The buzz in the telecommunications space is that VoIP is the end-all for seamless communications, but the hype surrounding the benefits often overshadows some real threats that exist. This is not to suggest that companies should avoid VoIP solutions, as the benefits are indeed significant. Instead, it’s simply important that IT managers have a realistic view of what could happen and how to make sure their systems stay protected.  

A recent Telecom Tech News post highlighted some of the vulnerabilities that exist with VoIP. Hackers know about these vulnerabilities and will go after them for profit. The biggest culprits involve three-way calls and call transfers. Hackers have the ability to inject call signals into the network, essentially hijacking calls. Service providers track the usage, but then have no one to bill.

Unfortunately, it’s rather simple to modify the setup of existing calls. Anyone who understands VoIP can easily make adjustments that mask calling activity from the service provider, meaning lost revenue. Until VoIP technology commands are sent with encryption requiring authorization, this vulnerability may continue to exist.

While these threats do exist and the vulnerabilities are inherent – just like anything else over the public Internet– it doesn’t mean that service providers have to be sitting ducks. For example, service providers can encrypt commands and signaling across the network. The challenge, of course, is that the process does incur an additional cost and it may cause performance issues.

A less intrusive approach is to introduce active VoIP policy controls in front of the call session control function (CSCF). As a gateway solution, it can block or challenge call control messages to prove authenticity before they are passed along to the CSCF. For this process to work successfully, service provider policy gateways have to easily adapt their methods to constantly evolving techniques and security threats.

VoIP switch vendors must be able to provide the reporting tools that allow for tracking and the identification of threats that currently exist. Such tools need to be configured so detect activity that may put the service provider or its customers at risk. VoIP fraud is big business in criminal sects around the world, and a lack of tracking at any time can leave a security gap big enough to draw in millions in stolen revenue.

The end user is generally unaffected by such intrusions, thus the service provider owes it to themselve to put systems in place to help recognize when they occur.