VoIP Security: Vulnerabilities & Best Practices

In the past year, the VoIP industry faced a loss of $50 billion US dollars due to VoIP fraud and attacks. When threats become unpredictable and remote-work-related risks ever increase, security is key. VoIP hacking and attacks can come from the Internet or telephone lines exploiting any vulnerabilities and eventually exposing your organization to toll fraud and theft of confidential information.

So how can you protect your business-crucial PBX system from potential net threats and internal malfeasance?

This blog introduces the must-have security policies and Yeastar PBX System’s innovative services and features that effectively shield you from attacks.

Table of Contents

• 6 types of common VoIP vulnerabilities and attacks
• VoIP PBX security checklist
• Best practices to defend against network security threats
• Best practices to mitigate SIP communication risks & secure IP endpoints
• Must-haves in your VoIP security contingency plans
• Security solutions for PBX remote access and communications
• ⏵For PBX end users: tunneling services
• ⏵For PBX resellers, MSPs, and providers alike: device remote management

To avoid security breaches in your VoIP PBX phone system, it is important to understand the potential vulnerabilities and the common types of cyberattacks.

Potential PBX Security Vulnerabilities

• Weak or stolen usernames and passwords
• Back doors and application vulnerabilities
• Poor access control
• Unencrypted connections
• Data breach caused by human error

Common Types of Cyberattacks and VoIP Security Treats

1. Toll Fraud

• Attack Action: Make international calls from your VoIP network, at your expense.
• Attack Purpose: Generate a high volume of international calls to premium rate numbers and then collect the revenue.

2. Reconnaissance

• Attack Action: Gather all possible information about the target before launching an actual attack.
• Attack Purpose: Identify vulnerabilities and weaknesses, and then create a successful exploit.

3. Denial-of-Service (DoS)

• Attack Action: Flood a server with an overwhelming amount of requests and use up all of its bandwidth.
• Attack Purpose: Prevent users from accessing connected online services or sites.

4. Spoofing

• Attack Action: Impersonate an individual or a company that the victims trust.
• Attack Purpose: Gain access to personal information or steal data.

5. Man-in-the-Middle

• Attack Action: Eavesdrop on the communication between two targets.
• Attack Purpose: Steal sensitive data, such as login credentials, account details, and credit card numbers.

6. Spam Over Internet Telephony (SPIT)

• Action: Bulk and unsolicited robot calls and voicemails over VoIP to phones connected to the Internet.
• Purpose: Trick the victim into answering or listening to a robocall for high international calling fees.

VoIP Security Checklist: How to Secure Your VoIP Phone System  

The complexity and variety of cyberattacks are ever-increasing, with different types of attacks for different malicious purposes. While countermeasures differ for each type of attack, good security policies help mitigate the risks. In many cases, the best way to safeguard a PBX phone system is to implement a multi-layered security solution. This means that you need to deploy multiple defense measures to protect the vulnerable points of your phone system. Each layer increases overall protection and continues to offer system defense even when one of the layers is breached.

The following are some best practices that can be used to build multi-layered protection for your VoIP phone system.

1. Keep Your PBX and SIP Endpoints Updated

An up-to-date firmware or software version works like a protective cover to shield your PBX or SIP endpoints from security threats. Typically, the most recent version is often the most secure with bugs and other vulnerabilities being found and fixed. In addition, with technology evolving, some critical security features or layers of protection are only supported on the latest version.

Your organization’s network is the first line of defense against cybercrime. If a hacker gains access to your organization’s network that supports VoIP communications, it can result in Denial of Service (DoS) attacks or significant decreases in Quality of Service (QoS). To prevent this from happening, you need to avoid exposing the PBX’s intranet to the public and block unauthorized access.

• Best Practice 1

Avoid Port Forwarding

In an attempt to offer remote access for remote and mobile users, most on-premises PBX providers will recommend Port Forwarding. But this is not a good idea at all.

