Can your office phones be hacked?

by Teresa Meek


Overview of the dangers of using a VoIP system, and what you need to do to be prepared.

Internet-connected work phones pose some of the same security risks as your computers — and a few more.

Your company likely invests in security systems for its PCs and laptops, and trains employees on BYOD safety.

But what about your office phones?

If you’re using a VoIP system (and odds are you are), it’s easy to forget that you’re dealing not just with regular phones, but with a complex system full of security risks. Here’s an overview of the dangers and what you need to do to be prepared.

The threat landscape

If you’re happy with your internet-based phone system, you’re not the only one.

Hackers love VoIP. It was developed before broadband and modern cybersecurity threats. Though most providers now offer security, the service has traditionally lagged behind its computer-based peers in safety measures, and is scrambling to catch up.

Why would anyone want to hack into your phone system?

For hackers, it can be a gold mine. Here’s just a partial list of things they can do:

  • Eavesdropping or Sniffing: It’s surprisingly easy for hackers to listen in on your calls and record them to spy on your company. Once in, they can gain control of your mailbox, call forwarding, and caller ID to launch more complex attacks.
  • Vishing (voice phishing): The hacker makes a recorded call purporting to be from a source you trust — your bank, for example — to get you to divulge account information.
  • Caller ID Impersonation: The hacker steals the caller ID number of your bank and makes a live call using it, asking you to “verify” financial information.
  • Call Fraud, Toll Fraud, or Spam over Internet Telephony (SPIT): Very lucrative for a hacker, who taps into your VoIP line and uses it to make high-volume spam calls to foreign countries.
  • Denial of Service (DoS) Attack: The hacker floods your server with data, using up bandwidth. A DoS attack can cause your connection to deteriorate or be shut off completely.
  • Inserting Viruses and Malware: Just like office computers, your internet phones are vulnerable to programs that can track keystrokes, destroy information or instruct the phone to make spam calls.

Perhaps you think your company is too small or low-profile to attract attention from hackers — but don't count on it. Hackers are like burglars: They aren’t necessarily looking for the richest house on the block, but the easiest to break into.

The internet makes it easy for them. Many hackers use Shodan, which has been described as “the world’s most dangerous search engine,” because it describes the IT characteristics and weaknesses of sites that can be hacked.


So what can you do to protect yourself?

Make sure your VoIP provider offers multiple layers of security. Here are some protocols your IT manager should ask about:

  • Antivirus Protection: You wouldn’t let your computers run without it, and you should apply the same thinking to your phones.
  • Password Authentication: The system uses passwords, and a user must input the correct one for the call to go through.
  • Three-Way Handshake: Adds a third layer to the password system for more security.
  • Secure Real-Time Transport Protocol (SRTP): Real-time encryption of voice streams. This adds cost and can cause delays in transmission, but given the magnitude of the threat, it may be worth the tradeoffs.
  • Transport Layer Security (TLS): Encrypts the types of messages that can lead to DoS attacks.
  • Deep Packet Inspection (DPI): Blocks unauthorized incoming data packets.
  • Session Border Controller (SBC): Guards the protocols that control voice calls, keeping them safe and ensuring high quality.

Besides installing security measures, you should regularly audit your VoIP system for suspicious activity and disallow calls to countries you don’t do business with.
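One way to run that audit over exported call records, as an added example that is not from the original article or any vendor: it flags calls to destinations outside an allowed-prefix policy and bursts of calls from a single extension. The CSV layout, policy, thresholds and sample records are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy: dialing prefix -> allowed? The longest matching prefix wins,
# so a premium-rate range can be carved out of an otherwise allowed prefix.
POLICY = {"+1": True, "+44": True, "+1900": False}
BURST_CALLS = 3                      # assumed threshold: calls per extension...
BURST_WINDOW = timedelta(minutes=5)  # ...within this window

# Constructed sample call records (hypothetical CSV layout, not a vendor format).
SAMPLE_CDR = """start,extension,dialed,seconds
2024-03-02T02:10:05,204,+99925550100,610
2024-03-02T02:11:40,204,+99925550101,598
2024-03-02T02:12:55,204,+99925550102,605
2024-03-02T09:30:00,117,+14155550123,120
2024-03-02T10:05:00,117,+19005550199,45
2024-03-02T11:00:00,131,+442079460000,300
"""

def destination_allowed(number, policy=POLICY):
    """Apply the longest matching prefix; unknown destinations are denied."""
    matches = [p for p in policy if number.startswith(p)]
    return policy[max(matches, key=len)] if matches else False

def audit(cdr_text):
    """Return (reason, extension, dialed, start) findings for review."""
    findings, recent = [], defaultdict(deque)
    rows = sorted(csv.DictReader(io.StringIO(cdr_text)), key=lambda r: r["start"])
    for row in rows:
        start = datetime.fromisoformat(row["start"])
        ext, dialed = row["extension"], row["dialed"]
        if not destination_allowed(dialed):
            findings.append(("blocked-destination", ext, dialed, row["start"]))
        window = recent[ext]          # recent call times for this extension
        window.append(start)
        while start - window[0] > BURST_WINDOW:
            window.popleft()          # drop calls older than the window
        if len(window) >= BURST_CALLS:
            findings.append(("call-burst", ext, dialed, row["start"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CDR):
        print(*finding)
```

The default-deny rule matters here: a destination with no matching prefix is reported rather than silently passed, which is the behavior you want when the policy is a list of countries you do business with.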

