VoIP Security: Vulnerabilities & Best Practices

In 2021, IP PBX hacking has caused $1.82 billion in fraud losses, a 28% increase from 2019. When threats become unpredictable and the remote-work-related risks ever increase, security is key. VoIP hacking and attacks can come from the Internet or telephone lines targeting exploiting any vulnerabilities and eventually exposing your organization to toll fraud and theft of confidential information.

So how can you protect your business-crucial PBX system from potential net threats and internal malfeasance?

This blog introduces the must-have security policies and Yeastar PBX System’s innovative services and features that effectively shield you from attacks.

Table of Contents

• 6 types of common VoIP vulnerabilities and attacks
• VoIP PBX security checklist
• Best practices to defend against network security threats
• Best practices to mitigate SIP communication risks & secure IP endpoints
• Must-haves in your VoIP security contingency plans
• Security solutions for PBX remote access and communications
• ⏵For PBX end users: tunneling services
• ⏵For PBX resellers, MSPs, and providers alike: device remote management

To avoid security breaches of your VoIP PBX phone system, it is important to understand the potential vulnerabilities and the common types of cyberattacks.

Potential PBX Security Vulnerabilities

• Weak or stolen usernames and passwords
• Back doors and application vulnerabilities
• Poor access control
• Unencrypted connections
• Data breach caused by human error

Common Types of Cyberattacks and VoIP Security Treats

1. Toll Fraud

• Attack Action: Make international calls from your VoIP network, at your expense.
• Attack Purpose: Generate a high volume of international calls to premium rate numbers and then collect the revenue.

2. Reconnaissance

• Attack Action: Gather all possible information about the target before launching an actual attack.
• Attack Purpose: Identify vulnerabilities and weaknesses, and then create a successful exploit.

3. Denial-of-Service (DoS)

• Attack Action: Flood a server with an overwhelming amount of requests and use up all of its bandwidth.
• Attack Purpose: Prevent users from accessing connected online services or sites.

4. Spoofing

• Attack Action: Impersonate an individual or a company that the victims trust.
• Attack Purpose: Gain access to personal information or steal data.

5. Man-in-the-Middle

• Attack Action: Eavesdrop on the communication between two targets.
• Attack Purpose: Steal sensitive data, such as login credentials, account details, and credit card numbers.

6. Spam Over Internet Telephony (SPIT)

• Action: Bulk and unsolicited robot calls and voicemails over VoIP to phones connected to the Internet.
• Purpose: Trick the victim into answering or listening to a robocall for high international calling fees.

 

VoIP Security Checklist: How to Secure Your VoIP Phone System  

The complexity and variety of cyberattacks are ever-increasing, with different types of attacks for different malicious purposes. While countermeasures differ for each type of attack, good security policies help mitigate the risks. In many cases, the best way to safeguard a PBX phone system is to implement a multi-layered security solution. This means that you need to deploy multiple defense measures to protect the vulnerable points of your phone system. Each layer increases overall protection and continues to offer system defense even when one of the layers is breached.

Following are some best practices that can be performed to build multi-layered protection for your VoIP phone system.

1. Keep Your PBX and SIP Endpoints Updated

An up-to-date firmware or software version works like a protective cover to shield your PBX or SIP endpoints from security threats. Typically, the most recent version is often the most secure with bugs and other vulnerabilities being found and fixed. In addition, with technology evolving, some critical security features or layers of protection are only supported on the latest version.

Your organization’s network is the first line of defense against cybercrime. If a hacker gains access to your organization’s network that supports VoIP communications, it can result in Denial of Service (DoS) attacks or significant decreases in Quality of Service (QoS). To prevent this from happening, you need to avoid exposing the PBX’s intranet to the public and block unauthorized access.

• Best Practice 1

Avoid Port Forwarding

In an attempt to offer remote access for remote and mobile users, most on-premises PBX providers will recommend Port Forwarding. But this is not a good idea at all.

Essentially, Port Forwarding maps an external port on your public IP address to the PBX that is within your private Local Area Network (LAN). This exposes your PBX on the Internet and brings potential risks because hackers could penetrate your network through the forwarded port. And as a matter of fact, hacking through port forwarding has been the most common way for hackers to launch attacks.

You will need a more secure way to maintain remote access for needed features and in the meanwhile, avoid using port forwarding that exposes your LAN.

