Three simple reasons VoIP abuse will grow

Cisco predicts more hackers will set their sights on Voice over IP. Three reasons why the technology is ripe for abuse

In its recent annual security report, Cisco predicted VOIP abuse as a potential area for cyber crime growth.

"Criminals use brute-force techniques to hack private branch exchange (PBX) systems to place fraudulent, long-distance calls; usually international," the report states. "These incidents, often targeting small or midsize businesses, have resulted in significant financial losses for some companies."

Also see VoIP security: The basics on

One of the most popular scams employed by VOIP-abusing criminals are vhishing schemes, which are telephone-based phishing ploys. The report points to one recent vhishing scam targeting the Federal Deposit Insurance Corporation. Vhishers called U.S. consumers on mobile and land-line phones to inform them they were delinquent in loan payments that had been applied for over the Internet or made through a payday lender. Criminals were able to collect personal information, such as Social Security numbers from victims, according to the report.

"What we've seen in the last couple of years is growing VOIP abuse around getting access to someone else system with baseline security hacks and then either using it for criminal purposes or selling it to other folks as long distance," said Patrick Peterson, Cisco fellow and chief security researcher."Some people have made money that way and some victims received huge telcom bills."

Peterson and Cisco technical manager Randy Birdsall explain why VoIP abuse has been on the upswing in recent years and appears poised for further growth.

It's widely deployed

According to market research firm In-Stat, almost 80 per cent of businesses will use Voice over Internet Protocol by 2013. And VoIP is in most enterprises in some fashion by now, according to Peterson. Whether it's fully deployed or still being tested, it's now pervasive, and therefore a target for criminals.

"Anytime there is a free, anonymous resource, criminals flock to it because that combination of free and anonymity is too good to be true," said Peterson. "What we've seen is an extraordinary increase in the last few years in the number of cracking attempts, and port scans, and attempts to log in with default admin passwords on various VoIP access points."

As VOIP has gained popularity, it's now a worthwhile endeavor from criminals because there is a large pool of potential victims to pull from. Birdsall said the concern among organizations using VoIP has changed, too.

"When I first started talking to companies a few years ago about VOIP security, the comments were 'Well, it's good to know it's available,'" he said. "Now the conversation is, 'We have had this incident happen. Now we want to know everything you can tell us so it doesn't happen again.'"

There are several ways to abuse it

While vhishing and SPIT (spam over internet telephony) get the most attention as VoIP problems, there are many ways criminals can take advantage of a VoIP network. Denial-of-Service attacks using VoIP technology are gaining popularity. In these attacks, criminals make the victims' phones ring constantly or sound busy.

"Organizations are deploying gateways that allow them to do SIP trunking to service providers as a way to save cost on telecom bills," explained Birdsall. "Now they are out on internet with a gateway that has the ability to do SIP trunking, and SIP is an open protocol. There is a lot that is known about that across the entire industry and that is a great thing. But it also allows more people to understand it to the point of manipulating it and using it doing things with it that are malicious."

Some of the other types of exploits Birdsall has seen include criminals routing calls through an organization's SIP trunk under the guise of being a telephony-service provider, therefore selling a service they never had to pay for. Criminals can also route their calls over the unsecured gateway to other sources, therefore bypassing long distance charges and international call charges.

"They can also redirect calls to 900 numbers, or other numbers that allow them to actually make money off of it," said Birdsall.

There is also the potential for hackers to breach your network and steal sensitive data using the gateway.

"One financial institution pulled me in when they noticed traffic coming from their product out to the internet. In that case, they (the criminals) had leveraged the IP-telephony network to gain access to a data path within their corporate enterprise. So the IP-telephony network was a way to get to the data side of things. That's another attack vector people may not have anticipated."

It's not well protected

"In a lot of mid-market organizations, VOIP systems are deployed to save money, but they dont have someone on staff who understands the security implications and knows what to look out for. They are leaving it wide open," said Birdsall.

Read more in Skype security: Is the popular VoIP service safe for business?

A VoIP network often shares the vulnerabilities of the operating system it runs on, yet the organization often fails to protect it with standard firewalls and security software. Many neglect to change the default manufacturer passwords that come with the system.

"Organizations deployed these systems several years ago and then just sort of forgot about security," said Peterson.

Join the PC World newsletter!

Error: Please check your email address.

Tags Cisco Systemstelecommunicationsecurityvoip

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joan Goodchild

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?