The Rising Threat of SIP-based Phone Hacking

By TMCnet Special Guest
Mykola Konrad, vice president of cloud and strategic alliances at Sonus Networks
  |  January 26, 2015

SIP has been billed as the future of communications, serving as the foundation for running VoIP networks and unifying communications. Its adoption has been growing steadily, up 42 percent in 2014 over 2013 and continuing to rise, according to Infonetics Research. However, as companies deploy SIP trunks, they become susceptible to hackers mounting denial-of-service-style attacks on their communications networks. The issue is hardly new, but the growing ubiquity of SIP trunking and increased computing power have recently brought it to the forefront, as the large-scale availability of SIP trunks across the world exposes new companies. The threat is imminent, and we'll see more attacks before the industry begins to understand how to handle them. To protect themselves, organizations need to start paying attention now.

The Nature of a SIP Attack

There are multiple avenues of attack through SIP, some at the IP or protocol layer and some at the voice application layer. Let’s consider the voice application aspect. If a company’s real-time communications network is exposed without proper safeguards, hackers can use PCs as a gateway to flood that network with voice or video calls. Using SIP, an attacker can target a company by building a botnet that drives a calling application over a SIP trunk to repeatedly call an 800 number. Most attackers then disguise themselves as an interconnect carrier and get paid each time a call to the 800 number originates, passes through the interconnect carrier, and terminates with another carrier. These hackers make money off the delta between the origination and termination points, but the customer receiving the bogus calls is stuck footing the bill. Not only do these persistent calls tie up phone lines and interfere with customer service, they can also cost companies exorbitant amounts of money. The Communications Fraud Control Association estimates that in 2013 fraud alone cost the industry $46.3 billion.

To prevent such a situation, it’s important for the enterprise to monitor traffic and take action quickly whenever possible. Since this kind of hacking typically originates in a handful of eastern European and African countries, watching for suspicious and unusual traffic from unfamiliar locations is a good start. As an example, take the case of a bank that started experiencing such a SIP attack. Customer service agents at the bank’s call center began receiving strange calls with no one at the other end. The calls began sparingly, not frequently enough for anyone to mention them or realize that they were becoming a regular occurrence. As the calls increased in frequency, agents began to take note. After an investigation, the carrier found the calls were originating in one primary country where the bank had no business presence. Ultimately, the problem was easily solved by blocking incoming calls from that region, and international government entities were brought in to pursue the hacker. However, the effects of the hack were far-reaching: money was lost and customer service had been slowed.

Planning Ahead

While it’s important to know how to fix a problem, ideally it’s better to prevent it in the first place. On the technology side, one of the main reasons that networks become exposed is that companies rely on old technologies to manage their security. These PBXs have been around for the past 10 to 15 years and are well known to hackers, who easily maneuver around them. Instead of relying on these, enterprises need to invest in newer, more secure technologies that can sit in front of the phone system or PBX to block attacks, and that are relatively unknown to hackers.

At the same time, carriers, especially interconnect operators, need to be vigilant about managing call traffic. They need to marry the data provided by the enterprise about where its traffic is expected to come from with the call data they have been gathering, analyze the combined picture, and share their findings. Should they recognize suspect activity, they can work together to determine an appropriate strategy, such as blocking calls coming from suspect countries or regions like Serbia, Russia, and Zimbabwe. Though this sounds like a simple solution, it is much more difficult to achieve than expected. Most of these carriers work in silos and do not have the strategic business discussions they need to stay ahead of such security issues.
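The monitoring described in the bank case and in the paragraph above, expressed as a small detector, is shown here as an added example; it is not code from the article or from Sonus Networks. It assumes the enterprise has exported call detail records (CDRs) from its SBC or PBX in a simple comma-separated form and has told its carrier which countries it expects inbound traffic from. The CDR lines, the country code `XX` (a placeholder for a country where the enterprise has no business presence) and the `+999` calling numbers are all constructed for the example.

```python
"""Flag inbound SIP-trunk traffic that matches the pattern in the article:
a rising number of short or silent calls from a country the enterprise does
not expect to hear from. Added example, not part of the original article."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample CDRs (not real data): timestamp, calling number,
# called 800 number, originating country (ISO 3166 alpha-2), duration in
# seconds. "XX" is a placeholder country; its calls are silent (zero length)
# and grow day over day, mirroring the bank case in the article.
SAMPLE_CDRS = """\
2015-01-19T09:00:12Z,+14155550101,+18005550199,US,184
2015-01-19T09:07:44Z,+14155550102,+18005550199,US,95
2015-01-19T10:15:03Z,+9995550001,+18005550199,XX,0
2015-01-19T14:30:21Z,+442075550123,+18005550199,GB,240
2015-01-20T08:45:10Z,+14155550103,+18005550199,US,60
2015-01-20T09:12:00Z,+9995550002,+18005550199,XX,0
2015-01-20T09:12:05Z,+9995550003,+18005550199,XX,0
2015-01-20T11:02:19Z,+14155550104,+18005550199,US,310
2015-01-21T09:00:00Z,+9995550004,+18005550199,XX,0
2015-01-21T09:00:02Z,+9995550005,+18005550199,XX,1
2015-01-21T09:00:04Z,+9995550006,+18005550199,XX,0
2015-01-21T09:00:06Z,+9995550007,+18005550199,XX,0
2015-01-21T09:30:45Z,+14155550105,+18005550199,US,150
"""

# Countries the enterprise told its carrier to expect traffic from (assumed).
EXPECTED_COUNTRIES = {"US", "GB"}
# Calls at or below this length are treated as "nobody at the other end".
SHORT_CALL_SECONDS = 2


@dataclass(frozen=True)
class Cdr:
    ts: datetime
    caller: str
    callee: str
    country: str
    duration: int


def parse_cdrs(text):
    """Parse the constructed CDR format into Cdr records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, caller, callee, country, duration = line.split(",")
        records.append(Cdr(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           caller, callee, country, int(duration)))
    return records


def country_stats(cdrs):
    """Per-country totals: call count, short-call count and calls per day."""
    stats = defaultdict(lambda: {"calls": 0, "short": 0, "per_day": defaultdict(int)})
    for c in cdrs:
        s = stats[c.country]
        s["calls"] += 1
        if c.duration <= SHORT_CALL_SECONDS:
            s["short"] += 1
        s["per_day"][c.ts.date()] += 1
    return stats


def is_rising(per_day):
    """True when the daily call count strictly increases across the window."""
    counts = [per_day[d] for d in sorted(per_day)]
    return len(counts) >= 2 and all(b > a for a, b in zip(counts, counts[1:]))


def suspect_countries(cdrs, expected=EXPECTED_COUNTRIES, min_calls=3, short_ratio=0.8):
    """Countries outside the expected set whose traffic is mostly short
    calls and is growing day over day. Thresholds are illustrative."""
    suspects = []
    for country, s in country_stats(cdrs).items():
        if country in expected or s["calls"] < min_calls:
            continue
        if s["short"] / s["calls"] >= short_ratio and is_rising(s["per_day"]):
            suspects.append(country)
    return sorted(suspects)


def should_block(cdr, blocklist):
    """Policy check an SBC would apply to a new inbound call."""
    return cdr.country in blocklist


if __name__ == "__main__":
    records = parse_cdrs(SAMPLE_CDRS)
    for country, s in sorted(country_stats(records).items()):
        print(f"{country}: {s['calls']} calls, {s['short']} short")
    print("suspect origins:", suspect_countries(records))
```

The per-day trend check is what separates the bank's slowly ramping attack from a one-off burst of wrong numbers, and the short-call ratio is what separates silent fraud traffic from legitimate customers in an unexpected country; both thresholds would be tuned against the enterprise's own baseline before any origin is actually blocked.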

With the current growth of SIP, these phone system attacks will become more mainstream unless the industry takes steps to make changes. With a little investment and collaboration, enterprises can be a step ahead of these attackers.

Mykola Konrad is vice president of cloud and strategic alliances at Sonus Networks

Edited by Maurice Nagle