IT security has been and continues to be a major concern for almost any business. News of high-profile businesses being hacked and sensitive customer data being leaked continue to hit the headlines, causing potentially significant damage to the reputation and bottom line of these companies. Although many firms take steps to secure their IT systems, it can be a totally different story when it comes to an IP telephony network. An IP-PBX system is just as vulnerable as other systems on a computer network, perhaps even more so, in that many firms don’t even realize the vulnerabilities of these systems. Due to the nature of IP telephony, the phone system needs to be connected to the internet, which provides a route for hackers to access the IP-PBX.

While VoIP phone systems offer many advantages, such as advanced call functionality and flexibility, over traditional TDM, it is precisely these advantages that can also be used against them. For businesses to protect their IP telephony systems, they need to understand how their systems are vulnerable, how these vulnerabilities can be exploited, and the steps they can take to secure these systems. To gain access to the telephony system, hackers simply need the password of the device they are targeting; to gain this password and successfully compromise an IP-PBX system, hackers will identify an IP extension on the network and bombard that device with different passwords, in the hope one of them will be right. Although this sounds like a long shot, many users don’t change their passwords from the default setting. Also, hackers can send thousands of passwords to an extension in just a couple of seconds. In many cases, it doesn’t take long for the hackers to guess the correct password and log in to the IP-PBX system.

Once a hacker has access to the system, there are many ways in which they can disrupt the IP telephony network and potentially cost a business a lot of money. One of the most common attacks, and indeed one of the most damaging, is when professional criminals tie an entire call center to the compromised network connection, routing thousands of calls over the one connection in a short period of time. Depending on how the IP-PBX routes its calls, and how regularly the company receives its bills, this activity can sometimes continue for months before being discovered, resulting in an astronomical telephone bill.

While weak passwords are one of the primary ways for hackers to take advantage of a poorly protected system, a lack of encryption in an IP-PBX infrastructure can also leave the doors wide open to other types of malicious activity. For example, because of the computerized nature of IP telephony, it's not a difficult task to secretly record internal calls; rather than having to install a physical device, calls can simply be recorded using the right software. This kind of threat can often originate with an employee inside the organization, making it difficult to protect against it. If a company is using an unencrypted VoIP protocol, there's no barrier in place to stop calls from being recorded. Even if the threat doesn’t come from an employee, for outside groups with an interest in recording a company’s telephone conversations, a trojan could be used to install the recording tool.

So what can be done to secure your IP PBX?

To secure an IP-PBX system, there are several steps companies should take. First, administrators need to keep a close eye on the system to monitor for any signs of an attempted attack, and they must act quickly to ensure successful attacks are addressed at an early stage. As mentioned earlier, one of the major reasons IP-PBX systems are compromised is because hackers are able to easily break into systems using weak passwords. More often than should be the case, the password won’t be changed from the default password, or it will have been changed to something easy to remember, such as the company name or “password”.  Capitalizing letters and Including numbers and symbols can increase the security of a password significantly, making it much more difficult for a hacker to crack. Most users don’t want to come up with a password they can’t remember, however, and it becomes a difficult task for the IT administrator to ensure employees use a secure password. At Vodia, we’ve realized this is a major issue for businesses, so we built a password security measure into our the Vodia IP-PBX under system security.

Administrators are given the opportunity to set a minimum strength level for user passwords. At the lowest setting, any password can be used; at the middle and higher evels, the chosen password is given a score based on the combination of letters, numbers, and symbols it contains, and any that don’t reach the required score are rejected. This can sidestep the challenge of ensuring everyone is using a secure password, and it allows administrators to upgrade the security of the IP-PBX infrastructure with the click of a button.

Even with strong passwords protecting every extension on the IP network, hackers will still try to break through a system’s defenses. Since they can try so many passwords in a short period of time, it is worth it to them to try an attack, as the chances are, eventually, they will guess the correct password. For a business, this presents a very real risk, as it's difficult and time-consuming to constantly monitor the IP telephony system for attempts at illegal access. To combat this, Vodia has an email alert system that lets administrators set a limit for the number of unsuccessful access attempts by an IP address, blocking those that reach that limit and sending an email alert to the administrator. When an attack has been successful, and the hackers start routing unauthorized calls through an extension, it's very difficult for the administrator to see this is happening.

If legitimate users don’t notice a problem, then there's nothing to alert the administrator the IP-PBX has been compromised. This means the hackers have free rein to route thousands of calls through the extension, and the company only discovers this when it receives a massive bill from its service provider. With the Vodia IP-PBX, IP extensions can be set up to limit the number of conversations they can handle at any one time. Obviously, no user is going to be able to handle thousands of calls in the space of a few minutes, so this feature stops hackers from routing an excessive number of calls through a compromised extension. The danger posed by someone hacking into a system can be further mitigated by setting a credit limit for outbound calls. In Vodia’s settings this is a simple process of entering the cost of the call, allowing the system to monitor the total number of calls placed, and blocking outbound calls once this limit has been reached.

Make the change before it's too late! IP telephony is a much larger bigger component of corporate communication infrastructures than ever. And while IT security is slowly but surely improving, the same can’t necessarily be said of IP telephony systems, as the administrators of these systems often don’t realize the level of the danger they face. The monetary losses a successful hack can cause can far outweigh the original investment in the system. Yet the measures that need to be taken to protect the business are relatively simple and don’t require a massive investment in hardware and software.

Once the right security measures have been put into place, administrators can drastically reduce the chances of seeing their organizations victimized by successful hacking attacks. Of course, the right IP-PBX, such as the Vodia PBX, makes this process much easier and ensures the transition to a secure system is a simple and painless process.