Skip to main content

There is one device that is found on almost every desk in a company and that is rarely (and erroneously) considered a security threat: the VoIP phone.

Never underestimate the ingenuity and effort that thieves can channel into their “work. If criminal experts learn of unspeakable wealth stored in a bank vault, they won’t be discouraged by a six-inch steel door, alarms and CCTV systems; somehow they will find a way to act. Even if this means drilling several meters of concrete during a weekend. With this metaphor, which can easily be adapted to businesses, Jabra begins its reflection on the current cyber security scenario. Cybercriminals are just as skilled and determined as their colleagues in the offline world; if they know that there is valuable data to steal, they will use the most subtle and ingenious methods to bring the result home.

Organizations can spend millions of dollars protecting their networks with the best software and security systems, but while these solutions can certainly counter the most “direct” attacks, they also force hackers to be more creative and analyze their goals to discover weaknesses to take advantage of.

This approach has contributed to an unprecedented increase in cybercrime, which in 2016 cost businesses $388 billion. And while companies defend themselves against more traditional methods, such as malware and intrusions through social networks, criminals diversify their tactics. The next battle in the ongoing war for security will be centred on devices that, thanks to the Internet of Things, proliferate at an astonishing rate. And there’s a device on almost every desk, an object that’s rarely considered a security threat: the simple phone.

In general, people tend not to think of telephony as a realistic attack vector for hackers, especially as they forget that today’s devices are certainly not comparable to the analog devices of past decades. An IP-based phone is a fully-fledged sophisticated processing device, with network software and connectivity that can easily provide an opportunity for hackers looking for “perfect vulnerability”.

If this is alarming, to further increase fears, we must also consider a recent research by F5 Networks focused on the series of cyber attacks that hit companies in Singapore in June this year.

Analysts have found that almost 90% of “malicious” traffic (originating in Russia) was specifically directed to VoIP telephones, coinciding with the Trump-Kim summit. Evidence shows that with attacks on these devices (models typically found in hotels where high-level delegates stay) hackers would be able to intercept some of the most sensitive conversations imaginable.

Specialist companies that implement VoIP telephones could pretend nothing and ask themselves why the tactics of this “cold war” carried out by hackers should be of interest to them as well. The answer is that hackers have made their bones by targeting people and businesses of great value. Once a technology or technique has been proven to the detriment of “valuable” victims, hackers can test it in other areas, but they can also sell this know-how and developed tools on the Dark Web. So even though IP is not yet a major attack vector for today’s cybercriminals, it would be crazy to imagine that IP telephony is not a vulnerability that will be targeted and exploited in the near future.

Any company conducting conversations focused on sensitive data must protect incoming and outgoing calls from those who are just waiting to steal anything of value, from trade secrets to customer credit card numbers. The solution is surprisingly simple and focuses on removing the key vulnerability exploited by hackers: the connection between a wireless headset and its base station.

These last few centimetres are easy to overlook, which is why they are such an attractive target for cybercriminals. If they can access this connection, hackers will have an easy time intercepting any potential secrets or parts of sensitive information from telephone conversations.

That’s why organizations that take security seriously should choose telephony hardware with secure encryption, authentication, and secure pairing between the device/headset and the base unit, like the new Jabra Engage headset. This means that an unpaired drive (like the one developed by a hacker a few tens of meters from the office) cannot access the connection and then intercept the conversation.

The combination of the base station and the device is not new, but the latest standard is “assisted physical pairing”. This occurs when the headset is inserted into the base unit, and when a secret connection key is created to connect it. Similarly, authentication has been in use for a long time, but security standards can vary enormously, which is why security companies should focus on headset/basic unit pairing.

Many headsets with Digital Enhanced Cordless Telecommunication (DECT) have some form of authentication and encryption, but these are often limited standards. Basic encryption can reject an improvised hacker, but to be completely secure an organization needs the highest standard:

ideally, military technology such as 256-bit Advanced Encryption Standard (AES) encryption, which provides a line of defense that goes beyond the Security Level C of the DECT system.

Unlike many online defense technologies, secure telephony is not difficult to implement. It requires little or no ongoing management – all it needs is threat awareness and the willingness to install a secure solution while upgrading the telephony infrastructure. Of course, secure telephony will not prevent hackers from testing other parts of cyber defenses. However, a ‘door open’ will close.

Translated by:  LUBEA News on-line

Date: 2018 – 07 – 31

Written by: Francesco Destri