If you go to Google (News - Alert) and type in “hacking VoIP phone systems,” it can be depressing. The first is the number of entries. Second and third are how long this has been a problem, and the fact that no vendor seems immune. And, because of its IP PBX market leadership you will see that Cisco (News - Alert) has a big target on it but they are not alone.
For example, last year, the HackLabs cracking demonstration of a VoIP hacking workshop at the AusCERT security conference in Australia, featured a Cisco phone being compromised. The demo showed how virtually any VoIP phone remains vulnerable to popular hacking techniques which means that:
- Call data can be downloaded
- VoIP conversations can be redirected, illegally recorded or similarly manipulated
Bjoern Rupp, GSMK CryptoPhone's CEO, noted at the time that VoIP phone systems could become networked listening devices, wire tapped remotely or silenced. His point was that VoIP phones are purpose-built computers and therefore need to be protected, just like other computers and currently they come up lacking. They have been, as the Google search points out, for quite some time even as the nature of the security weak spots have evolved.
The latter point was highlighted by a demonstration at the recently held Amphion Forum conference by fifth year grad student Ang Cui from the Columbia University Intrusion (News - Alert) Detection Systems Lab. Using a Cisco phone, he demonstrated that by removing a small external circuit board from the phone’s Ethernet port anyone using a smartphone could capture every word spoken over that VoIP phone even though the VoIP phone was “on-hook.” And, the story gets worse.
According to Cui, not only was the secret in being able to patch the phone’s software with arbitrary pieces of code enabling him to turn the Off-Hook Switch into what he called a “funtenna,” he also claimed he could also do this remotely and without the need to insert a circuit board at all.
It probably does not need to be said, but once one phone is compromised the potential is there for the entire phone network to be so as well. It probably also should go without saying that this means all of the elements of your VoIP solution, not just the phones, need to be following best practices to mitigate the risks of security problems.
In fact, it is for this reason that when dealing with vendors of VoIP solutions you need to make sure they are providing great support. For example, Patton, who provides a comprehensive set of VoIP routers and gateways, has lifetime free basic support for its hardware like the SmartNode™ VoIP solutions, free upgrades for the software, as well as a premium support package. Whomever the vendor, training and consultative services need to be on your consideration list, since clearly when it comes to VoIP it is better to be safe than sorry.
Want to learn more about the latest in communications and technology? Then be sure to attend ITEXPO Miami 2013, Jan 29- Feb. 1 in Miami, Florida. Stay in touch with everything happening at ITEXPO (News - Alert) (News - Alert). Follow us on Twitter.
Edited by Peter Bernstein