The Shodan search engine has been described as the “scariest search engine on earth,” and with good reason: It is a search engine that helps hackers find vulnerable target devices. If you’ve ever wondered how hackers find computers, VoIP servers and Internet-of-Things devices to exploit, now you know.
Just as the Internet and the cloud have made communications easier, they have also in many ways made them less secure.
VoIP is no exception. Hackers can exploit VoIP for conversation eavesdropping/sniffing, default password discovery, hacked voicemail, identity spoofing, man-in-the-middle exploits, denial of service (DoS) attacks, toll fraud and Web-based management console hacks.
“While hackers are continually discovering new ways to attack VoIP systems, there are some established favorite approaches,” notes Bev Robb on the Dell Power More blog. “Also known as ‘footprinting,’ these techniques rely on information that unsuspecting VoIP users make publicly available.”
With footprinting, hackers use information publicly available online to gain an edge against their VoIP target.
For instance, a hacker has hit gold when he finds write-ups such as this online: “He or she will also be responsible for integrating the SHORETEL VoIP system with CISCO VoIP,” as Robb has noted.
The takeaway is that businesses need to be more conscious of VoIP as a potential hacking target, and to take specific remedies to keep their communications safe in the digital age.
These include separating data traffic from voice traffic by creating two VLANs, protecting the remote admin interface with a complex password and non-standard port, encrypting sensitive voice traffic using Secure Session Internet Protocol (SIPS) for protection from eavesdropping and tampering, applying physical and logical protection, creating user names that are different from their extensions, and keeping VoIP systems always up to date and patched.
Businesses also should limit calling by device, use encryption to secure calls, set strong security policies, utilize traffic analysis and deep packet inspection (DPI), and properly secure VoIP gateways. Further, using a strong 6-digit voicemail passcode or device certificate helps, as does deleting sensitive voicemail messages and removing mailboxes when employees leave the company.
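Three of these account-level recommendations (user names that differ from extensions, strong voicemail passcodes, no mailboxes for departed staff) can be checked against a PBX account export. The script below is an added example, not from the article or any vendor; the column names, the sample rows and the definition of a "strong" passcode (at least 6 digits, not repeated or sequential, not containing the extension) are assumptions.

```python
import csv
import io

# Constructed sample export. Column names are assumptions, not a vendor format.
SAMPLE = """extension,username,vm_pin,employee_active
2001,2001,483920,yes
2002,jmiller,123456,yes
2003,akhan,718305,yes
2004,rlopez,2004,yes
2005,tnguyen,581947,no
2006,pshah,777777,yes
2007,dcole,592007,yes
"""

def pin_weakness(pin, extension):
    """Return the first reason a voicemail PIN is weak, or None if it passes."""
    if not pin.isdigit() or len(pin) < 6:
        return "voicemail PIN is not at least 6 digits"
    if len(set(pin)) == 1:
        return "voicemail PIN repeats one digit"
    if pin in "0123456789" or pin in "9876543210":
        return "voicemail PIN is a digit sequence"
    if extension and extension in pin:
        return "voicemail PIN contains the extension"
    return None

def audit(export_text):
    """Return (extension, finding) pairs for every rule an account breaks."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ext = row["extension"].strip()
        # A user name equal to the extension is guessable from the dial plan.
        if row["username"].strip() == ext:
            findings.append((ext, "username equals extension"))
        reason = pin_weakness(row["vm_pin"].strip(), ext)
        if reason:
            findings.append((ext, reason))
        # Mailboxes should be removed when the employee leaves.
        if row["employee_active"].strip().lower() != "yes":
            findings.append((ext, "mailbox exists for departed employee"))
    return findings

if __name__ == "__main__":
    for ext, finding in audit(SAMPLE):
        print(f"{ext}: {finding}")
```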
As with all things digital, protecting against hacking should be a priority for businesses using VoIP.