Security in VoIP communication

Snom's understanding of security


Snom is a security-conscious VoIP manufacturer and permanently focused on ensuring the highest level of security for all our offered devices and solutions. This is also reflected in the fact that Snom has been a member of the German Federal Association "TeleTrusT IT Security" since June 2016.

Thanks to the restructuring of our firmware update development procedures, we are able to release at least 4 updates per year. This enables us not only to expand our functionality, but also to proactively address any potential security vulnerabilities in advance.


Our security concept includes:

  • After you have assigned a user to a new phone, it automatically switches to "HTTPS Only" mode so that all further communication is SSL secured.
  • We generally work with the latest TLS version.
  • We support 802.1x authentication.
  • We offer an OpenVPN client.
  • We support all common secure protocols, such as SIPS, SRTP, and many more.
  • We use the Mozilla "Trusted CA" collection and update the list with every firmware update.
  • Besides the possibility to use the Snom certified CA and the corresponding key on each phone, you can also easily import your own certificates.
  • A special highlight is the possibility to authenticate not only the telephone on the server, but also the server on the telephone.

Security in the era of VoIP

 

When thieves want to break into a house, they usually carry out their own risk assessment beforehand:

Is anyone home?

How difficult will it be to open closed doors or windows?

Is there an alarm system and if so, how easily can it be switched off?

 

If the expected value of the items they want to steal from the house outweighs the risks of breaking in, they decide to go ahead. When hacking a business telephone system, the principles are similar, but the scale is different.


With the global VoIP market forecast to be worth $93.2 billion by 2024, hacking and exploiting phone systems (known on the scene as "cracking") is fast becoming a lucrative endeavour for suitably skilled cybercriminals. With the value of these ill-gotten gains increasing exponentially each year, it is imperative for everyone in the industry, including network operators, service providers, system integrators, IT administrators/users and, of course, the hardware and software vendors and manufacturers themselves, to prioritise and improve network security.

It is not only the growing global market share of IP telephony that offers hackers an attractive target, but also the change in business behaviour.

And with the shift to remote working happening faster than originally predicted, the proliferation of BYOD (the practice of bringing your own device and using it in the company) and companies increasingly moving to all-IP solutions, the market is not only growing, it is changing rapidly. And where there is change, there is also uncertainty and unpredictable developments that provide fertile ground for those criminally inclined to exploit any opportunity that presents itself.

 

But how do they do it?
What are the most common methods used by criminally inclined and technically skilled hackers (crackers)?
What happens during a break-in?

 

To gain access to a telephony system, crackers need the password of the device they are targeting. To get this password and successfully compromise an IP PBX system, the hackers identify an IP extension on the network and then bombard this device with different passwords in the hope that one of them is correct. This sounds pretty futile, but many users do not change their default passwords. Also, hackers can send thousands of passwords to an extension in a matter of minutes. In many cases, it doesn't take long for the hackers to guess the right password and log into the IP-PBX system. Or they find vulnerabilities in a system so that they can bypass or overwrite the password requirements, or they use phishing methods, e.g. by posing as an IT administrator, to obtain passwords.
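The password-guessing pattern described above leaves a recognisable trace in registration logs. The following is an added example, not Snom code: it flags sources that produce a burst of failed logins and notes when such a burst ends in a success. The log format, threshold, and window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format is an assumption for this example:
# timestamp, source IP, targeted extension, authentication result.
SAMPLE_LOG = """\
2024-05-01T09:00:00 192.0.2.10 105 fail
2024-05-01T09:00:08 192.0.2.10 105 ok
2024-05-01T09:05:00 203.0.113.7 201 fail
2024-05-01T09:05:02 203.0.113.7 201 fail
2024-05-01T09:05:04 203.0.113.7 201 fail
2024-05-01T09:05:06 203.0.113.7 201 fail
2024-05-01T09:05:08 203.0.113.7 201 fail
2024-05-01T09:05:10 203.0.113.7 201 fail
2024-05-01T09:05:12 203.0.113.7 201 ok
2024-05-01T09:10:00 198.51.100.4 300 fail
2024-05-01T09:15:00 198.51.100.4 300 fail
2024-05-01T09:20:00 198.51.100.4 300 fail
"""

def detect_guessing(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: {"peak": max failures inside one window,
    "breached": extensions that logged in during an active burst}}."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, src, ext, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        failures = recent[src]
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result == "fail":
            failures.append(ts)
            if len(failures) >= threshold:
                alert = alerts.setdefault(src, {"peak": 0, "breached": []})
                alert["peak"] = max(alert["peak"], len(failures))
        elif result == "ok" and src in alerts and failures:
            # A success right after a flagged burst suggests a guessed password.
            alerts[src]["breached"].append(ext)
    return alerts

if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_LOG).items():
        print(src, info)
```

A single mistyped password followed by a success, or slow failures spread over many minutes, stay below the threshold; only the rapid burst is reported.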

Unfortunately, the number of threats to networks is increasing, and a cursory search reveals an ominous list of malicious attacks such as

  • "Brute Force",
  • "Man in the Middle",
  • "DDoS" (Distributed Denial of Service) and
  • "Spoofing",

all of which pose a serious threat to unsecured communication.

Once a cracker has access to the system, there are many ways to bring down the IP telephone network and potentially deprive the company of large sums of money. One of the most common, and indeed most damaging, attacks involves professional criminals connecting an entire call centre to the compromised network port and rerouting thousands of calls through that one port in a short period of time. Depending on how the IP PBX routes its calls and how regularly the company receives its bills, this activity can go on for months before it is discovered, driving up the phone bill astronomically.
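Because this kind of fraud pushes many calls through a single account at once, it can be spotted in call detail records long before the bill arrives. The following is an added example, not Snom code: it computes the peak number of simultaneous calls per extension and flags any extension that exceeds what one handset plausibly carries. The CDR layout and the limit of two concurrent calls are assumptions, and the records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call detail records; the column layout is an assumption.
CDR_CSV = """\
start,extension,duration_s
2024-05-01T09:00:00,105,120
2024-05-01T09:02:00,105,60
2024-05-01T02:00:00,201,600
2024-05-01T02:00:05,201,600
2024-05-01T02:00:10,201,600
2024-05-01T02:00:15,201,600
2024-05-01T02:05:00,201,30
"""

def peak_concurrency(cdr_text):
    """Return {extension: highest number of calls active at the same time}."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.fromisoformat(row["start"])
        end = start + timedelta(seconds=int(row["duration_s"]))
        events[row["extension"]] += [(start, 1), (end, -1)]
    peaks = {}
    for ext, evs in events.items():
        active = peak = 0
        # Tuples sort by time, then delta, so a call ending at time T is
        # closed (-1) before another call starting at T is opened (+1).
        for _, delta in sorted(evs):
            active += delta
            peak = max(peak, active)
        peaks[ext] = peak
    return peaks

def suspicious_extensions(cdr_text, max_calls=2):
    """Extensions whose peak concurrency exceeds the assumed per-handset limit."""
    return sorted(e for e, p in peak_concurrency(cdr_text).items() if p > max_calls)

if __name__ == "__main__":
    print(peak_concurrency(CDR_CSV))
    print(suspicious_extensions(CDR_CSV))
```

Running this check daily against the PBX export shortens the detection window from a billing cycle to hours.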

While this is the primary approach for crackers and fraudsters to exploit a poorly protected system, weak passwords and a lack of encryption in an IP PBX infrastructure can also open the door to other types of malicious activity. For example, the computerised structure of IP telephony makes it much easier than with landline phones to surreptitiously record internal conversations. Instead of having to install a physical device, calls can simply be recorded with the right software. Often this type of threat comes from an employee within the company, making it difficult to protect against. If a company is using an unencrypted VoIP protocol, there is no barrier to prevent calls from being recorded. Even if the threat does not come from an employee or from outside groups with an interest in recording a company's phone calls, a Trojan could be used to install the recording tool. It gets even worse if the phone is used to penetrate the company network and, with it, the entire server structure, like a burglar entering a house via the basement.

 

 

 

Read an interview with our VoIP specialist "Luca Livraga" on the topic of VoIP security.

So what is Snom doing to ensure the security of the phones?

We have hosted our servers in Frankfurt, where the data protection regulations are particularly strictly adhered to. We run the Secure Redirection and Provisioning Service (SRAPS), which acts as an additional security measure. We also support SRTP (audio encryption), TLS server authentication of course and, last but not least, password protection for each of our end devices.

In addition, with our unique Automatic Test Framework (ATF), we continuously test our phones in real PBX environments around the clock to eliminate security issues before they arise. This ensures that Snom's highest security standards are met at all times.

In addition to the non-stop ATF security and software check, we offer users a comprehensive overview of implementing security and data protection measures on our Service Hub (service.snom.com). Topics covered include port authentication via 802.1x, Dynamic Blacklist Check, DECT Encryption, TLS support and embedding Snom devices in a VPN.

Other topics include automatically provisioning VPN on a desk phone, preventing unauthorised or unqualified access to the phone interface and much more to provide users and administrators with a comprehensive step-by-step guide to ensure the security of Snom phones in any telephony environment.

Ultimately, Snom as a manufacturer and supplier can make customers of its products and software aware of the need for an effective password policy via pop-up alerts and reminders. Snom can also work with customers who implement network encryption, but it is ultimately the responsibility of the customer themselves to ensure that these measures are implemented.

Who else has to take responsibility?


Think of it as follows: 

  • We provide a reliable lock for your back door, front door, basement hatch and for all rooms in your house.
  • We also supply the keys to these locks, but it is still the owner's responsibility to ensure that the doors are actually locked.

The security chain in telecommunications consists of several equally crucial links. One of these vital links is, of course, the IT administrator in a company. It is an inescapable fact that the IT administrator must take some responsibility for the security of the corporate network, e.g. by using a professional firewall and other network security measures, or even by implementing an effective password policy and informing staff and colleagues about these requirements. In certain circumstances, seamless communication may be prioritised over security. This is similar to leaving your house keys under a flowerpot near the front door so that someone else can get into your house.

These risks must be carefully weighed. After all, safety is one of those things that is only noticed when something goes wrong.

A thankless task for those who have to ensure that the security systems are maintained. How often do office staff thank building management for a burglary-free year? It is easy to forget how important security is when it is working well. Continuous security requires vigilance and awareness of several important links in the chain that locks the door.

How much?! Network security means financial security


How much does a cracked phone system cost?
Well, in 2016 the cost (worldwide) was put at $38 billion, of which $3.53 billion was via IP-PBX.
This number is growing exponentially year after year.
Imagine the following:
A small company with, say, 25 employees suddenly gets billed a six-figure sum for calls in just one week. On closer inspection, it turns out that these are calls to chargeable numbers in countries where the money quickly disappears into a dark, untraceable money circuit.

  • In the worst case, these costs can immediately bankrupt a company.
  • The best case scenario? A rude awakening with the realisation of the importance of network security.

Regular training of company staff in IT security should be an ongoing process, not a one-off. Sales teams, customer support, switchboards - all these critical functions are potential weak links in the security chain. Recently, a whole range of security challenges have emerged as more and more employees work on the road or from home and use their own devices on the corporate network (BYOD).
The threat to businesses has multiplied immeasurably in just a few months. Neglecting these vulnerabilities in the security chain would be extremely dangerous.

A look into the future …

Imagine we are in 2025 and there have been a ton of big changes in technology and behaviour. People all over the world have a variety of customised communication solutions to meet all their personal and business needs. However, to get to this point, many companies, across all industries and sizes, have been lost. Their legacy is a lesson in security: take responsibility, conduct ongoing reviews, leave no stone unturned and illuminate every shadow.
This highly simplified statement does not help those who are responsible for the security of their business today, but perhaps it helps to understand that we at Snom and our partners are working at the highest level of development and innovation. As the fundamental basis of IP telephony and in recognition of our responsibilities, security is an area to which we devote a large part of our resources.
High profile and/or costly cracking cases, the proliferation of "SPIT" (Spam over Internet Telephony) and other unwanted calls will continue to make headlines, but as the old saying goes, "danger recognized, danger averted". Only the unity of manufacturers, interop partners, integrators, resellers and end users can help increase security awareness and best practices. Snom has played its part in this team effort in the past, is doing so now and will continue to do so.