To solve the dilemma, you might leverage tunneling services like Yeastar Linkus Cloud Service Pro (LCS Pro) or Remote Access Service (RAS). Coming packed with industrial-grade cloud and encryption technology, the Yeastar tunneling service creates a securer way for PBX’s remote SIP access and business communications.  It not only avoids the PBX port forwarding but double-secures the system with granular permission control.  You can decide which IP addresses and Extension accounts are allowed to access your PBX remotely via the service, and what PBX services are allowed for remote access.

 

• Best Practice 2

Block Unauthorized Access to Your PBX

Block unwanted and unauthorized access to your PBX can significantly decrease the possibility of your system being hacked. It is a vital step to prevent telephone hacking and mitigate the potential damage and financial losses to your business.

a. Restrict access to PBX Administrator Portal

Yeastar P-Series PBX System is preconfigured with 3 types of role-based accounts: Super Admin, Administrator, and Custom User. Each role has appropriate administrative privileges already included. You can also create custom roles with specific administrative privileges to fit user needs. Only users with administrative privileges can access the administrator portal to configure the system features that are granted to their roles.

When implementing role-based access control, you grant only the necessary privileges to user roles and ensure that roles are given to the correct individual, thus regulating who and what for the security permission control.

b. Restrict system access from specific countries or regions

If you find an increase in attacks on your PBX from a particular country or region, you can use geographic restrictions (also known as geo-blocking) to prevent visitors in specific geographic locations from accessing the PBX. By checking a visitor’s IP address against the PBX’s database, unauthorized access can be denied.

c. Restrict system access with firewall rules

Yeastar P-Series PBX System has inbuilt firewall rules to only accept trusted traffic. You can also create firewall rules on your PBX to allow or block traffic from specific source IP address/domain, ports, and MAC addresses. In doing so, suspicious access that might contribute to attack fraud or call loss will be automatically blocked.

To prevent massive connection attempts or brute force attacks, you can also utilize the PBX’s inbuilt IP-Auto-Defense feature to define the allowed number of IP packets within a specific time interval. If any IP sends IP packets exceeding the limit, the system will automatically block the IP.

SIP trunk is typically used for the transport of voice packets from your organization to the intended recipient. Any interference can result in degraded call quality, complete disconnecting of a call, eavesdropping, etc. To secure SIP trunks, the best way is to limit outbound calls and encrypt calls.

• Best Practice 1

Set Rules for Outbound Calls

a. Different rules for different time periods

Hacking attempts are usually made during non-business hours, over weekends, and during holiday periods when the system is less attended. You can leverage the Time Condition feature to implement different inbound or outbound call restriction rules for different time periods to reinforce the automatic control. For example, you might create a Time Condition called “Holidays”, and disable outbound calls during holidays by applying the Time Condition to an outbound route.

b. Permission to only those who need it

Your employees perform different tasks in your company, and not all of them need to make long-distance or international calls. Consider configuring different outbound routes for different trunks (e.g. local, long-distance, and international), and assign outbound route permissions only to the users who require the use of it.

c. Limit outbound call frequency

Once hackers infiltrate your phone system, they can easily rack up tens of thousands of dollars by making a large volume of calls. It’s recommended that you set a limit on the number of outbound calls that can be made within a preset time interval.

d. Limit call credit and cancel auto refill

Telecom providers protect customers from exorbitant call costs by placing an upper threshold on the number of billable calls that a company can incur. Limiting the amount of credit and canceling auto-refill will help minimize the losses caused by toll fraud.

• Best Practice 2

Encrypt Calls

Encrypting your communications can prevent eavesdropping or tampering with audio streams between all endpoints.

a. Use TLS to encrypt signaling

Transport Layer Security (TLS) is a security layer in the form of a certificate that has to be authenticated before access is granted. With TLS enabled, your users’ names and phone numbers are hidden and unable to be retrieved by prying eyes and ears.

b. Use SRTP to encrypt media

To strengthen the security, TLS should be used together with SRTP on your phone system. These ensure SIP signaling and audio/video sessions safe from any malicious activities.

When unauthorized access is gained to SIP extensions, the potential for disruption is particularly significant. Criminals can exploit your phone system to make calls and launch other malicious attacks. Enforcing a strong password policy and placing restrictions on extension registration will help secure SIP extensions.

• Best Practice 1 

Use Strong Passwords

A weak password can leave a potential security gap that hackers can easily exploit. To that end, strong passwords should be used for every required feature in your PBX. In general, Yeastar PBX has passwords for extension registrations, the administration web interface, user web interfaces, and voicemails. You can protect the password in the following ways:

1. 1. Avoid the most common or system default passwords.
   2. Use a strong password of at least 8 characters, including a mix of upper case, lower case, and digits.
   3. Use different passwords for different accounts.

