The risks associated with unsecured VoIP calls
- Published: Tuesday, 02 June 2015 07:21
Paul German, CTO & Founder, VoipSec, calls on companies to wake up to the threats related to VoIP before it is too late.
VoIP may deliver great savings over traditional telephony, but with call-jacking over unsecured lines costing UK businesses – not the telephony providers – around $1.2 billion a year, the cost/benefit argument is perhaps more complex than many SMEs realise. Whether unaware of the risk or simply unable to afford expensive traditional VoIP security, far too many companies are leaving this critical aspect of the infrastructure wide open - and are undermining the investment in the rest of the data security architecture.
Understanding the risks
The UK’s SMEs are increasingly using Voice over Internet Protocol (VoIP) in order to cut call costs. Alongside cloud computing, VoIP is a key component in today’s flexible, low cost infrastructure that is supporting business agility and growth. Yet while businesses are increasingly confident to deploy these technologies, far too many are failing to understand the associated risks. The clue is in the name – Internet Protocol. VoIP is not just a lower cost telephone system; it is using the Internet data connection to provide a voice service - and should be treated as such in terms of security and usage policies.
Only the most naïve companies would ignore the need for firewalls and anti-virus and all the other essential products required for a robust, multi-layered data security model on the core infrastructure. So why are most companies blithely deploying VoIP without even considering the security implications?
The result is a door wide open onto the server, which is used to host the VoIP service – the same one that is probably used for the rest of the business (indeed, the voice function may actually be integrated with essential applications such as ERP) – and a fundamentally compromised business infrastructure.
In fact, the risk goes far beyond hackers using this unsecured route into the business to access corporate data; the biggest problem associated with VoIP today is so called toll fraud, or more to the point, call jacking. Essentially, a hacking team sets up a number of premium rate lines, typically the 0900 numbers often located in the Philippines or Malaysia; gains access to an unsecured VoIP network; and sets up automated dial-ups to these £5 per minute numbers. And while the network operator takes some of that call revenue, the hackers are typically raking in around 60 percent: a pretty nice earner that leaves the SME with a bill which can run into the £10,000s.
Typically these events occur over a weekend, which means they are extremely unlikely to be detected in time – and in some cases companies do not discover the problem until the bill arrives at the month end. Who pays the bill? Check the small print: the telephone network provider has no liability in such cases; it is all down to the SME – although most providers will work out a payment plan rather than demand the full sum up front. Either way, a single weekend’s call jacking can leave a business facing a debt that could easily tip it over the edge.
This is a problem that is widely recognised. Indeed the Communications Fraud Control Association’s (CFCA) Global Fraud Loss Survey attributed $8 billion a year to toll fraud globally: and $1.2 billion of that is in the UK. Given the huge global impact and wide recognition of this problem, why are providers failing to mention this risk when presenting the compelling benefits of VoIP? Why are resellers not bundling security solutions into the overall product set?
The answer is, quite simply, cost. VoIP connections can be secured, of course, using a Session Border Controller (SBC) which acts as a voice firewall. However, traditionally these voice firewalls have been expensive solutions that require dedicated hardware implementation. As a result, SMEs aware of the risk have generally ignored it; while resellers have felt compelled to downplay the risk because bundling security into the VoIP package resulted in an uncompetitive offer.
Add in the fact that the VoIP purchase often falls between two teams - the voice team responsible for telephony and the data or networking team responsible for the data infrastructure – and it is perhaps less surprising that the security risk associated with VoIP has gone under the corporate radar. While the data team would not dream of implementing any technology without considering the security implication; the voice team has had to worry about nothing more than the small risk of mobile phone hacking – security just isn’t on the agenda.
Organizations have got to change their thinking. They need to challenge the VoIP providers to provide an accurate picture of the true cost/risk argument and demand that the reseller community begins to explore the latest generation of lower cost cloud-based voice firewall products now available.
The good news is that in a business environment awash with unsecured VoIP connections, any hacker will be deterred by even the most basic security solutions and will rapidly move on to an easier target.
Furthermore, once the voice firewall is in place, an SME has the foundation for the multi-layered security model required for every aspect of the infrastructure, including voice. This includes determining how VoIP should be used, what polices should be implemented to improve control over the environment and deploying application level security to implement these policies quickly and effectively. Essentially, the voice firewall is the foundation for the defence-in-depth model that has been applied to secure data networks over the last decade.
VoIP is hugely compelling and with the rise in excellent broadband connections, growing numbers of SMEs are opting for this low cost approach. However, any Internet related deployment demands security – and it is only by applying the same level of rigour to voice security that has become standard practice across data networks that SMEs will truly gain the value of VoIP without running the risks of business damaging breaches or call jacking.