Cyberthreats come in all shapes and sizes, whether they are individuals working to defraud someone on a small scale or state-sponsored cyberwarfare divisions that intend to disrupt life across the Western world. MSPs fulfil a vital role in securing businesses against these threats, especially when it comes to communications. After all, if your VoIP security is compromised, it means attackers have access to all your communications.
Are VoIP Phones Secure?
It depends on your vendor’s systems. Many VoIP phones are functionally secure, as in they are regularly updated and hard to break into. However, asking “are VoIP phones secure” is a tricky question because they depend on so many other aspects of your VoIP system. So let’s look at the common forms of cyberattack below to get an idea of how secure VoIP phones actually are.
Common Forms of Cyberattack
Different forms of VoIP security are effective against different forms of cyberattack, so it’s essential to understand how security specialists see the vulnerabilities in a system. In general, you can focus on one of these core areas of a VoIP system.
- Hardware
- Software
- Humans
VoIP Hardware
When it comes to VoIP hardware, you’re looking at the VoIP phones themselves and everything that attaches to them. A secure VoIP system ensures that the data that the phone sends is encrypted from start to finish and that the phone uses up-to-date firmware. But it doesn’t stop there. Every link in between needs to be secure, as well.
This means a secure VoIP system must take into account the router, the firewall, the servers through which the data goes and the end device. MSPs can’t control the final device (unless it’s internal or one of their own clients) but they can create a secure VoIP system that gives everyone the best chance of success.
Unfortunately, the growth of the Internet of Things has shown that it’s relatively easy to undermine hardware security, notably routers and cameras. Even connected kitchen appliances such as smart coffee machines can be used as an entry point into a network or to send malicious data as the firmware is rarely updated in these devices.
While there’s a bit more focus when it comes to VoIP security, all that work can be undone by compromised hardware elsewhere in the network. That’s why you need a solution that’s fully encrypted.
VoIP Software
In general, hardware is easier to hack because it’s often outdated. Software, however, should remain updated constantly… but of course, it doesn’t.
Sometimes, there can be issues with companies abandoning software, which is then gradually rendered less and less secure. Security by obscurity is not something that any business should rely on. A secure VoIP phone is great, but if the software that it transmits its messages through has been compromised (regardless of which end that happens), it’s not going to remain secure.
MSPs can always control the software their clients use, usually through good vendor selection and by ensuring that anything that’s end of life is upgraded to the best version. This is why software as a service is so important: it ensures that software always remains updated and not just for the first year. This is why good PBX security starts with a secure, updated software client that includes encrypted voice calls, as well as video and data.
Human Error
Unfortunately, you can buy the best VoIP phone you can afford, get the most secure VoIP system, and it can all be undone if the humans in the chain fall prey to a phishing scam.
Scammers will often try to obtain credentials through seemingly legitimate emails, and while spam systems do a good job of eliminating many of them, they’re not perfect. A good IT security system needs to limit information as much as possible, ensuring that even if someone is compromised, they can’t do too much damage.
This includes access to your VoIP system. Good VoIP network security, of course, means allowing for the human element, such as using 2FA/MFA to reduce password risk, ensuring that third-party devices are minimized via the use of a built-in SBC and salting and hashing stored passwords. But good VoIP network security also means training your staff to spot the signs of social engineering, encouraging them to report potential breaches (even if they caused them), and making sure that they can question seemingly legitimate emails or conversations that appear to pose a risk of a security breach (such as someone demanding user credentials).
It’s also essential to restrict access to those who don’t need it, even if they think they do. For example, it’s common for companies to provide high-level credentials to CEOs and other C‑suite executives, even when they don’t need them. This practice can heavily undermine security as CEOs have authority and can issue commands that are not always questioned. In addition, they often have the most public information available about them.
Combination Attacks
Most cyberattacks that cause damage use a mix of methods, of course.
As we saw with the 3CX attack in 2023, the initial point of weakness was that a developer for the company downloaded software had been compromised — human error. What then happened was the developer worked on projects while the attackers started to insert malicious code into software — creating compromised software. The QA for the software didn’t catch the compromised code, for whatever reason, and the result went into production. Thousands of users downloaded the compromised software, and they experienced a lot of stress and worry due to this failure of PBX security.
