Several articles related to VoIP fraud have appeared across the Internet in 2015. Most of them have been horror stories, where businesses have lost thousands of dollars due to this type of illegal activity.
In this article we will provide a few examples of VoIP fraud that have occurred recently and list some of the most common ways that hackers will attempt to break into your phone system. Finally, we will discuss some VoIP security methods to prevent such fraudulent activity.
What is VoIP Fraud?
This is one issue where "fraud" is quite broad in terms of what is affected and the correlating consequences. The UK-based, cyber security company known as Nettitude produced a good whitepaper that explains the various ways VoIP services are misused or hijacked. Essentially, the most common issue identified is where an unauthorized user gains access to a phone system and then uses it for personal gain.
Hackers attempt to exploit various levels of any given architecture. The severity of the damage depends on where the exploiter ultimately gains access. Sometimes this simply means an insecure line is used to make calls at the customer's expense. Other times, an entire system compromise yields devastating effects.
The saying "crime is often a result of opportunity" may qualify as cliché, but it certainly applies to many situations under the umbrella of VoIP fraud. A variety of methods may be used by a hacker to gain access to a system and utilize anywhere from a portion of a service to total control of a Private Branch eXchange (PBX) or service account.
A VoIP system can exist on a network in a variety of incarnations. It can be a physical host behind a simple firewall, a virtual machine on a cloud based Operating System (OS) or an on demand solution where devices link directly to a service provider. The integrity of any of the above network infrastructures denotes how an attack may occur.
What this means for the person that acts as the administrator for the phone system, is that vigilance is necessary for protecting a system at every level. Flaws from a poorly thought out security model create varying degrees of harm. An exploited system could become a major financial burden, depending on policies from a back-end service provider and could damage reputation with clientele.
This year, a few notable occurrences of VoIP hacks have taken place, placing a major burden on the companies affected. In a very short time, a compromised system can generate an exorbitant financial impact.
In one instance, an architecture firm in Georgia, called Foreman Seeley Fountain Architecture, was hit by hackers who racked up a huge bill on the company's dollar. In just a single weekend, approximately $166,000 worth of calls were made overseas, an amount that would have taken roughly 34 years for the firm to do on its own!
In March 2015, the brand of residential broadband gateways known as BT Home Hubs (which is popular in the UK) was targeted by hackers. Some disagreement over the root cause of the actual fault manifested between an independent IT consultant and the manufacturer. Regardless of the actual cause, some users with a PBX connected through the broadband gateway experienced the devastation of a compromised VoIP system.
Sadly, these situations happen to some degree almost every day. Ever since VoIP became a viable technology for communication, exploits have taken advantage of users and it will continue to happen. However, with a little vigilance, these issues are preventable.
Common Attacks and Preventable Measures
Pointing fingers seems to help some with the aggravation but in reality, this does not yield any quantitative result. When a service provider has fault, it is important, for the sake of discussion, to give complete details and records of incidents so a quick resolution can be achieved before others are also affected.
Most commonly, a breached PBX is because a user (really, an administrator) did not follow the best practices to establish a secure system. Sure, faults occur at every layer of network but ultimately, responsibility to create a secure set-up falls on whoever provisions the phone system.
Common sense is the first line of defence against any kind of network breach. For example, as painful as it may be to utilize unique, complex passwords, this is one of the best methods to prevent unauthorized access and service abuse of any account or resource. Consider using a reputable password manager if this seems bothersome or at least retain passwords such that they are invisible to others (i.e. pen and paper and hide the document in a locked drawer!)
Below, we identify common VoIP service models and the most common ways each is exploited. Beyond that, we look at other ways VoIP fraud occurs and possible ways to identify and prevent malicious activities.
IP Authentication SIP Provider
A service provider that utilizes IP authentication is one that uses unique public (i.e. Internet-facing) IP addresses for authentication. Providers of SIP services such as VoIP Innovations use this method. It will provide you with their IP addresses for origination and termination of traffic so you can "whitelist" them in your PBX Firewall. In other words, you only allow your external gateway traffic to communicate with these IP addresses. Similarly on the provider side, you give them the IP address of your server so that only traffic sent to and from your server is permissible for your account.
How it is Exploited
The Whitelist scheme can be exploited in a couple of different ways. The first of which is when someone is able to access your provider account and inputs their own public IP address to the ACL (Access Control List) of allowed addresses. This allows that person and whoever has a device registered with the attackers system to make calls at your expense. Likewise, if a hacker can gain access to your PBX, say due to poor password credentials, they can create extensions for their devices and because this traffic routes from your server the SIP provider is happy to accept it since it came from your IP address.
Some systems become compromised because a company or residence uses a dynamic public IP and not a static IP address. Most providers will usually offer a static IP with business class service but most residential services do not offer this feature and are restricted to dynamic IPs only. Dynamic IPs can change at any given point and usually during certain scenarios like when an Internet gateway is unplugged for short time. If the old IP remains on the provider’s whitelist, someone else could potentially acquire this address and utilize your account, though it is relatively rare.
How to Prevent Fraud
Preventing others from gaining access to your account is like almost any other web based service, whether it be Facebook, Netflix etc. Use a secure email and password combination for your account. The same can be said for the email address used to register with the provider. Someone with access to your email may be able to utilize a password reset process and gain control of your account.
Realistically, it is not common for someone to hi-jack an old IP address and especially a current IP address (except in a DoS attack, which we will cover a little later.) However, a chance still exists so it is best to either purchase a static IP or if using a residential Internet service, check your account frequently and see if your provider can set-up alerts if the registered IP suddenly changes.