Essentially, Port Forwarding maps an external port on your public IP address to the PBX that is within your private Local Area Network (LAN). This exposes your PBX on the Internet and brings potential risks because hackers could penetrate your network through the forwarded port. As a matter of fact, hacking through port forwarding has been the most common way for hackers to launch attacks.

You will need a more secure way to maintain remote access for needed features and in the meanwhile, avoid using port forwarding that exposes your LAN.

To solve the dilemma, you might leverage tunneling services like Yeastar Linkus Cloud Service Pro (LCS Pro) or Remote Access Service (RAS). Coming packed with industrial-grade cloud and encryption technology, the Yeastar tunneling service creates a secure way for PBX’s remote SIP access and business communications.  It not only avoids the PBX port forwarding but double-secures the system with granular permission control.  You can decide which IP addresses and Extension accounts are allowed to access your PBX remotely via the service, and what PBX services are allowed for remote access.

• Best Practice 2

Block Unauthorized Access to Your PBX

Block unwanted and unauthorized access to your PBX can significantly decrease the possibility of your system being hacked. It is a vital step to prevent telephone hacking and mitigate the potential damage and financial losses to your business.

a. Global Anti-hacking IP Blocklist

Yeastar P-Series Phone System comes equipped with a Global Anti-hacking IP Blocklist Program, which centrally records a wide range of IP addresses that have been blocked by Yeastar PBXs worldwide and that are suspected of malicious activity or attack.

The IP blocklist is shared among all the Yeastar PBXs and is regularly updated on a weekly basis to incorporate the newly discovered malicious IP addresses. With the Global Anti-hacking IP Blocklist, all connections to your PBX from the IP addresses in the blocklist will be dropped

b. Restrict system access from specific countries or regions

If you find an increase in attacks on your PBX from a particular country or region, you can use geographic restrictions (also known as geo-blocking) to prevent visitors in specific geographic locations from accessing the PBX. By checking a visitor’s IP address against the PBX’s database, unauthorized access can be denied.

c. Restrict system access with firewall rules

Yeastar P-Series Phone System has inbuilt firewall rules to only accept trusted traffic. You can also create firewall rules on your PBX to allow or block traffic from specific source IP addresses/domains, ports, and MAC addresses. In doing so, suspicious access that might contribute to attack fraud or call loss will be automatically blocked.

To prevent massive connection attempts or brute force attacks, you can also utilize the PBX’s inbuilt IP-Auto-Defense feature to define the allowed number of IP packets within a specific time interval. If any IP sends IP packets exceeding the limit, the system will automatically block the IP.

In the event that hackers gain access to extension credentials, they could exploit extensions to make fraudulent calls at your expense. Restricting the use of outbound calls can minimize the potential financial loss to your business when toll fraud occurs.

• Best Practice 1 

Set Rules for Outbound Calls

a. Different rules for different time periods

Hacking attempts are usually made during non-business hours, over weekends, and during holiday periods when the system is less attended. You can leverage the Time Condition feature to implement different inbound or outbound call restriction rules for different time periods to reinforce the automatic control. For example, you might create a Time Condition called “Holidays”, and disable outbound calls during holidays by applying the Time Condition to an outbound route.

b. Permission to only those who need it

Your employees perform different tasks in your company, and not all of them need to make long-distance or international calls. Consider configuring different outbound routes for different trunks (e.g. local, long-distance, and international), and assign outbound route permissions only to the users who require the use of it.

c. Password-based Authentication

Set password for outbound route to require callers to enter a PIN code before dialing out.
Only when a valid PIN code is entered can the call be routed out through the outbound route,
this avoids fraud, abuse, or misuse of calls. Beyond that, you can easily track the originator of
outbound calls for auditing or other purposes.

d. International Calls to Only Trusted Countries/Regions and Only If Necessary

If your company is engaged in international business and your employees need to make international calls, you can set up international dialing on the PBX. However, this puts your system in danger of international toll fraud and may result in significant financial loss.

