Can your office phones be hacked?

by Teresa Meek

Summary

Overview of the dangers of using a VoIP system, and what you need to do to be prepared.

Read time: 4 minutes

Internet-connected work phones pose some of the same security risks as your computers — and a few more.

Your company likely invests in security systems for its PCs and laptops, and trains employees on BYOD safety.

But what about your office phones?

If you’re using a VoIP system, (and odds are you are), then it’s easy to forget that you’re not just dealing with regular phones, but a complex system full of security risks. Here’s an overview of the dangers and what you need to do to be prepared.

The threat landscape

If you’re happy with your internet-based phone system, you’re not the only one.

Hackers love VoIP. It was developed before broadband and modern cybersecurity threats. Though most providers now offer security, the service has traditionally lagged behind its computer-based peers in safety measures, and is scrambling to catch up.

Why would anyone want to hack into your phone system?

It’s surprisingly easy for hackers to listen in on your calls and record them to spy on your company. Once in, they can gain control of your mailbox, call forwarding, and caller ID to launch more complex attacks.

For hackers

For hackers, it can be a gold mine. Here’s just a partial list of things they can do:

Eavesdropping or Sniffing: It’s surprisingly easy for hackers to listen in on your calls and record them to spy on your company. Once in, they can gain control of your mailbox, call forwarding, and caller ID to launch more complex attacks.
Vishing (voice phishing): The hacker makes a recorded call purporting to be from a source you trust — your bank, for example — to get you to divulge account information.
Caller ID Impersonation: The hacker steals the caller ID number of your bank and makes a live call using it, asking you to “verify” financial information.
Call Fraud, Toll Fraud, or Spam over Internet Technology (SPIT): Very lucrative for a hacker, who taps into your VoIP line and uses it to make high-volume spam calls to foreign countries.
Denial of Service (DoS) Attack: The hacker floods your server with data, using up bandwidth. A DoS attack can cause your connection to deteriorate or be shut off completely.
Inserting Viruses and Malware: Just like office computers, your internet phones are vulnerable to programs that can track keystrokes, destroy information or instruct the phone to make spam calls.

Perhaps you think your company is too small or low-profile to attract attention from hackers — but don't count on it. Hackers are like burglars: They aren’t necessarily looking for the richest house on the block, but the easiest to break into.

The internet makes it easy for them. Many hackers use Shodan, which has been described as “the world’s most dangerous search engine,” because it describes the IT characteristics and weaknesses of sites that can be hacked.

So what can you do to protect yourself?

Make sure your VoIP provider offers multiple layers of security. Here are some protocols your IT manager should ask about:

Antivirus Protection: You wouldn’t let your computers run without it, and you should apply the same thinking to your phones.
Password Authentication: The system uses passwords, and a user must input the correct one for the call to go through.
Three-Way Handshake: Adds a third layer to the password system for more security.
Secure Real-Time Transport Protocol (SRTP): Real time encryption of voice streams. This adds cost and can cause delays in transmission, but given the magnitude of the threat, it may be worth the tradeoffs.
Transport Layer Security (TLS): Encrypts the types of messages that can lead to DoS attacks.
Deep Packet Inspection (DPI): Blocks unauthorized incoming data packets.
Session Border Controller (SBC): Guards the protocols that control voice calls, keeping them safe and ensuring high quality.

Besides installing security measures, you should regularly audit your VoIP system for suspicious activity and disallow calls to countries you don’t do business with.

Keep your business and critical information secure...

Take measures to ensure your phone communication is as safe as...

Learn about Cloud VoIP Services

Recommended for you

Defining Hacking & 11 Essential Hacking Terms

What is hacking? Learn about hacking threats and 11 essential hacking terms to protect your data, your business & your employees against cyberattacks.

Data Risk Assessment Checklist

Learn how to conduct a content risk assessment, identify critical data that is exposed and put a plan in place to avoid security breaches.

Digital Forensics for Kramon & Graham

Learn how Ricoh's Digital Forensics Services helped Kramon & Graham recover $8.5 million through a default judgment, prove data wiping and spoliation of ESI.