Business security voip

How to make your VoIP secure #fraud

VoIP securityIt’s a pretty simple process to set up your own VoIP phone system. Google “free VoIP server” and you will find links to 3CX or Asterisk. Download their free software and install it on a computer in your office. Sign up for a few SIP trunks from an Internet Telephony Service Provider (eg Timico) and you can be up and running making VoIP phone calls from your Local Area Network in an afternoon. You don’t even need to buy phones. You can download free soft phones that will run on a PC or a smart phone that will work perfectly well over WiFi. The cost is minimal. It’s as simple as that.

Except it isn’t. Now google “VoIP fraud” and you come up with over 7 million results on the subject. There are lots of high profile cases. Take the Australian business whose PBX was hacked and was hit with a $120,000 bill for 11,000 international calls in 2 days. A rogue operator selling cheap international calls was piggy backing on their system using it to forward calls from local originations in Australia without having to pay the costs.

Reality is that this isn’t specific to VoIP. It has always happened in the PBX world even in the “old ISDN days” but because systems are increasingly moving “on net” it means that we need to take new precautions. These security precautions are by and large no more than any business should be taking to protect their network assets. This post discusses what type of problems arise and the steps you should take to prevent them from happening.

How do crooks make money out of hacking VoIP systems?

There are two ways in which criminals make money out of VoIP fraud. Both involve hacking into someone’s system and using it as a proxy to:

  • Call premium rate numbers where they then earn inbound revenue share – known as revenue share fraud
  • International dialling to expensive destinations without having to pay themselves – known as toll fraud

The latter is usually sold as pre-paid low cost international calling, perhaps using calling cards. Your PBX is hacked and telephone extension routing set up to forward calls to numbers according to the type of fraud being perpetrated.

How does your system get hacked?

There are many possible ways for people to attack your system though this is largely only doable if you have elected not to take some basic security measures. Robotic IP address scanning is by far and away the most successful/prevalent. The rise of the internet has made it easy for people to find out how to hack into servers and moreover download the tools that can help them to do so.

Utilities such as SIP Vicious provide sophisticated means for detecting and penetrating a PBX when it is in active use. SIP Vicious provides four tools:

  • svmap

This SIP scanner scanner attempts to penetrate port 5060 on a firewall. Port 5060 is used by SIP systems for the voice signalling setup. Traffic hitting this port will be forwarded to the PBX.

  • svwar

Once the location of the PBX has been discovered this tool is used to collate information regarding the telephone extensions configured on the PBX.

  • svcrack

svcrack then uses brute force to perform dictionary attacks on the user account/telephone extension to discover its associated password.

  • svreport

Provides intelligence on the results of the hacking to the perpetrator. This information can then be used to log on as the user and manipulate the routing associated with that account.

For example a PBX system will normally support voicemail with multiple IVR options eg Press 1 to leave a message, Press 2 to forward to my mobile etc  One of these options will be used to programme in a route to a premium rate number or to an alternative call server at an international destination.

What can I do about it?

There are  few basic steps that you should be taking to secure your network from attack and fraudulent use. It goes without saying that you should be protecting your networked resources using a firewall. The firewall should, when sat in front of a VoIP server, have a rule set that only allows access to that server from trusted IP addresses (eg your IT department or the carrier gateways that carry the voice traffic to the PSTN) or from devices with specified static IP addresses or MAC addresses. The same applies to your rules on the PBX server itself – lock it down.

Never use the default password or pin number set by the vendor. In many cases these are simple entities such as”password” or “1234” and are often published on the web. Some open source software such as the 3CX server allows you to set the password of a VoIP account to be the same as the telephone extension of the handset. This is bad practice. Some vendors, IPCortex, for example, do not allow individuals to set their own passwords but automatically create strong passwords on the user’s behalf.

Many people use voip clients running on their mobile devices. It makes sense to protect mobile devices using a pin number for screen unlock and a Mobile Devce Management tool that can remotely kill the phone in the event that it is lost or stolen. This way at least you only lose the phone and not the thousands of pounds you may lose by inadvertently providing access to access to your PBX system.

Unused services such as voicemail should be disabled to prevent them being used fraudulently and any system patches provided by a vendor should be installed.

It’s also worth thinking about what you do with old equipment.  Perform a factory reset on a telephone handset or mobile device. This will remove any voip credentials that might allow a second hand purchaser to use the service. Remove passwords and uninstall soft client applications running on laptops. It is normally good practice to physically destroy the hard drives in such circumstances.

What can my service provider do to help?

Unless you have contracted your network security management to your telephony service provider your provider will expect you to have taken all necessary precautions to safeguard your system. As such the liability for the cost of any fraudulent calls lies with you, the user.

One way of minimising the risk is to use a prepay account with a limited spend. This is not practical for most businesses but your service provider should be taking its own steps to detect fraud. This is usually done by monitoring call patterns. If calls to certain destinations increase significantly this should alert the provider who can either contact you to determine whether the calls are genuine or to let you know that something is amiss. In extreme cases calls can be blocked first and checked for validity afterwards. This is not usually a completely real time service because there has to be some headroom for changes in call patterns. Also these attacks are often targeted over a weekend, overnight or during a holiday season when the office is closed but the PBX is still up and running. You should provide your service provider with an emergency out of hours contact for such eventualities.

To avoid the possibility of revenue sharing fraud it is quite normal for a service provider to block all calls to premium rate numbers unless you specifically request otherwise. Calls to premium rate numbers are not typically made by businesses.

Service providers also share details of numbers used in cases of fraud. The most recent show PBX hacking cases into St Kitts, Morrocco, Algeria, Senegal, Mauritania, Niger, Benin Sao Tome, Diego Garcia, Seychelles, Ethiopia, Spain, Bosnia, Nicaragua, Chile, Papua new Guinea and many others including satellite calls. There is clearly a trend.


VoIp fraud is largely not specific to VoIP but follows a pattern that has been long established in the PBX world. Failure to guard against it can result in large costs to your business. However there are some simple steps that can be taken to safeguard against this.

Trefor Davies

By Trefor Davies

Liver of life, father of four, CTO of, writer, poet,

2 replies on “How to make your VoIP secure #fraud”

I’d also add to make sure that any telephone handsets you use are secure. People sometimes attack the phones as well as the PBX.

Use up to date firmware as many security holes in phones have been closed.

Set a strong web password on the phone. Some phones have a user as well as a admin account. Set passwords on both. Ideally, protect the web interface with your firewall.

I wrote a fraud detection script on my platform about 2 years ago, surprising it has never failed to detect actual fraudulent calls. On average it is stopping and blocking calls within 2 minutes of them occurring. This is the kind of thing users should be demanding from their ITSP.

Limiting losses to prepay balance is a cop-out by the ITSP IMO.

In my experience trying to contact admins of compromised systems at 3AM Sunday morning is a fruitless exercise.

I would also echo Tim’s comments as a minimum setup requirement.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.