• Best Practice 2

Enable 2FA (Two-factor Authentication) 

Yeastar P-Series Phone System supports two-factor authentication that allows you to further protect your extension accounts by requiring two different types of information to log in. The first factor is what you already use to log into your account, like a password or a PIN. The second factor is usually a security code that is sent to your trusted devices or verified account email address.

 

• Best Practice 3

Restrict Extension Registration

Yeastar PBX System has strong anti-hacking mechanisms to safeguard SIP registration security, such as limiting extension registration to LAN only and blocking IP addresses for too many failed registration attempts. Moreover, you are given the following options to strengthen the security:

1. 1. Restrict the IP addresses from which extensions can register.
   2. Configure a complex authentication name completely different from the general default username.
   3. Place a restriction based on a phone’s user agent.

Though a wide range of measures can be taken to protect your PBX, there is no absolute safety. If an attacker successfully infiltrated your PBX or forced your PBX to fail, you should have a contingency plan.

• Best Practice 1

Establish Real-time Monitoring, Logging, and Alert on System Events

Leverage event logging to monitor and record the anomalous operations on your PBX, and subscribe to the critical events. When something goes wrong, you can get notifications timely and quickly find out where the problem lies and work out a solution.

If you are using a Yeastar PBX system, you can realize the real-time monitoring on the following two platforms:

1. 1. PBX Administrator Portal: manage a single PBX.
   2. Yeastar Remote Management: centrally monitor and manage numerous customer-premises PBXs.

• Best Practice 2

Schedule Auto Backup

1. 1. Schedule regular backups. If your PBX cannot work, you can reset it and restore configurations from the backup file to ensure a fast recovery.
   2. Store backups in external locations to prevent the risk of data loss from physical destruction or theft.
   3. Apply a backup retention policy. This helps limit the amount of historical and outdated data.

• Best Practice 3

Implement a Redundancy Solution

a. Hot Standby for on-premises PBX System (Hardware & Software-based)

Yeastar on-premises PBX system is equipped with the Hot Standby feature for free, which allows you to create a mirroring server pair and recover immediately when a failure occurs. To deploy the solution, you need two identical PBX servers, which should be the same in the following aspects: Product model, Firmware and hardware version, Software configuration, Local Area Network (LAN) Settings, and Hardware Installment.

With Hot Standby set up, the following can be achieved:

1. 1. Fast 1 to 10 seconds automatic recovery in event of any failure.
   2. Shared virtual IP between the paired active and hot-standby PBX servers, which ensures a complete system switch to the standby server when the active server fails, including all IP phones and third-party integrations connected to the PBX.
   3.  Instant email notification via email or call when a failover event occurs

 

b. High Availablity for Cloud PBX

Reliability is not a feature of the cloud; it is a requirement. Delivered in a cluster-based environment and managed by Yeastar, Yeastar Cloud PBX services feature a high-availability redundant deployment for enhanced disaster recovery, which is not the case for many single-instance cloud deployments.

PBX instances are deployed as primary and secondary pairs, i.e. the hot standby mode, to support seamless failover. We also leverage active/active load balancing to ensure optimal resource utilization among SBC servers. These servers are all powered by Amazon Web Services and located in various regions across the globe, adding more resilience to the entire service. There are more built-in security mechanisms in place to safeguard against malicious attacks.

Yeastar Cloud PBX 30-Day Free Trial

 

PBX providers can never be too careful with VoIP security. This is especially true when it comes to the system’s remote access. How to understand remote access?

For one thing, customers may request the ability to access their phone systems remotely via the Internet. Such remote connections are convenient and often necessary for frequent travelers, as well as for geographically dispersed locations or employees.

For another thing, PBX providers may need to establish a remote connection to provide remote PBX tech support, troubleshoot network problems, and resolve issues without the need to send a technician on site.

As is known, on-premises systems are often restricted to the physical office. Traditionally, to remotely access on-premises systems, PBX providers have to go through tricky PBX server and network settings, which might incur potential security risks.

Yeastar was looking for the best solution to help on-prem and software PBX users secure their remote access and ease through the configurations, and we made it. Through the innovative Yeastar tunneling services and Yeastar Remote Management tool, the remote connection is only one click away with the least IT and security concerns.

