Voice Over Internet Protocol (VOIP) has recently become an interesting talking point in regards to PCI Compliance. If you aren’t taking the security of your VOIP seriously, you could be putting your entire organisation at risk; and could be liable for loss of cardholder data. It’s not as simple as just segmenting it away, there needs to be controls in place to prevent hackers from accessing that network segment among other security methods.
Before we delve too deep, lets cover some basics.
What is VOIP?
Voice Over Internet Protocol in simple terms, is a phone service delivered over the internet. If you have access to a fairly quick internet connection, you should be able to have a phone service delivered through said internet connection; rather than via a typical telephone company.
VOIP has introduced an alternative way of making phone calls that is often very cheap and sometimes even completely free. A report from Ibisworld Research showed that VOIP was the fastest growing technology of the past decade (at an incredible rate of 179,035%, compared to the number 2 slot which grew at 1,656%).
There are three ways you can make a VOIP call.
- Utilising an Analog Telephone Adaptor (ATA): An ATA allows you to connect a standard phone to your computer. It takes the analog signal from your telephone and converts it into a digital signal for transmission over the internet connection.
- IP Phones: They look just like normal phones, with a handset and buttons, but they have one big difference. They connect directly to your router and have all of the hardware necessary built in to make VOIP calls.
- Computer to computer: This is probably the easiest method of making a VOIP call. There are a lot of companies offering free VOIP software, so all you need is a microphone, a computer, a sound card and an internet connection.
Security threats facing VOIP:
Unfortunately, just like any other internet connected service/device, VOIP calls are vulnerable to hacking. We will go into further detail on how to protect your environment later on, but for now lets look at the most common threats that affecting VOIP calls.
- Eavesdropping: Through eavesdropping, hackers are able to obtain sensitive information and important credentials such as names, passwords, phone numbers and most importantly, credit card information. There are a large number of nodes on the path between the two communicating entities; if an attacker compromises one of these nodes, they’re able to access the IP packets flowing through said node. There are tools available that allow them to save the conversations and play them back on a computer.
- Vishing: Vishing, as you can probably guess, is VOIP’s answer to phishing. It often involves a third party calling you pretending to be a trusted organisation (like a bank or building society) requesting sensitive information.
- Malware: VOIP software is vulnerable to malware. They run on PC’s just like other applications and thus can be exposed to viruses and other malicious code.
- Denial of Service: By flooding the target with unnecessary call-signalling messages, an attacker can cause the service to significantly degrade. This can cause a call to drop before intended and will halt call processing.
- Man-in-the-middle attacks: VOIP is especially susceptible to man-in-the-middle attacks. The malicious actor can intercept call-signalling message traffic and pretend to be the called party. Once the attacker is in this position they can hijack calls via a redirect server.
Well, why use a VOIP service then?
Generally speaking there are two main reasons for using a VOIP service: lower cost and increased functionality. Aside from making phone calls, you can also conduct video-conferences; bringing a new dimension to client interaction.
How to protect your VOIP:
- Deploy configured firewalls: By utilising a properly configured firewall and intrusion prevention system, you can monitor and filter malicious VOIP traffic and track unusual voice activities.
- Segment your VOIP from the rest of the network: Alongside logically separating the VOIP from the rest of the network, you should implement access controls such as two-factor authentication for administration access. Don’t forget that physical segmentation is an important factor when keeping your data safe. Take the time to physically lock VOIP servers away. Closely monitor your VOIP segment and generate alerts any time a device is plugged in or unplugged.
- Ensure all software and operating systems are up-to-date: Exploits and vulnerabilities are readily available for software running older versions. If your software isn’t updated, it’s likely an attacker will be able to access your systems with relative ease. To give you an example of out of date software, our research shows that 86% of Magento based websites running out of date software could be hacked in under an hour. Whilst this isn’t exactly the same as hacking VOIP calls, the principal remains; install updates.
- Install Anti-Virus software and keep it updated: Anti-Virus software is useless if you don’t keep it updated. New malware strains are being created all the time and if your Anti-Virus isn’t kept updated, new attack vectors won’t be detected.
- Apply encryption methods: Be sure when encrypting the voice traffic that you’re not just encrypting indiscriminately. Doing so could result in network latency. Instead, try to apply encryption by segment, device, or user. Encrypt the signalling at your internet gateway using SIP (Session Initiation Protocol) over TLS (Transport Layer Security) and encrypt media packets with protocols such as SRTP (Secure Real-time Transport Protocol).
With VOIP becoming a rising trend among businesses, it’s only a matter of time before we see a large-scale breach. Keeping financial data safe is the back bone of PCI compliance, but we are seeing a paradigm shift with the introduction of GDPR; which puts personally identifiable information in the spotlight. If you’re a business that operates VOIP, you’ll need to bare this new regulation in mind when considering what topics you discuss during the call.