To mitigate the risk, restrict country codes to allow international outbound calls only to the countries/regions that your employees need to call. In the meantime, give international dialing permission only to the extension users that are required.

e. Frequency Caps within a Given Time Period

Once hackers infiltrate your phone system, they can easily rack up tens of thousands of dollars
by making large volumes of calls. It is recommended that you limit the number of outbound
calls that extension users can make within a certain time period. When the limit is reached, any further outbound calls from the extension will be denied

f. Simultaneous Call Limit

Limiting the number of simultaneous outbound calls on SIP trunks helps meet specific licensing or billing requirements and, more importantly, prevents hackers from generating a high volume of calls over the trunks without limitation. Once the specified number of simultaneous calls is reached and a user attempts to place another call, that call will be rejected.

g. Auto Hang-up with Call Timer

Implement call duration restrictions on the whole system or on specific extension users to automatically terminate outbound calls when the specified time limit is reached. This helps
prevent potential misuse and abuse of the phone system and allows for better control over call
costs.

h. Ceiling on Telephone Bills

Telecom providers protect customers from exorbitant call costs by placing an upper threshold
on the amount of billable calls that a company is able to incur. Contact your provider to limit the amount of credit and cancel auto-refill, this will help minimize the losses caused by toll fraud, if any.

When unauthorized access is gained to SIP extensions, the potential for disruption is particularly significant. Criminals can exploit your phone system to make calls and launch other malicious attacks. Enforcing a strong password policy and placing restrictions on extension registration will help secure SIP extensions.

• Best Practice 1 

Prevent Unauthorized Extension Registration

Yeastar Phone System has a built-in account lockout policy to prevent unauthorized access to extension accounts by automatically locking out the risky accounts after a certain number of failed registration attempts from the same IP address.

Moreover, there are several options available to enhance extension registration security:

1. 1. • Use complex names and passwords for registration
      • Configure a complex authentication name that is completely different from the general default one for authentication.
      • Restrict extension registration based on user-agent strings.
      • Restrict the IP addresses from which extensions can register.
      • Restrict multiple registrations on the same extension.

• Best Practice 2

Enforce Strong Authentication & Granular Access Control for Extension Login 

Yeastar P-Series Phone System has a built-in account lockout policy to prevent unauthorized access to PBX by automatically locking out the risky accounts after reaching the maximum number of failed login attempts. Moreover, there are several options available to enhance extension login security:

1. 1. • Two-factor Authentication (2FA)
      • Single Sign-on (SSO)
      • User Roles and Permission Management

• Best Practice 3

Encrypt SIP Signaling and Media Streams

Yeastar PBX System also provides you with the choice to add a layer of encryption to phone calls and streaming media of SIP extensions. This encryption can be implemented using the two standard internet protocols:

1. • Transport Layer Security (TLS): A widely accepted cryptographic protocol that provides data security and privacy between two communicating applications. When SIP signaling is encrypted by TLS, the users’ names and phone numbers are hidden and unable to be retrieved by prying eyes and ears.
   • Secure Real-time Transport Protocol (SRTP): An RTP (Real-time Transport Protocol) profile intended to add further security measures such as message authentication, confidentiality, and replay protection to the RTP data. With SRTP enabled, the actual audio of the call and video media stream are encrypted to prevent interception and eavesdropping on phone calls.

Though a wide range of measures can be taken to protect your PBX, there is no absolute safety. If an attacker successfully infiltrates your PBX or forces your PBX to fail, you should have a contingency plan.

• Best Practice 1

Establish Real-time Monitoring, Logging, and Alert on System Events

Leverage event logging to monitor and record the anomalous operations on your PBX, and subscribe to the critical events. When something goes wrong, you can get notifications timely and quickly find out where the problem lies and work out a solution.

If you are using a Yeastar PBX system, you can realize real-time monitoring on the following two platforms:

1. 1. PBX Administrator Portal: manage a single PBX.
   2. Yeastar Remote Management: centrally monitor and manage numerous customer-premises PBXs.

