by Charles Patterson
Patterson Communications, Inc.
www.execsecurity.com
VOIP vulnerability and disaster recovery
We’ve had a busy schedule here in the New York area since Hurricane Sandy hit. A few of our clients lost their entire offices due to flooding from the Hudson River and had to relocate. We have been spending many hours helping some of them get their phone systems situated and back on line.
One of our clients’ entire office (60 employees) was under four feet of water and they quickly had to relocate to a temporary facility a few miles away. To keep their business operational they signed up with a VOIP hosted phone provider who was able to give them phone service at their new office in a very short period of time. This was great for their quick recovery from the disaster. In helping them set up their new phones, though, we discovered a serious security vulnerability in their system.
VOIP phone services
If you are not familiar with hosted VOIP phone services, they provide dial tone and phone equipment that work over an internet connection. The call processing and all voicemail features are all handled off site at the provider’s server locations. With hosted services, all you need in order to have phone lines working is a strong, solid internet connection. Even if your own power or internet is down, your calls will still be answered by your voicemail and can be forwarded to cell or other numbers as a backup since the calls are processed at the provider’s locations. Configuration of your system is also taken care of through a web based interface from any internet connection. Every phone unit plugs into your computer network and connects over the internet to the host VOIP server which is located at the provider’s site.
Many VOIP providers have arisen in recent years, a quick search of the internet will identify dozens of them. In my discussions with a number of them it appears that they are originally IT companies and do not have a lot of experience in the telecom world. They are quickly trying to implement requested features into their systems but often without an understanding of the need for securing access to some of these features.
Live monitoring, a.k.a. eavesdropping threat
One common feature of modern phone systems is to allow live monitoring of calls. This provides call centers with groups of operators who are either answering calls, such as customer support lines, or who are making calls, such as telemarketing services, with the ability for a supervisor to listen in to the phone calls for quality control, training, or caller assistance. This feature can also be used for eavesdropping.
Traditional PBX systems usually have security features in place to help prevent unauthorized access to such monitoring. They usually involve various levels of access that can be assigned on a per station basis, or with other limitations. Of course, even on traditional PBX’s these features are a vulnerability that can be accessed by anyone with assigned authorization or with minimal phone hacking skills.
Lack of security
The provider of this new VOIP system we were working with also included the call monitoring feature. Their system provided access to monitoring to anyone with administrator level access. The admins have the ability to listen to any call in progress. The big problem was that there was only one level of admin, without any security controls. Admin level was assigned not only for the installer but for the IT department, and anyone who needed system level access such as for recording voicemail menus, assigning extension names, and other system maintenance adjustments, including the receptionist/office manager.
An additional concern was that all programming access, including the call monitoring, was done over a web based interface which meant it was accessible from anywhere over the internet.
The provider told me they were updating their programming features, and claimed they would have multiple admin levels in an upcoming release. It appeared to me they had wanted to be competitive in offering features their customers had desired and quickly added these features to their systems, but they had not considered the serious risks and vulnerabilities they were submitting their customers to.
All phone systems should to be checked for such vulnerabilities. A security audit of your telephone system, whether VOIP or traditional PBX will help reveal such features and whether they are vulnerable to exploitation, as well as identifying who might have access to such features. Before signing up with new services or providers, check if they have security features that help protect their systems from such abuse.
Charles Patterson is president of Patterson Communications, Inc.
Providing TSCM services and Communications Security Audits since 1996.
www.execsecurity.com