The Role of Encryption with VoIP

Posted on: 2018-03-13 | Categories: SIP

It is hard to avoid the subject of security when talking about any enterprise technology. With security breaches making headlines almost every day, organizations are concerned about securing their networks. Much of the public spotlight falls on securing data from unauthorized access. High-profile incidents in the past have demonstrated the ease with which criminals gain access to corporate networks. Encryption with VoIP can help with this.

Threat Model for VoIP Phones

Enterprises appear to be less concerned about their phone systems. Part of the reason is that few people have extensive experience with VoIP, as compared to traditional PBX tools. The threat model for the PSTN is also very different from that of the phones we use today.

There are four main ways to eavesdrop on traditional landlines. The easiest is to listen to conversations using an extension on the same line. The second method is to use eavesdropping equipment anywhere along the phone line. The third option is to get access to the main telephone switch. This route is often used by law enforcement officials, and most countries have legislation for this specific purpose. The final method is to eavesdrop on the main trunk lines.

Many people assume that VoIP phones face the same threats. That could not be further from the truth. VoIP phone systems route voice calls over data networks, just like email. This means that the threat model for VoIP has more in common with IP networks than with the PSTN. Eavesdroppers can listen to conversations from anywhere in the transmission path. VoIP endpoints (handsets, computers, and mobile devices) are vulnerable as well.

VoIP data packets travel over corporate data networks, through undersea backbone cables, and over the unsecured Internet. Any person or organization in the transmission path can intercept the data packets. This includes Internet service providers, corporations, and criminals who hack their way into those computers. After the Snowden revelations, we know that governments can and do eavesdrop on conversations as well.

The Role of Encryption

Encryption plays an important role in securing enterprise VoIP systems. Your voice calls are vulnerable to interception at multiple points by various entities. Some phone calls will be innocuous – customer service calls, tech support calls, routine sales calls, etc. But many phone calls involve confidential or sensitive business data. All that information is available to anyone with technical know-how, appropriate access (legal or otherwise), and the right equipment.

Encrypting your voice calls means that intercepting calls is a waste of time for anyone. Without the correct decryption keys, hackers will only hear gibberish. They won’t have a way of getting the data they were after. Encryption offers pretty good value for any business. You have a reasonable guarantee that all conversations remain confidential between the parties involved.

However, not all service providers offer encryption and not all clients insist on it. Why? Encryption demands a price. Encrypting all your phone calls puts an additional burden on your bandwidth, and since bandwidth is expensive, organizations have a strong incentive to ignore security concerns. Encryption can also increase latency and decrease packet transfer speeds. It is hard enough to direct data streams across firewalls and routers, and encryption adds another layer of complexity to the network.

Encryption Won’t Solve All Your Security Problems

On the one hand, we have organizations that pay little attention to encryption. On the other hand, we also have providers that tout encryption as the only solution you will need. It is important to keep in mind that encryption will not secure your phone calls completely.

Even with encryption in place, criminals can use several other methods to get into your network and steal data. For instance, no amount of encryption can prevent viruses or Trojans on your computers from recording phone calls placed on the machine. If an employee leaves their account credentials in plain sight, anyone can access their account and make changes. Hackers can log legitimate users out of their own accounts and prevent administrators from tracking their footsteps.

Similarly, your phone system is vulnerable to Distributed Denial of Service attacks. Hackers can get access to other parts of your network through the IP PBX. In such an attack, encryption protects your phone calls but not your other corporate data. Any current or former employees who have physical access to servers can also access confidential data.

Criminals can perpetrate telecom fraud by making unauthorized or even spam calls from your system to international numbers. Companies have become liable for thousands of dollars' worth of unauthorized phone calls made over a weekend. Encryption is of no help in any of the above scenarios.
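
As an added illustration (not part of the original article), the weekend toll-fraud pattern described above can be caught by reviewing call detail records for international calls placed outside business hours. The CDR layout, dialing prefixes and alert threshold below are assumptions, and the sample records are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDR export: start time, extension, dialed number, seconds.
SAMPLE_CDR = """\
2018-03-09 10:15:00,101,+12025550143,300
2018-03-09 14:02:00,102,+442079460000,600
2018-03-10 02:11:00,104,+3725550100,1800
2018-03-10 02:43:00,104,+3725550101,1750
2018-03-10 03:20:00,104,0113725550102,1900
2018-03-11 01:05:00,104,+3725550103,2100
2018-03-11 11:30:00,103,+12025550199,120
2018-03-12 09:40:00,102,+442079460001,900
"""

HOME_PREFIXES = ("+1",)                  # assumption: North American deployment
INTL_DIAL_PREFIXES = ("+", "011", "00")  # E.164 plus common international access codes
BUSINESS_HOURS = range(8, 19)            # assumption: 08:00-18:59, Monday to Friday
MAX_OFF_HOURS_MINUTES = 30               # assumed per-extension alert threshold

def is_international(number):
    """True if the dialed number leaves the home country."""
    if number.startswith(HOME_PREFIXES):
        return False
    return number.startswith(INTL_DIAL_PREFIXES)

def is_off_hours(start):
    """True on weekends or outside business hours on weekdays."""
    return start.weekday() >= 5 or start.hour not in BUSINESS_HOURS

def find_toll_fraud_suspects(cdr_text):
    """Return {extension: (calls, minutes)} for off-hours international usage over the threshold."""
    minutes, calls = defaultdict(float), defaultdict(int)
    for row in csv.reader(StringIO(cdr_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, ext, dialed, secs = row
        start = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if is_international(dialed) and is_off_hours(start):
            minutes[ext] += int(secs) / 60
            calls[ext] += 1
    return {ext: (calls[ext], round(minutes[ext], 1))
            for ext in minutes if minutes[ext] > MAX_OFF_HOURS_MINUTES}
```

Running `find_toll_fraud_suspects(SAMPLE_CDR)` flags only extension 104, whose calls fall on the Saturday and Sunday; the weekday international calls from extension 102 stay below the alert.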

In the end, it boils down to the simple fact that organizations need to treat VoIP systems on a par with other computing infrastructure. The precautions that work for securing computers, mobile phones, servers, and other network equipment are needed for VoIP as well. Businesses have to secure their equipment, data, and transmissions at all times.