VoIP eavesdropping is not a new cybersecurity risk. The protocol that drives most of today’s VoIP applications, Session Initiation Protocol (SIP), has been in common use since the 2000s. However, according to IBM SecurityIntelligence, attacks that exploit the SIP protocols are on the rise. Thankfully, businesses have plenty of ways to reduce the opportunities for VoIP eavesdropping. Let’s take a look.

VoIP eavesdropping: the weak points

As with so many topics in network and telecom security, hackers get the opportunity to eavesdrop on VoIP conversation due to weak spots in defences. Effectively recording and decoding a VoIP conversation requires access to the packets that are transmitted, alongside a decoding tool. Circumstances that can make it easy for intruders to get this access include:

• Insecure networks

  Networks that are not encrypted, such as open WiFi networks, make it easy to capture VoIP data packets. A lack of physical security in an office can have the same effect.

• Remote offices

  IT teams can typically be very effective at managing internal networks at a head office, but branch offices are often at heightened risk of VoIP telecoms eavesdropping because IT staff do not get around to enforcing full compliance with network security protocols.

• Passwords and settings

  As always, a weak device password or weak VoIP credentials can allow hackers to quickly bypass even the toughest of network security hurdles. Likewise, default device settings often provide an entry point and should be changed.

It’s hard to physically spot a VoIP eavesdropper.  A business person waiting in reception may in fact be using their laptop to eavesdrop on VoIP conversations. That’s why taking precautions is so critical.

How to combat VoIP eavesdropping

There are many ways to stop VoIP eavesdroppers in their tracks. Though none of these measures on their own will fully protect your network, a mix of measures will provide strong protection. Here are our top choices for preventing VoIP eavesdropping:

• Encryption.

  

  First and foremost, encryption can deliver a high level of protection against VoIP eavesdropping. Particularly where your conversations occur in a regulated industry such as healthcare or finance, you must strongly consider encryption, but there can be drawbacks to encryption when it comes to voice quality.

• Pay attention to handsets.

  

  In 2015, Cisco detected a vulnerability in their range of IP phones which made eavesdropping easier. As expected, Cisco immediately recommended actions that sysadmins could take to stop attacks. The company also quickly released firmware updates. It may be stating the obvious but listening to handset manufacturers and applying firmware updates as requested is key to preventing eavesdropping on VoIP conversations.

• Update session border controllers.

  

  These important devices can act as gatekeepers, but, just like any network peripherals, session border controllers (SBCs) require frequent updating. Keep your SBCs in tip-top shape and it will be more difficult for eavesdroppers to intrude on VoIP conversations.

• Consider hosted VoIP.

  

  Ticking all the VoIP network security boxes can quickly become tedious. Instead, consider hosted VoIP. Hosted telephony providers are staffed by VoIP experts who know the ins and outs of VoIP security.

• Firm up network security.

  

  What’s good for overall network security is good for VoIP security. Focussing on aspects ranging from physical access of networking equipment through to hardening up WiFi provisioning will help reduce eavesdropping opportunities.

• Monitor your phone system.

  

  Just as monitoring network logs can highlight an intrusion attempt, so monitoring VoIP traffic logs can flag up suspicious activity. Notice activity that differs from the usual? Further investigation is warranted.

• Make use of a VPN.

  

  Where employees work remotely, it may be advisable to direct all network traffic, including VoIP, over a VPN. Nowadays, VPNs are cheap and easy to set up and can ensure that VoIP traffic stays out of prying hands. However, do test VPN solutions thoroughly to ensure that using a VPN does not cause problems with VoIP calls.

Take a multi-pronged approach

As much as a well-financed, determined attacker could probably find a way to eavesdrop on even the most guarded VoIP conversations, most telephony eavesdropping is enabled by lackadaisical security measures.

The measures we outlined, when combined, can ward off eavesdropping attempts. Though some points require practical trade-offs, most companies should be able to implement the majority of our suggestions. Do so and you won’t need to worry about VoIP eavesdropping.