How to know if your Communication Network is Hacked

Pradeep Vasudev
Published in ASSERTION
Apr 7, 2020

In 2017, nearly 46% of all illegal calls made globally involved VoIP (Voice over Internet Protocol).

If you are responsible for the communications security of an enterprise, this is alarming. VoIP is now a hugely popular technology with a large user base (there were nearly 1 billion mobile VoIP users in 2017).

Communication systems, even with today’s technological advancements, are never one hundred per cent secure. And now, because of Covid-19, remote workers are becoming the norm overnight, which dramatically increases the possibilities of a network being hacked.

One security measure that organizations implement to limit these risks is a Session Border Controller (SBC), a network element that secures VoIP-based communication implemented using SIP (Session Initiation Protocol). But SBCs are not a one-stop solution that completely eliminates VoIP hacks. SBCs, much like firewalls, are susceptible to misconfiguration and to sustained or sporadic attacks, and they need regular monitoring and updates. Organizations are susceptible to threats like toll fraud, snooping/eavesdropping, data leaks and identity theft, even with an SBC in place.

And these are serious threats. Toll fraud alone is, in fact, a multi-billion dollar liability worldwide. In 2012, Albany-based consulting firm American Energy Care received a phone bill of $200,353, which for them was completely unusual. Investigation showed they were victims of toll fraud, where hackers used their communication network to make phone calls to premium rate numbers. This type of fraud cost victims $4.73 billion globally that year.

Modern Solutions to Modern Threats

The need for unified communications security is critical in today’s complex communication environment within enterprises. Collaboration security is a matter of securing each individual communication technology and device within the enterprise, as every element within the network is susceptible to attacks.

There are many steps you can take to analyze the state of the SBC and VoIP network of your enterprise. The following 5 signs are an indication of a compromised SBC or VoIP network:

5 Questions that can tell you if you’ve been hacked

1. Are you regularly noticing erratic call performance and behavior?

An SBC regulates the quality of calls through features like rate limiting, resource allocation, media transcoding / encryption, etc. In an ideal scenario, VoIP communication should not be distorted/choppy, and the performance and quality should be consistent. Occasional distortion can, of course, be expected, but sudden and constant erratic behavior in performance and quality can be signs of a compromised VoIP system or SBC. A call trace through sniffing the signaling packets, injection of unwanted packets into the signaling or media stream or real-time media snooping, for example, can result in poor call quality.

2. Are you seeing irregular data usage, call history or billing patterns?

In 2019, a Pune-based company noticed that their factory telephone bill had spiked by over INR 1 million. What went wrong? Investigation showed that their phone network was hacked and the attackers used the firm’s network to make calls to premium-rate telephone numbers in Gambia, Somalia and the Maldives. A classic example of toll fraud.

The firm had SBCs in place, but the hackers had undertaken a long-term brute-force approach. Using a third-party SIP client, they had made registration attempts to a single station. To avoid getting blocked by Session Manager, the hackers would back off after every 2 attempts. This had continued for weeks and finally, the hackers had broken in. Unfortunately, because the company had allowed unlimited outbound / international calls, the hackers could dial out to the premium rate numbers and defraud the company.
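The back-off pattern described above is visible in registration logs once failures are counted over days rather than minutes. The following is an added example, not code from the original article or from any SBC vendor: the log format, the addresses, the extensions and the lockout threshold of 3 failures in 10 minutes are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real SBC's): one line per REGISTER outcome
# after the digest challenge, so "fail" means wrong credentials were sent.
LINE = re.compile(r"(\S+) REGISTER src=(\S+) ext=(\d+) auth=(ok|fail)")

def sample_log():
    """Constructed data: a slow attacker on 4012 and a user mistyping on 4020."""
    start, lines = datetime(2020, 3, 1), []
    def add(ts, src, ext, result):
        lines.append(f"{ts.isoformat()} REGISTER src={src} ext={ext} auth={result}")
    for i in range(40):                      # two tries every 6 hours for 10 days
        for sec in (0, 5):
            add(start + timedelta(hours=6 * i, seconds=sec), "203.0.113.7", 4012, "fail")
    typo = start + timedelta(days=2, hours=9)
    for sec in (0, 20, 40):                  # three quick typos, then success
        add(typo + timedelta(seconds=sec), "198.51.100.20", 4020, "fail")
    add(typo + timedelta(seconds=60), "198.51.100.20", 4020, "ok")
    return lines

def failures_by_ext(lines):
    """Group failed registrations as {extension: [(timestamp, source), ...]}."""
    fails = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4) == "fail":
            fails[m.group(3)].append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return fails

def burst_lockout(lines, limit=3, window=timedelta(minutes=10)):
    """Extensions a short-window lockout would trip on (limit failures in window)."""
    hit = set()
    for ext, events in failures_by_ext(lines).items():
        ts = sorted(t for t, _ in events)
        if any(ts[i + limit - 1] - ts[i] <= window for i in range(len(ts) - limit + 1)):
            hit.add(ext)
    return hit

def slow_bruteforce(lines, min_failures=20, min_days=5):
    """Extensions with many failures spread across many distinct days."""
    found = {}
    for ext, events in failures_by_ext(lines).items():
        days = {t.date() for t, _ in events}
        if len(events) >= min_failures and len(days) >= min_days:
            found[ext] = (len(events), len(days), sorted({s for _, s in events}))
    return found
```

On this sample the short-window rule trips only on the user who mistyped a password, while the multi-day count flags only the station under sustained attack.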

We know of other cases where phone hackers found their way into the network and kept milking it steadily — bills in the company went up slowly, month over month, so hardly anyone noticed it. One company had been taken for over half a million dollars over a one-year period. The good news, if it can be called that, was that these hackers had only focused on toll fraud — they could’ve used the hack as a jumping off point for lateral attacks.

VoIP systems and SBCs provide a good amount of analytics on network data usage (number of calls made, minutes per call, data packets transferred, etc.). You can analyze this call and communication history to find irregularities, which are a tell-tale sign of a hacked VoIP channel. Compare current and past traffic in order to detect irregularities or to identify a call or communication that was not made from company personnel.
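The comparison of current and past traffic can be sketched as follows, including the slow month-over-month growth described earlier. This is an added example, not part of the original article: the cost figures are constructed, and the destination classes, the four-month known-good baseline and the 25% threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

def sample_costs():
    """Constructed monthly call costs per destination class (not real billing data)."""
    rows, fraud = [], 100
    for month in range(12):
        rows += [(month, "domestic", 900), (month, "international", 100)]
        if month >= 4:                      # fraud starts small, grows ~20% a month
            rows.append((month, "premium-rate", fraud))
            fraud = fraud * 12 // 10
    return rows

def monthly_totals(rows):
    """Total bill per month, in month order."""
    totals = defaultdict(int)
    for month, _, cost in rows:
        totals[month] += cost
    return [totals[m] for m in sorted(totals)]

def month_over_month(totals, jump=0.25):
    """Months whose bill exceeds the previous month's by more than `jump`."""
    return [m for m in range(1, len(totals))
            if totals[m] > totals[m - 1] * (1 + jump)]

def against_baseline(totals, baseline_months=4, jump=0.25):
    """Months whose bill exceeds the median of a fixed known-good period by `jump`."""
    base = median(totals[:baseline_months])
    return [m for m in range(baseline_months, len(totals))
            if totals[m] > base * (1 + jump)]

def new_destinations(rows, baseline_months=4):
    """First month of each destination class the baseline period never used."""
    known = {dest for month, dest, _ in rows if month < baseline_months}
    first = {}
    for month, dest, _ in sorted(rows):
        if dest not in known:
            first.setdefault(dest, month)
    return first

if __name__ == "__main__":
    rows = sample_costs()
    totals = monthly_totals(rows)
    print("month-over-month alerts:", month_over_month(totals))
    print("fixed-baseline alerts:  ", against_baseline(totals))
    print("new destinations:       ", new_destinations(rows))
```

A check against the previous month never fires on this data because each step is small; the fixed baseline fires once the accumulated growth passes the threshold, and the new-destination check fires in the first month of abuse.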

3. Do you see sudden one-way talk path issues?

A one-way talk path issue is when one call participant can hear clearly while the other cannot. This happens when the voice call connection is successfully made but packets move only in one direction, so one participant can hear while the other cannot (or sometimes there is no packet flow at all, leaving both participants unable to hear each other). While infrequent one-way talk path issues may occur in a VoIP setup, a sudden onset of frequent one-way talk path issues could be a sign of a compromised SBC or VoIP network. A hack like a call hijack, BYE suppression or a sniffing attack can result in packet loss, which will manifest as a one-way (or no-way) talk path issue.

4. Does your webcam or microphone automatically switch state?

Here is a photo of Mark Zuckerberg at the office.

He looks happy, making his billions. Also notice that his laptop’s microphone jack and camera are taped over. If one of the richest men in the world tapes over his laptop camera and mic, there must be a good reason for it. And the reason is: laptop cameras and mics can be remotely hacked.

In the case of your communications network, if the webcam or microphone of your computer on which calls are being made (via softphone application software), or the microphone of your VoIP phone automatically switches on, it’s a clear sign of either a hacked computer or a hacked VoIP network. Normal softphones do not auto-switch on/off any device or feature without manual authorization.

5. Does your log show suspicious SIP sessions?

Analyzing SIP sessions is a great way to flush out hacks. A regular SIP session should look like:

Any irregular entry (as highlighted in the image below) in the SIP session logs is an indicator of a compromised VoIP network or SBC. The following image shows an example of a log entry in case of a call trace that is performed via RTP:

Securing VoIP and the SBC

Security is not a one-time activity, but a consistent on-going task. Attacks can be prevented by taking the following security measures:

  • Regularly update all firmware and software pertaining to SBC systems.
  • Limit admin access to core security team members for added security.
  • Regularly monitor and audit call and session logs for discrepancies.
  • Implement network, VoIP and SBC monitoring tools that provide real-time alerts.
  • Educate employees who use VoIP to look for signs of compromise.
  • Implement additional security barriers like blacklisting/whitelisting of premium-rate numbers and sanctions-barred countries.
  • Enforce strong authorization passwords on all VoIP devices.
  • Separate VoIP and data network for added security and ease of troubleshooting.

While you cannot actually guarantee absolute protection from threats, with consistent effort and best practices, you can ensure maximum security of all enterprise-level messaging collaboration devices and technology.

Two things to focus on:

  • Ensure that your SBCs are configured well, and the configuration is maintained
  • Regularly review your system logs to identify ongoing attacks or odd system behavior (which might be indicators of compromise)

Talk to your Avaya Account Manager about Assertion’s SBC Security Solution, an automated solution that tells you if you are secure or if you’ve been hacked. Delivered to you by Avaya, Assertion’s SBC Security Solution scans your SBCs (Oracle, Audiocodes, and Avaya) and immediately identifies configuration flaws that leave you vulnerable to hackers. It also constantly scans your logs to identify suspicious patterns, alerting you, giving you the opportunity to act and prevent or mitigate attacks. Learn more at www.assertion.cloud/sbc.
