Foregenix Blog

Jake Dennys

Is VOIP The Weak Link In Your Security Chain?

07/03/18 09:54

Voice Over Internet Protocol (VOIP) has recently become an interesting talking point in regards to PCI Compliance. If you aren’t taking the security of your VOIP seriously, you could be putting your entire organisation at risk; and could be liable for loss of cardholder data. It’s not as simple as just segmenting it away, there needs to be controls in place to prevent hackers from accessing that network segment among other security methods.

Before we delve too deep, lets cover some basics.

What is VOIP?

Voice Over Internet Protocol in simple terms, is a phone service delivered over the internet. If you have access to a fairly quick internet connection, you should be able to have a phone service delivered through said internet connection; rather than via a typical telephone company.

VOIP has introduced an alternative way of making phone calls that is often very cheap and sometimes even completely free. A report from Ibisworld Research showed that VOIP was the fastest growing technology of the past decade (at an incredible rate of 179,035%, compared to the number 2 slot which grew at 1,656%).

There are three ways you can make a VOIP call.

  • Utilising an Analog Telephone Adaptor (ATA): An ATA allows you to connect a standard phone to your computer. It takes the analog signal from your telephone and converts it into a digital signal for transmission over the internet connection.
  • IP Phones: They look just like normal phones, with a handset and buttons, but they have one big difference. They connect directly to your router and have all of the hardware necessary built in to make VOIP calls.
  • Computer to computer: This is probably the easiest method of making a VOIP call. There are a lot of companies offering free VOIP software, so all you need is a microphone, a computer, a sound card and an internet connection.

voip2-1.png

 

Security threats facing VOIP:

Unfortunately, just like any other internet connected service/device, VOIP calls are vulnerable to hacking. We will go into further detail on how to protect your environment later on, but for now lets look at the most common threats that affecting VOIP calls.

  • Eavesdropping: Through eavesdropping, hackers are able to obtain sensitive information and important credentials such as names, passwords, phone numbers and most importantly, credit card information. There are a large number of nodes on the path between the two communicating entities; if an attacker compromises one of these nodes, they’re able to access the IP packets flowing through said node. There are tools available that allow them to save the conversations and play them back on a computer.
  • Vishing: Vishing, as you can probably guess, is VOIP’s answer to phishing. It often involves a third party calling you pretending to be a trusted organisation (like a bank or building society) requesting sensitive information.
  • Malware: VOIP software is vulnerable to malware. They run on PC’s just like other applications and thus can be exposed to viruses and other malicious code.
  • Denial of Service: By flooding the target with unnecessary call-signalling messages, an attacker can cause the service to significantly degrade. This can cause a call to drop before intended and will halt call processing.
  • Man-in-the-middle attacks: VOIP is especially susceptible to man-in-the-middle attacks. The malicious actor can intercept call-signalling message traffic and pretend to be the called party. Once the attacker is in this position they can hijack calls via a redirect server.

Well, why use a VOIP service then?

Generally speaking there are two main reasons for using a VOIP service: lower cost and increased functionality. Aside from making phone calls, you can also conduct video-conferences; bringing a new dimension to client interaction.

How to protect your VOIP:

  • Deploy configured firewalls: By utilising a properly configured firewall and intrusion prevention system, you can monitor and filter malicious VOIP traffic and track unusual voice activities.
  • Segment your VOIP from the rest of the network: Alongside logically separating the VOIP from the rest of the network, you should implement access controls such as two-factor authentication for administration access. Don’t forget that physical segmentation is an important factor when keeping your data safe. Take the time to physically lock VOIP servers away. Closely monitor your VOIP segment and generate alerts any time a device is plugged in or unplugged.
  • Ensure all software and operating systems are up-to-date: Exploits and vulnerabilities are readily available for software running older versions. If your software isn’t updated, it’s likely an attacker will be able to access your systems with relative ease. To give you an example of out of date software, our research shows that 86% of Magento based websites running out of date software could be hacked in under an hour. Whilst this isn’t exactly the same as hacking VOIP calls, the principal remains; install updates.
  • Install Anti-Virus software and keep it updated: Anti-Virus software is useless if you don’t keep it updated. New malware strains are being created all the time and if your Anti-Virus isn’t kept updated, new attack vectors won’t be detected.
  • Apply encryption methods: Be sure when encrypting the voice traffic that you’re not just encrypting indiscriminately. Doing so could result in network latency. Instead, try to apply encryption by segment, device, or user. Encrypt the signalling at your internet gateway using SIP (Session Initiation Protocol) over TLS (Transport Layer Security) and encrypt media packets with protocols such as SRTP (Secure Real-time Transport Protocol).

With VOIP becoming a rising trend among businesses, it’s only a matter of time before we see a large-scale breach. Keeping financial data safe is the back bone of PCI compliance, but we are seeing a paradigm shift with the introduction of GDPR; which puts personally identifiable information in the spotlight. If you’re a business that operates VOIP, you’ll need to bare this new regulation in mind when considering what topics you discuss during the call.

TRENDING POSTS

David Kirkpatrick
Penetration Testing: The Quest For Fully UnDetectable Malware

Malware continues to be one of the main attack vectors used by criminals to compromise user and ...

Read More
Kirsty Trainer
"Key" to Secure Data - P2PE - Derived Unique Key Per Transaction (DUKPT)

Written by Andrew McKenna, PCI QSA, PCIP at Foregenix The encryption key infrastructure usually ...

Read More

Cyber Security Insights

Jake Dennys
10/09/18 11:37

Using a hosted payment page? This is why you still need to secure your website.

Many companies that host payment pages will boast of their ability to securely process payments. Whilst this may be true, it does not mean that your ...

Read More

Jake Dennys
22/08/18 13:25

Foregenix to join the PCI SSC Global Executive Assessor Roundtable.

We're proud to consider ourselves one of the industry leaders in the cybersecurity arena, and we are constantly striving to share our knowledge with ...

Read More

Akash Sharma
22/08/18 10:50

FGX-Web gets a fresh new look!

FGX-Web gets a fresh new look! Initially, FGX-Web was created to aid our Forensic Analysts in conducting investigations following a data breach. ...

Read More

Jake Dennys
16/08/18 17:12

What can a Website Security Health Check provide you?

Everyday there's another data compromise. Check the news, big breaches are happening all the time - and that's just the high profile ones. It's the ...

Read More

Kirsty Trainer
15/08/18 14:39

P2PE - What are the benefits to retail merchants?

Point-to-Point-Encryption, known to most as P2PE is a standard that is quickly becoming the preferred way for acquirers and merchants to secure ...

Read More