Worse, some customers blamed their MSPs for the security breach — many had to scramble to mitigate the fallout.
A less publicized issue was the fallout over Yealink phones, some of which were apparently sending data back to Chinese servers. This was an example of potentially compromised hardware. It’s hard to know for sure whether VoIP security on these phones was actually compromised, but it didn’t look good for Yealink. Questions were raised in the US Congress, demanding to know whether calls in US departments were being intercepted.
Almost as bad was the end-user license agreement that forced users to agree to accept Chinese law, so there was very little recourse should a business or a government experience an issue.
The compromised hardware could potentially result in compromised software, should it be used as an attack vector, or it could intercept a call containing sensitive data (human error).
Why Cyberattackers Compromise VoIP Security
There are three key reasons why cyberattackers compromise VoIP security:
- Monetary gain
- To cause disruption
- Because they can
The first two are broadly linked: there’s some sort of gain to hacking or breaking into a VoIP system. Ransomware is the classic method of crippling an entire network by locking out computers using software. This software is notoriously hard to crack, and it often encrypts the contents of any storage, rendering it impossible to recover. Typically, ransomware victims have to pay a fee if they don’t have good backups to (maybe) get their data back. In some cases, however, the fee is paid and they never get their data back.
Alternatively, they may seek to move money into offshore accounts, where it will be moved around the world into their accounts. This could be as simple as persuading a customer to place an order with the money going to an account they control. If they have access to an unsecured VoIP system, this could be very easy — especially when the company does not follow VoIP security best practices.
In many cases, particularly where hackers are sponsored by a state, the aim is to cause disruption, not to profit financially. This is because certain states such as Russia aim to disrupt Western companies to sow discontent. It’s all part of an information war by Russia (and other countries), which both Germany and Ukraine have experienced recently. By disrupting tech in general (including VoIP systems), they hope to create problems around the world, disturbing the pace and flow of life. It doesn’t matter that the systems might be for hospitals, schools and local authorities that are simply trying to make people’s lives better.
And then you have people who aim to break systems just because they can. These are usually individuals who are bored, have an interest in breaking into systems and want to test themselves. In the ’80s and ’90s, they likely would’ve been called phreakers (if they were hacking physical phone systems — of course, there’s a whole discussion on VoIP vs landline security). Now they’re simply hackers.
Typically, they aim to get into a system and out again, perhaps with some random data. While they don’t usually cause too much damage, it’s always concerning when an unauthorized person accesses your accounts.
How Do You Make a Secure VoIP System?
Create a secure VoIP system with encrypted voice calls (and video and data), use a system with MFA or 2FA as well as single sign-on enabled by default and make sure that it allows intrusion detection and monitoring. These are just the start of VoIP security best practices, though.
Any PBX security system will need reporting, salting and hashing of passwords, heavily encrypted traffic from start to finish and DoS protection.
But there also needs to be staff training to recognize how to avoid common (and many less-common) scams. Those asking “is VoIP secure” will always get the answer “it depends” — and that’s because it depends on the system and the company ethos. Those with good training will greatly enhance their VoIP security, and the answer to the “is VoIP secure” question will be “Yes.” Those who don’t offer good training may find themselves in trouble.
How MSPs Benefit From Secure VoIP Systems
MSPs and their clients need good VoIP security, especially as VoIP gradually becomes more prevalent (thanks to multiple copper cut-offs, the VoIP vs landline security question isn’t even relevant anymore). Through a secure VoIP telephony package that includes Wildix, they can keep their customers safe and their reputations protected. After all, the 3CX breach was a major issue for MSPs because suddenly MSP reputations were on the line, and the breach was widely reported.
The key problem is the fact that cheap solutions often aren’t well-optimized to beat a moderately competent hacker. And big clunky companies that don’t necessarily focus on VoIP may not have the best processes when it comes to plugging holes in their systems. However, they often have more resources to do so than low-cost Asterisk-based solutions.
Ultimately, the way to ensure good VoIP security is to use a good solution such as Wildix that puts security first. This way, your MSP is protected, your customers are protected and your reputation is protected.
For more insights on tech and cybersecurity, subscribe to receive our magazine for free!