Phone System Security – Are You Sure?

Office phone systems can be a security and legal liability. Most office administrators don’t realize the extent of the risk and the ease of infiltration.

Phone communication used to be a service fully separate from the other facets of a company’s environment. The most we ever worried about telephone security was what we saw in spy movies: bugs and wiretapping.

Now telephony and data have merged into a unified communication system, with voice flowing over the same ethernet connections. Many phone systems integrate with CRM applications to provide a seamless experience across conversation and data access. With all this convergence, it’s time that every company pay attention to telephony with the same enthusiasm it gives to computers, firewalls, cloud, and mobile devices.

So, what kind of risks are there and how do you go about narrowing or closing those vulnerability gaps? The best way to get started is to consider the following:

1) The phone provider should fully understand telephony security and cybersecurity – Many telecom companies were started in the mid and late 1900s with some knowledge about phone systems and how to configure them. A lot have grown to embrace and make the shift into VoIP. However, some of these providers never learned about cybersecurity. Though VoIP data often passes over the same cabling as sensitive business data, the telecom provider might not have configured the VoIP system with the same level of security that has been applied to the data network. Before you sign up with a phone provider, check into their compliance and accreditation; for instance, they should be able to demonstrate SOC 2, HIPAA, and PCI compliance.

2) Keep your phone system firmware up to date – When we check networks for vulnerabilities, we often find phone-system-related vulnerabilities that exist only because the telecom provider has not regularly updated the firmware. For computers, auditors and examiners expect us to install updates almost immediately upon release. Sadly, there is no such expectation for the phone system, which leaves known security holes open to attack by the most novice of hackers.

3) Secure the voice traffic – The traditional phone system used POTS (Plain Old Telephone Service) lines. These analog lines carry audio signals that can be intercepted and listened to live. Similarly, with VoIP, if the voice traffic is not encrypted, a hacker can capture the packets on the network and play them back as audio. This is still extremely simple and requires no privileged access to the network. The solution is to encrypt the voice traffic both in transit and at rest. But be careful – some systems will say that they encrypt, but they might only encrypt the original handshake (the call signaling) and not the actual voice traffic. This is an example of Voice Over Misconfigured Internet Telephones – VOMIT.
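A practical way to tell "signaling encrypted" from "voice encrypted" is to look at the SDP body that the SIP call setup carries: the media line's transport profile says whether the audio will be plain RTP or SRTP. The following audit function is an added example written for this article, not code from any phone system or vendor; the two SDP offers it checks are constructed samples (the key material is a dummy placeholder), and a real check would run over SDP pulled from your own phone system's signaling.

```python
"""Check an SDP offer/answer (carried inside SIP signaling) for cleartext media.

SIP over TLS protects call setup only; the RTP audio that follows is protected
only if the SDP negotiates SRTP (an "SAVP" transport profile with keying via
a=crypto for SDES or a=fingerprint for DTLS-SRTP).
"""

# Transport profiles that negotiate SRTP rather than plain RTP
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def _split_sdp(sdp):
    """Return (session-level attribute lines, [(m= line, its attribute lines), ...])."""
    session_attrs, media = [], []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media.append((line, []))
        elif line.startswith("a="):
            (media[-1][1] if media else session_attrs).append(line)
    return session_attrs, media


def audit_sdp(sdp):
    """Return one (media type, transport profile, verdict) tuple per media stream."""
    session_attrs, media = _split_sdp(sdp)
    findings = []
    for m_line, attrs in media:
        fields = m_line[2:].split()          # "<media> <port> <proto> <fmt...>"
        mtype, profile = fields[0], fields[2]
        scope = attrs + session_attrs        # keying may be media- or session-level
        has_sdes = any(a.startswith("a=crypto:") for a in scope)
        has_dtls = any(a.startswith("a=fingerprint:") for a in scope)
        if profile not in SECURE_PROFILES:
            verdict = "CLEARTEXT"            # plain RTP: audio can be captured and replayed
        elif has_sdes or has_dtls:
            verdict = "SRTP"
        else:
            verdict = "SRTP profile but no keying"   # misconfigured; call will not set up
        findings.append((mtype, profile, verdict))
    return findings


def has_cleartext_media(sdp):
    """True if any stream in the offer would carry unencrypted voice."""
    return any(v == "CLEARTEXT" for _, _, v in audit_sdp(sdp))


# Constructed sample offers (not captured from any real system); key is a dummy value
CLEARTEXT_OFFER = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
                   "m=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\n")
SRTP_OFFER = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
              "m=audio 49170 RTP/SAVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
              "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40 + "\r\n")

if __name__ == "__main__":
    for name, offer in (("cleartext", CLEARTEXT_OFFER), ("srtp", SRTP_OFFER)):
        print(name, audit_sdp(offer))
```

A system that encrypts only the SIP leg will show up here as a TLS-protected call whose media line still reads RTP/AVP.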

4) Segment VoIP traffic – One of the many reasons to segment voice traffic from data traffic is security. With an increase in VoIP traffic hijacking, segmentation makes it easier to filter bad packets out of the voice traffic. Additionally, many bank examiners and auditors are asking about VoIP segmentation, which means it should be treated as an important security measure to apply.

5) Check with your telecom provider about some common vulnerabilities – In our scanning of network vulnerabilities, we have found the following three to be the most common and concerning with regard to phone systems.

/WEB-INF/ Information Disclosure Vulnerability (HTTP)
CVSS Score: 10
Comment: This is a major vulnerability, especially if the network has not been segmented, because it means the system is exposed to information leakage. As it pertains to phone systems, an attacker could potentially view sensitive information including, but not limited to, call logs, usernames, and phone numbers.

Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSL/TLS, D(HE)ater)
CVSS Score: 7.5
The remote SSL/TLS server supports Diffie-Hellman ephemeral (DHE) key exchange algorithms and thus could be prone to a denial of service (DoS) vulnerability.
Comment: While there is no risk of data being compromised, a DoS attack can render a branch, website, or even a whole company unable to perform necessary job functions.

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
CVSS Score: 5.9
Comment: These deprecated protocols have multiple security flaws and nearly all technology has moved away from using them. Keeping hardware and software/firmware up to date eliminates this type of vulnerability.

So, talk with your provider and make sure the system you have is secure. If you find yourself in need of a better solution, Forward In Technology, Inc. has the staff, services, and products to give you the best features and security in a unified communications solution with SOC 2, PCI, and HIPAA compliance.