Registration Based SIP Provider
A registration based provider requires a packet-based authentication mechanism to be successfully completed before communication is allowed from a PBX gateway, or indeed a phone. Any computer or device with the correct credentials for user name and password can utilize this service. Flowroute is a SIP provider that requires registration, though it also has the option to use IP address authentication.
How it is Exploited
Packets are sent to the PBX and the SIP registrar with account credentials for the user and/or device attempting to connect a call known as an AOR (Address of Record.) This information may be captured at some point during transmission and may be later used by an unauthorized user.
How to Prevent Fraud
In "the wilds" of the Internet, certain programs are lurking for commonly used ports such as 5060 and 5061. When a program finds a machine with these ports open, it investigates. In some cases, changing the port used for SIP transmissions will reduce the risk of being located by lurking bots.
It may be worth employing TLS (Transport Layer Security.) A properly configured system transmitting encrypted information is much more difficult to breach. Though this is not an infallible tactic, it practically eliminates the possibility of someone or something reading information in transit. This method both reduces the possibility of system compromise as well as other unscrupulous actions. Of course, TLS has to be supported at both ends of the communication.
Hosted VoIP Service
Hosted providers are the most common way most people utilize VoIP. In most cases, these services allow users at a business or home to simply connect a device to the Internet and make calls. Providers such as Vonage, Ringcentral and 8x8 are classic examples of hosted providers. Similarly MagicJack and Ooma are popular on the residential side.
How it is Exploited
Because hosted providers systems vary quite a lot in terms of architecture, different methods are used to compromise these systems. Depending on the set-up, different flaws in security create advantages for incisive fraudulent activity.
When signing up with a provider, it is important to know what kind of security measures are in place by the company providing your service and just as important, if the provider is hacked, will your business be responsible for charges incurred.
More often than not, an unauthorized user or program gains access at the user level. Sometimes this is the result of abuse from an internal source but not always.
How to Prevent Fraud
Like other scenarios, following best security practices is a must. Someone with enough knowledge of any given service may know a particular formula to figure out a way into a loose end of the service. Create custom user names, when possible, and implement secure passwords.
As in other networked environments, the fewer people that have access to account controls, the better. Limit administrators to a bare minimum and change passwords every few months. Consider doing this for users as well, some users may be annoyed by having to re-enter a password but it certainly secures your service.
Often phones are auto provisioned, meaning they connect to the hosted provider's server and download the user name and password for that particular extension, using the MAC address and a provisioning user name and password for credentials. It may be prudent to prevent administrator access to the phones for all users since this means they have no way of accessing their extension's password credentials. It is also vital that authentication is done at the provisioning side as otherwise hackers could easily get a free ride, since they could potentially auto provision their phone on your account. Usually this is hard to do but it depends on the system. For most PBXs they already have a list of MAC addresses that they will accept auto provisioning from. If there is no extension created that is matched to a specific MAC address, the auto provision should fail, and ideally ban the IP address if it happens frequently.
VoIP Security for other Weak points
Underlying, more specific mechanisms for any given service should be addressed as well. We will look at some of the most common issues where misuse is evident. Most of these issues apply to all the above-mentioned service models.
This is one of the broadest areas for a security fault. An insecure line can mean an extension with a simple password or it can be a transmission susceptible to attack. Most devices, including soft-phones, have the ability to transmit information securely using TLS. Consider utilizing a secure transmission to prevent an attacker eavesdropping or commandeering a call by encrypting the data at each endpoint. Some phones, such as those from Yealink, support OpenVPN which takes advantage of OpenSSL to encrypt your channel of communication. The Yealink phones also support HTTPS on the provisioning side, which is a nice feature to have, so long as the PBX you are connecting to supports it.
If your business is intra-national, there is really no reason to allow international calls. Turn this feature off in your PBX if making overseas calls is not necessary. If you have your own PBX do not enable an International dial-plan. If you have SIP trunks you can usually disable International calls inside your account portal, which then protects you should someone gain access to your SIP credentials (but not your account credentials). If using a hosted provider, ask customer service or technical support how to disable this feature.
Unauthorized Outbound Numbers
This is somewhat similar to limiting international calls but a little more specific. Consider blocking calls to certain destinations such as 900 numbers, as most of these numbers have no business purpose. Consider the clientele called by users. In some models, it may be best to heavily regulate outbound calls by implementing a rule where only recognized clientele can be contacted for outbound calls.
A DoS or DDoS [Distributed (Denial of Service)] is when an attack floods a network with useless data, usually when a malevolent entity spoofs an IP address and sends a high quantity of queries to a network. This congestion not only disrupts voice calls but other network functions as well. Avoid using open recursive name servers and consult with IT to examine the operation of your network infrastructure to ensure the best possible security measures are in place. Use hardware or software based firewalls that can recognize DoS attacks and ban the corresponding IP addresses. Some firewalls can be dynamic in nature, for example Fail2Ban for Linux servers which looks for specific regular expressions that correspond to a DoS signature attack and then add that to the firewall blacklist for a specific period of time.
Being the victim of any kind of fraud is a terrible experience. Not only does it leave one feeling helpless, but it also creates several other inconveniences in addition to potentially being a huge financial burden.
This article provides good practices for enhancing VoIP security in order to reduce the chances of fraud. However, the concepts introduced should be used as a starting conversation with a provider or an IT team. Consider auditing your current solution and if preparing to implement a new solution, analyze your network. Lock everything down as much as possible to make sure VoIP fraud does not happen to your business.
Feel free to use the comment form below to ask us questions or to tell us about your successes (or horror stories) with VoIP fraud.