is necessary to provide beneficial security solutions.
Modern phone systems are managed through web applications running locally on the phone server(s) and as simple as it sounds, passwords used to access these systems present a considerable security threat. A phone system security audit should include these questions:
- Who has access to the passwords?
- Were the default usernames and/or passwords changed?
- How strong a password does the business require for these systems?
These questions are basic; but humans are creatures of habit and convenience. This is sometimes demonstrated in password habits. A recent study by TeleSign suggests 73% of user’s online accounts are guarded by duplicate passwords, meaning if a eavesdropper can access one, they can access multiples. In a business environment, this number is presumably lower, but still remains an issue especially for smaller departments that are stretched thin or overwhelmed. Once access to the administration portal is gained, there are many tasks that can be done to help steal information or disrupt business operations.
In early 2013, researchers at Columbia University demonstrated the ability to use malicious code to hijack a popular brand VoIP business phone. The exploit allowed them to initialize the handset microphone without the end user being made aware while the phone continued working as expected. Exploiting a VoIP phone system requires advanced knowledge in networking and programming, but the researchers proved that it was possible and as more VoIP phones come to market and additional exploits are discovered, I.T. and security professionals must be diligent to address and secure their devices. Keeping firmware updated is another necessity to keep security patches current. Vulnerabilities can run indefinitely until the threat is discovered, the firmware is upgraded, or the phone is removed from service.
HOW TO SECURE
One of the best ways to secure digital and VoIP systems is to educate the principals on what vulnerabilities exist, the implications if vulnerabilities are exploited, and how security procedures should be improved. Unfortunately, security and convenience most times are opposing goals, and every business must decide how far they are willing to go to keep their information secure. Here are some recommendations to lower the risk of digital and VoIP phone system threats.
- Require employees to use more difficult and regularly-changing passwords.
- Implement routine inspections of all network and demarcation points making sure only specific employees can access them.
- Limit remote access to the network system.
- Stay current on updated firmware of all telecom devices.
These changes may be uncomfortable at first for employees, but if the leadership is committed to improving security and understands the threats, then the rest of the business will soon follow.
If there is suspicion a VoIP device is broadcasting unauthorized information, security professionals can utilize REI’s telephone and line analyzer product known as the TALAN™. With built-in VoIP testing capability, the TALAN collects packet information such as source and destination network addresses, header types, and packet statistics. This information helps determine if a device is passing data it should not be and whether the device is threat. Additionally, the TALAN offers advanced filtering and external data collection to USB or compact flash, giving security professionals the ability to perform further in-depth analysis and reporting.
Telecom security is a growing concern, but many security professionals may struggle to keep updated with telecom systems due to the amount of networking knowledge required. However, being able to identify potential threats and recommend procedures to reduce risk provides large security benefits while gaining trust and respect for the security professional.