VoIP is the new cure for bloated phone bills. With its integration into IT networks and the Internet, it bypasses the conventional world of telephony. It opens up a whole new world of phone functions to users – and a whole new opportunity for hackers and cybercriminals. That’s not to say that hacking phones could not be done before. Phone ‘phreaking’ was already in full swing when arch-hacker Kevin Mitnick was convicted in 1999 – and denied access to any phone because of his dangerous phone-hacking abilities. But VoIP now adds most if not all the possibilities of software viruses and other malware, and multiplies the methods of attack.
Examples of VoIP Gone Wrong
Hacking VoIP systems isn’t just for the fun of it or for nefarious actions like spoofing (masquerading as someone else) or swatting (making emergency calls that appear to have originated at the addresses of celebrities). VoIP hackers are also out to make money – a lot of it – at the expense of the VoIP user. Extortion is one way. By penetrating a VoIP network and its software, criminals have successfully held different organizations to ransom by blocking their VoIP systems until money was paid. The hackers avoid being caught by having the money paid to a debit card that allows them to withdraw the money as cash from an ATM. Huge phone charges are another. The hacker diverts an organization’s calls to links charging premium rates and is paid commission by the link provider.
A Victim of Its Own Strengths
VoIP as a web technology gives users mobility and anonymity. Software-controlled VoIP phones can be programmed for specific user requirements, and therefore hacked. A hacked VoIP phone can then ‘infect’ neighboring VoIP phones, and so on. Hackers working from VoIP phones themselves can attach to networks via any Internet connection available, without being tracked. Microphones and webcams in VoIP phones can be remotely activated in order to eavesdrop on conversations and meetings in the same room. In extreme cases, financial losses related to illicit use of a company’s VoIP connections have forced the company concerned out of business.
Seek to Understand, then Protect
VoIP operators don’t offer much in the way of user safeguards or reimbursement if hackers use them to generate expensive calls. If the calls are logged as originating from your organization, then typically your organization must pay for those calls. Companies and their IT departments need to be aware of potential exposure to hacking and protective measures that can be put in place. These can include blocking calls made via expensive links (satellite links in particular) and alerts in case your VoIP phone bill suddenly starts to climb sharply.
It Often Starts with Footprinting
While hackers are continually discovering new ways to attack VoIP systems, there are some established favorite approaches. Also known as ‘footprinting’, these techniques rely on information that unsuspecting VoIP users make publicly available. Examples include advertising job vacancies that require experience in a particular VoIP vendor’s technology. Hackers can search the Net for such adverts, track down the organization concerned if an obvious email or street address is given, and set to work testing for any known vendor weaknesses in the equipment being used. Keeping systems up to date with the latest, most secure versions and avoiding broadcasting information potentially useful to hackers are not the only precautions to be taken, but they are a good place to start.