TEST to main content First level navigation Menu
hand dialing keypad on phone

Can your office phones be hacked?

by Teresa Meek
 

Internet-connected work phones pose some of the same security risks as your computers — and a few more.

Your company likely invests in security systems for its PCs and laptops, and trains employees on BYOD safety.

But what about your office phones?

If you’re using a VoIP system, (and odds are you are), then it’s easy to forget that you’re not just dealing with regular phones, but a complex system full of security risks. Here’s an overview of the dangers and what you need to do to be prepared.

​​It’s surprisingly easy for hackers to listen in on your calls and record them to spy on your company. Once in, they can gain control of your mailbox, call forwarding, and caller ID to launch more complex attacks.

The threat landscape

If you’re happy with your internet-based phone system, you’re not the only one.

Hackers love VoIP. It was developed before broadband and modern cybersecurity threats. Though most providers now offer security, the service has traditionally lagged behind its computer-based peers in safety measures, and is scrambling to catch up.

Why would anyone want to hack into your phone system?

For hackers, it can be a gold mine. Here’s just a partial list of things they can do:


  • Eavesdropping or Sniffing: It’s surprisingly easy for hackers to listen in on your calls and record them to spy on your company. Once in, they can gain control of your mailbox, call forwarding, and caller ID to launch more complex attacks.
  • Vishing (voice phishing): The hacker makes a recorded call purporting to be from a source you trust — your bank, for example — to get you to divulge account information.
  • Caller ID Impersonation: The hacker steals the caller ID number of your bank and makes a live call using it, asking you to “verify” financial information.
  • Call Fraud, Toll Fraud, or Spam over Internet Technology (SPIT): Very lucrative for a hacker, who taps into your VoIP line and uses it to make high-volume spam calls to foreign countries.
  • Denial of Service (DoS) Attack: The hacker floods your server with data, using up bandwidth. A DoS attack can cause your connection to deteriorate or be shut off completely.
  • Inserting Viruses and Malware: Just like office computers, your internet phones are vulnerable to programs that can track keystrokes, destroy information or instruct the phone to make spam calls.
Perhaps you think your company is too small or low-profile to attract attention from hackers — but don't count on it. Hackers are like burglars: They aren’t necessarily looking for the richest house on the block, but the easiest to break into.

The internet makes it easy for them. Many hackers use Shodan, which has been described as “the world’s most dangerous search engine,” because it describes the IT characteristics and weaknesses of sites that can be hacked.

Keep track of your critical information and keep your business secured

Take all the measures to ensure your phone communication is as safe as your electronic data.

So what can you do to protect yourself?

Make sure your VoIP provider offers multiple layers of security. Here are some protocols your IT manager should ask about:


  • Antivirus Protection: You wouldn’t let your computers run without it, and you should apply the same thinking to your phones.
  • Password Authentication: The system uses passwords, and a user must input the correct one for the call to go through.
  • Three-Way Handshake: Adds a third layer to the password system for more security.
  • Secure Real-Time Transport Protocol (SRTP): Real time encryption of voice streams. This adds cost and can cause delays in transmission, but given the magnitude of the threat, it may be worth the tradeoffs.
  • Transport Layer Security (TLS): Encrypts the types of messages that can lead to DoS attacks.
  • Deep Packet Inspection (DPI): Blocks unauthorized incoming data packets.
  • Session Border Controller (SBC): Guards the protocols that control voice calls, keeping them safe and ensuring high quality.

Besides installing security measures, you should regularly audit your VoIP system for suspicious activity and disallow calls to countries you don’t do business with.

 
Teresa Meek
Teresa Meek is a Seattle-based writer with 15 years’ experience in journalism. She has covered business, technology, health and culture, and has written for The Miami Herald, Newsday, The Baltimore Sun and The Seattle Times. She has also worked with a number of corporate clients, including Coca-Cola, Delta Airlines, JPMorgan Chase and Microsoft.