• Best Practice 2

Schedule Auto Backup

1. 1. Schedule regular backups. If your PBX cannot work, you can reset it and restore configurations from the backup file to ensure a fast recovery.
   2. Store backups in external locations to prevent the risk of data loss from physical destruction or theft.
   3. Apply a backup retention policy. This helps limit the amount of historical and outdated data.

• Best Practice 3

Implement a Redundancy Solution

a. Hot Standby for on-premises PBX System (Hardware & Software-based)

Yeastar’s on-premises PBX system is equipped with the Hot Standby feature for free, which allows you to create a mirroring server pair and recover immediately when a failure occurs. To deploy the solution, you need two identical PBX servers, which should be the same in the following aspects: Product model, Firmware and hardware version, Software configuration, Local Area Network (LAN) Settings, and Hardware installation.

With Hot Standby set up, the following can be achieved:

1. 1. Fast 1 to 10 seconds of automatic recovery in the event of any failure.
   2. Shared virtual IP between the paired active and hot-standby PBX servers, which ensures a complete system switch to the standby server when the active server fails, including all IP phones and third-party integrations connected to the PBX.
   3.  Instant email notification via email or call when a failover event occurs

b. High Availablity for Cloud PBX

Reliability is not a feature of the cloud; it is a requirement. Delivered in a cluster-based environment and managed by Yeastar, Yeastar Cloud PBX services feature a high-availability redundant deployment for enhanced disaster recovery, which is not the case for many single-instance cloud deployments.

PBX instances are deployed as primary and secondary pairs, i.e. the hot standby mode, to support seamless failover. We also leverage active/active load balancing to ensure optimal resource utilization among SBC servers. These servers are all powered by Amazon Web Services and located in various regions across the globe, adding more resilience to the entire service. There are more built-in security mechanisms in place to safeguard against malicious attacks.

Yeastar Cloud PBX 30-Day Free Trial

c. Disaster Recovery

Disaster Recovery is a crucial aspect of any modern communication system. It refers to the ability to smoothly continue telephony services in the event of a disaster or unforeseen event.  Yeastar Software PBX users can create a PBX replica in a redundancy site and ensure uninterrupted telephony services in case of a primary site failure.

The geo-redundant setup boasts the following key advantages:

1. • Real-time data mirroring to the redundancy site. No data loss or manual backup is required.
   • Automatic failure detection & fallback, ensuring minimal downtime during critical situations such as natural calamities, power outages, or network failures.
   • Inbuilt SD-WAN service for secure remote server networking or bring your own VPN service
   • Instant notification by call and email for any PBX server failure or automatic failover
   • Super simple setup
   • Can be combined with PBX Hot Standby (local redundancy setup) to build a higher level of system redundancy

PBX providers can never be too careful with VoIP security. This is especially true when it comes to the system’s remote access. How to understand remote access?

For one thing, customers may request the ability to access their phone systems remotely via the Internet. Such remote connections are convenient and often necessary for frequent travelers, as well as for geographically dispersed locations or employees.

For another thing, PBX providers may need to establish a remote connection to provide remote PBX tech support, troubleshoot network problems, and resolve issues without the need to send a technician on site.

As is known, on-premises systems are often restricted to the physical office. Traditionally, to remotely access on-premises systems, PBX providers have to go through tricky PBX server and network settings, which might incur potential security risks.

Yeastar was looking for the best solution to help on-prem and software PBX users secure their remote access and ease through the configurations, and we made it. Through the innovative Yeastar tunneling services and Yeastar Remote Management tool, the remote connection is only one click away and has the least IT and security concerns.

Secure Tunneling Services for Remote Business Communications & Collaboration

• Challenge

In an attempt to offer remote access for remote and mobile users, most on-premises PBX providers will recommend Port Forwarding. But this is not a good idea at all. Port Forwarding requires tricky server and network settings. Worse yet, it risks potential attacks by opening a port on the firewall, through which threat actors can easily get full control of the phone system.