Secure Tunneling Services for Remote Business Communications & Collaboration

• Challenge

In an attempt to offer remote access for remote and mobile users, most on-premises PBX providers will recommend Port Forwarding. But this is not a good idea at all. Port Forwarding requires tricky server and network settings. Worse yet, it risks potential attacks by opening a port on the firewall, through which threat actors can easily get full control of the phone system.

• Solution

Yeastar provides innovative tunneling service for Yeastar on-premises and Software PBX, freeing you from risky port forwarding, tricky server setup, and troublesome NAT issues, so you don’t need to worry about exposing your intranet to the public, wasting time on complex deployment, or unstable call quality to happen and affect your remote business communications. And the best part of that, it takes only one click for you to enjoy hassle-free and secure remote communications.

The innovative tunneling service is named differently on different Yeastar PBX series

1. 1. Linkus Cloud Service Pro (LCS Pro) for S-Series VoIP PBX
   2. Remote Access Service (RAS) for P-Series PBX System.

• How secure is the solution?

a. Separate and Private Connection

Shield your company from the potential risks of PBX network penetration and subsequent issues of toll fraud, data breaches, and cyber-attacks alike. Yeastar tunneling service provides a tunneling server as an intermediary server for data transmission between the PBX and its remote SIP endpoints. Your PBX’s IP address won’t be exposed to the public. All remote connections are direct, undercover, and double safeguarded with account authentication.

b. Unbreakable and Impenetrable Encryption

All transmission between the PBX and the tunneling server is encrypted. And each PBX will have its exclusive encryption key. Even if the tunneling server is brought down by a hacker, it is very difficult to replace the tunneling service and get the original transmission data since the data is encrypted.

c. Per-service Remote Access Authorization

Yeastar tunneling service offers advanced access control to ensure further security. You can permit or block remote access for web access, Linkus access, SIP registrations, LDAP, and API, customize remote access authorization by extension or department, and apply IP restrictions to further secure all the remote access.

 

Device Remote Monitoring and Management

• Challenges

When it comes to remote support, most PBX providers will recommend either installing remote desktop software (e.g. AnyDesk and TeamViewer) on computers or doing Port Forwarding for the PBX, but both methods leave a port open, which could be easily exploited by hackers. What’s more, weak remote connections can make it easy for cybercriminals to break into the session and gain access to the customer’s computer or phone system.

• Solution

Delivered via the all-encompassing platform of Yeastar Central Management, Yeastar Remote Management allows Yeastar Partners to remotely manage and configure customer-premises Yeastar PBX systems and VoIP gateways in a secure manner.

With no Port Forwarding or VPN required, it offers encrypted device remote connection, round-the-clock remote system monitoring and alerts, and most importantly, permission-based remote system configurations. When an issue is detected on the customers’ devices, you receive notifications immediately and can take prompt actions without sacrificing system security.

More details about Yeastar Remote Management Solution

• How secure is the solution?

a. Bank-grade Remote Connection

All remote connections are HTTPS secured and conducted in an encrypted SSH tunnel to minimize network exposure and best protect the data integrity and confidentiality.

b. 2-way Connection Authentication

Connect remote Yeastar devices either by confirming Yeastar ID on the client’s device or by verifying the once-off remote connection authentication code on the client’s device. Both authentication methods require confirmation from the client, effectively keeping the Yeastar devices from being maliciously connected and data breaches.

c. Role-based Access Control

Add colleague accounts to co-manage customers’ devices. By limiting account permissions, you can realize granular administration and ensure that access to remote Yeastar devices is restricted to authorized engineers only for maintenance operations.

d. Remote Access Timeout Mechanism

Yeastar Remote Management provides a robust timeout mechanism to limit the time of every remote Yeastar device configuration, which means that after the configured time, the URL offered to access the remote Yeastar device will become invalid and the access will be terminated.

 

Secure Your VoIP Communications from Today

Organizations that secure voice traffic are more resilient than those that sit idle. A reputable PBX System like Yeastar can be the assurance you need to maintain a secure calling environment.

With over  15 years of expertise in the VoIP industry, Yeastar has been engineering VoIP PBX phone systems with the right functionality, flexibility, and security that modern businesses will need for their growth. Whether you need a Cloud PBX System or a hardware/software-based phone system, you can trust us with the industry-leading products and services.  Contact us for an inquiry today.

 

Leave a Reply Cancel comment reply

Your email address will not be published. Required fields are marked *

Name *

Email *

Website

Save my name, email, and website in this browser for the next time I comment.

Comment