VoIP call centres open to attack
By Rene Millman,
VoIP data could be hacked because call centres are not doing enough to secure their networks, according to new research.
Research by IT security company Scanit found that most installations do not have strong security controls in place, according to one of the company's engineers, Sheran Gunasekera. The company found that 70 per cent of VoIP calls are unsecured and exploitable by hackers.
"The reason for this has been the fact that the system integrator or implementer had not paid much attention to the security of the entire setup," said Gunasekera.
He said it was possible for an employee of the organisation to intercept voice conversations and re-route calls outside of the firm's network.
According to Sheran, a high percentage of installations he has audited had no encryption on the voice stream.
'The most common reason in large companies is because no-one understood how to secure the system. Staff lacked adequate skills and understanding of the security aspects of the implementation itself. They relied on the vendor or system integrator to set the whole system up," he said.
When a user first starts up a VoIP session, it looks for a SIP Registrar - comparable to a traditional telephone exchange - to register and identify itself on the internet, via an IP Address, and to show the user is now contactable.
"If a SIP Registrar is set up with no consideration given to security, it is possible for a malicious user to imitate a legitimate registration request," said Gunasekera. "The Registrar itself will assume that this is a legitimate registration request because all the fields will be filled out correctly. The only difference is the fact that the destination IP address has changed."
He said it was comparable to changing your mailing address when your name and other details stay the same.
"If no steps are taken to verify the new address provided, then your mail will be delivered to this new address, which could be owned by someone else," said Gunasekera.
He said there are several safeguards to prevent this, such as using encryption and strong authentication for requests with the SIP Registrar.
You may also like...
Sponsored Links
advertisement
You may also like...
Latest Security Analysis & Insight
What is your password worth?
Would you be tempted to sell off company passwords for a fee? If not, seems like you're in the minority, acccording to research.
- Macs under attack?
- Intel: security inside
- Are you spending too much on IT security?
- Does the government want to snoop on your data?
- Eurocrats versus the cyber criminals
- The truth about spam
- Google and privacy: What’s the problem?
- Q&A: Symantec’s CISO on the source code hack
- RSA: Back from the breach?
Latest Security Reviews
Check Point 2210 Appliance review
Rating: 
advertisement
Most popular
- UK regulator shuts down Angry Birds scam
- Apple iPad 3 vs iPad 2 head-to-head review
- IBM bans use of Siri on iPhones
- Chromebooks: What's gone wrong?
- HP plans massive job cuts
- EMC World 2012: Tucci declares Documentum is here to stay
- Dell EqualLogic PS6100XS review
- Macs and Android under malware threat
- RIM loses its head of sales
- Local fibre broadband needs common standards
Latest News Videos in Security
IT PRO Podcast: Are UK data protection laws flawed?
PlayWe bring in two experts to talk about the problems with UK data protection law and the way it is managed.
Register for IT PRO
You'll get exclusive member benefits including free whitepapers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