• Solution

Yeastar provides innovative tunneling service for Yeastar on-premises and software PBX, freeing you from risky port forwarding, tricky server setup, and troublesome NAT issues, so you don’t need to worry about exposing your intranet to the public, wasting time on complex deployment, or unstable call quality to happen and affect your remote business communications. The best part of that, it takes only one click for you to enjoy hassle-free and secure remote communications.

The innovative tunneling service is named differently on different Yeastar PBX series

1. 1. Linkus Cloud Service Pro (LCS Pro) for S-Series VoIP PBX
   2. Remote Access Service (RAS) for P-Series Phone System.

• How secure is the solution?

a. Separate and Private Connection

Shield your company from the potential risks of PBX network penetration and subsequent issues of toll fraud, data breaches, and cyber-attacks alike. Yeastar tunneling service provides a tunneling server as an intermediary server for data transmission between the PBX and its remote SIP endpoints. Your PBX’s IP address won’t be exposed to the public. All remote connections are direct, undercover, and double-safeguarded with account authentication.

b. Unbreakable and Impenetrable Encryption

All transmission between the PBX and the tunneling server is encrypted. Each PBX will have its exclusive encryption key. Even if the tunneling server is brought down by a hacker, it is very difficult to replace the tunneling service and get the original transmission data since the data is encrypted.

c. Per-service Remote Access Authorization

Yeastar tunneling service offers advanced access control to ensure further security. You can permit or block remote access for web access, Linkus access, SIP registrations, LDAP, and API, customize remote access authorization by extension or department, and apply IP restrictions to further secure all the remote access.

Device Remote Monitoring and Management

• Challenges

When it comes to remote support, most PBX providers will recommend either installing remote desktop software (e.g. AnyDesk and TeamViewer) on computers or doing Port Forwarding for the PBX, but both methods leave a port open, which could be easily exploited by hackers. What’s more, weak remote connections can make it easy for cybercriminals to break into the session and gain access to the customer’s computer or phone system.

• Solution

Delivered via the all-encompassing platform of Yeastar Central Management, Yeastar Remote Management allows Yeastar Partners to remotely manage and configure customer-premises Yeastar PBX systems and VoIP gateways securely.

With no Port Forwarding or VPN required, it offers encrypted device remote connection, round-the-clock remote system monitoring and alerts, and most importantly, permission-based remote system configurations. When an issue is detected on the customers’ devices, you receive notifications immediately and can take prompt actions without sacrificing system security.

More details about Yeastar Remote Management Solution

• How secure is the solution?

a. Bank-grade Remote Connection

All remote connections are HTTPS secured and conducted in an encrypted SSH tunnel to minimize network exposure and best protect the data integrity and confidentiality.

b. 2-way Connection Authentication

Connect remote Yeastar devices either by confirming the Yeastar ID on the client’s device or by verifying the once-off remote connection authentication code on the client’s device. Both authentication methods require confirmation from the client, effectively keeping the Yeastar devices from being maliciously connected and data breaches.

c. Role-based Access Control

Add colleague accounts to co-manage customers’ devices. By limiting account permissions, you can realize granular administration and ensure that access to remote Yeastar devices is restricted to authorized engineers only for maintenance operations.

d. Remote Access Timeout Mechanism

Yeastar Remote Management provides a robust timeout mechanism to limit the time of every remote Yeastar device configuration, which means that after the configured time, the URL offered to access the remote Yeastar device will become invalid and the access will be terminated.

Secure Your VoIP Communications from Today

Organizations that secure voice traffic are more resilient than those that sit idle. A reputable PBX System like Yeastar can be the assurance you need to maintain a secure calling environment.

With over  18 years of expertise in the VoIP industry, Yeastar has been engineering VoIP PBX phone systems with the right functionality, flexibility, and security that modern businesses will need for their growth. Whether you need a Cloud PBX System or a hardware/software-based phone system, you can trust us with industry-leading products and services. Contact us for an inquiry today.

Leave a Reply Cancel comment reply

Your email address will not be published. Required fields are marked *

Name *

Email *

Website

Save my name, email, and website in this browser for the next time I comment.

Comment