Can your office phones be hacked?

Internet-connected work phones pose some of the same security risks as your computers — and a few more.

Your company likely invests in security systems for its PCs and laptops, and trains employees on BYOD safety.

But what about your office phones?

If you’re using a VoIP system, (and odds are you are), then it’s easy to forget that you’re not just dealing with regular phones, but a complex system full of security risks. Here’s an overview of the dangers and what you need to do to be prepared.

The threat landscape

If you’re happy with your internet-based phone system, you’re not the only one.

Hackers love VoIP. It was developed before broadband and modern cybersecurity threats. Though most providers now offer security, the service has traditionally lagged behind its computer-based peers in safety measures, and is scrambling to catch up.

Why would anyone want to hack into your phone system?

Perhaps you think your company is too small or low-profile to attract attention from hackers — but don't count on it. Hackers are like burglars: They aren’t necessarily looking for the richest house on the block, but the easiest to break into.

The internet makes it easy for them. Many hackers use Shodan, which has been described as “the world’s most dangerous search engine,” because it describes the IT characteristics and weaknesses of sites that can be hacked.

So what can you do to protect yourself?

Make sure your VoIP provider offers multiple layers of security. Here are some protocols your IT manager should ask about:

• Antivirus Protection: You wouldn’t let your computers run without it, and you should apply the same thinking to your phones.

• Password Authentication: The system uses passwords, and a user must input the correct one for the call to go through.

• Three-Way Handshake: Adds a third layer to the password system for more security.

• Secure Real-Time Transport Protocol (SRTP): Real time encryption of voice streams. This adds cost and can cause delays in transmission, but given the magnitude of the threat, it may be worth the tradeoffs.

• Transport Layer Security (TLS): Encrypts the types of messages that can lead to DoS attacks.

• Deep Packet Inspection (DPI): Blocks unauthorized incoming data packets.

• Session Border Controller (SBC): Guards the protocols that control voice calls, keeping them safe and ensuring high quality.

Besides installing security measures, you should regularly audit your VoIP system for suspicious activity and disallow calls to countries you don’t do business with.