A recent report from the Australian press relates the story of a Perth company where hackers made 11,000 calls via the company’s VoIP system, running up a bill of AU$120,000 (£57,000). This figure ranks the incident among the most expensive documented toll-fraud attacks.
Do events like this throw the viability of this technology into doubt, or is this the wake-up call that is needed to force a more serious view of VoIP security?
To misuse a VoIP system in this way, an attacker needs to be able to do two things: connect to the targeted system and then make calls.
The first step is easy. There are a number of legitimate reasons why a VoIP system should allow external connections, for example to provide access to corporate phone services for home workers or roaming users.
The second step should be more of a challenge. Most network applications ensure that remote users are authenticated before access to sensitive services or data is granted, but many VoIP systems lack this control.
In the case of the Perth company, access controls were obviously missing or implemented in a way that made them completely ineffective. Sadly, this is not an isolated incident; there have been many examples of toll-fraud attacks on VoIP systems, and many VoIP networks lack effective controls against this kind of attack.
One of the more obvious pitfalls is assuming that a general-purpose firewall can provide effective security for a VoIP connection. This is simply not the case.
Just as web and email applications need specialist security controls to defend against application-specific threats and to provide authentication services and access controls for inbound connections, so VoIP systems need their own specific security controls. Without these controls, VoIP systems will continue to be targeted by toll-fraud and other equally serious attacks.
The lessons to be learned are that without appropriate security controls VoIP systems are vulnerable to attack, and that the risk of attack is real and carries a measurable financial cost. If your company has a VoIP system, a check on its security controls should be a priority.
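
One way to run such a check over call records, as an added example that is not part of the original article: it flags any source that connected from outside and placed calls without authenticating (the two steps described above), and any source whose call count or spend exceeds a cap. The record layout, internal address ranges, thresholds and sample data are all assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: address ranges treated as inside the corporate network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit_calls(lines, max_calls=50, max_spend=100.0):
    """Map each suspicious source IP to the list of reasons it was flagged.

    Each line is 'source_ip,authenticated,destination,cost' (hypothetical
    layout); max_calls and max_spend are illustrative thresholds.
    """
    stats = defaultdict(lambda: {"calls": 0, "spend": 0.0, "unauth": 0})
    for src, authed, _dest, cost in csv.reader(lines):
        s = stats[src]
        s["calls"] += 1
        s["spend"] += float(cost)
        if authed != "yes":
            s["unauth"] += 1
    findings = {}
    for src, s in stats.items():
        reasons = []
        # Both steps succeeded: an outside connection, then calls with no login.
        if is_external(src) and s["unauth"]:
            reasons.append("unauthenticated external calls")
        if s["calls"] > max_calls:
            reasons.append("call volume over limit")
        if s["spend"] > max_spend:
            reasons.append("spend over limit")
        if reasons:
            findings[src] = reasons
    return findings

# Constructed sample records (documentation address ranges, made-up costs).
SAMPLE = (
    ["10.0.0.15,yes,local-0001,0.20"] * 12          # office desk phone
    + ["198.51.100.20,yes,local-0002,0.20"] * 5     # authenticated home worker
    + ["203.0.113.7,no,premium-0001,10.90"] * 60    # unknown outside host
)

if __name__ == "__main__":
    for source, why in audit_calls(SAMPLE).items():
        print(source, "->", "; ".join(why))
```

The authenticated home worker is not flagged even though the connection is external, which is the distinction a general-purpose firewall rule on addresses alone cannot make.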