Voice of Warning: Button Up Your Communications Security
From urban schools to national power grids, organizations of all types need to take stock of how hackers can use or abuse voice and real-time communications systems.
April 19, 2016
A news story out of Boston last week caught our attention here at No Jitter and Enterprise Connect as a real-life example of one of the various ways criminal hackers can use phone systems to perpetrate their malicious attacks. As reported by Boston.com, several high schools in the area received bomb threats on Monday morning, with some of those arriving via automated phone call, which is not the first time something like this has happened.
We heard about such potential exploits during the Security Summit at last month's Enterprise Connect conference, where Weston Hecker, a network/security engineer and hacker with High Point Networks, described some of the various ways enterprise voice threats are evolving. Regular No Jitter blogger Andrew Prokop, a SIP expert with Arrow SI, has picked up on the theme in his recent two-part blog series on hacking as a service (HaaS), and in fact described just this sort of scenario in his first piece:
As daunting as these types of attacks are, they almost seem child's play compared to some of the cyberattack scenarios I heard about last week during an Oracle Industry Connect (OIC) keynote by Richard Clarke, cybersecurity expert and the nation's first-ever counterterrorism czar. Lots of Clarke's examples didn't relate to the voice infrastructure, but the late December 2015 cyberattack on a Ukraine power grid sure did.
In this incident, hackers finessed their way into the power grid's operation center and "threw the breakers" on one subnet after the next, Clarke said. A hapless system administrator could do nothing but watch as his mouse, now out of his control, pointed and clicked its way to a power shutdown that affected some 225,000 customers, he continued.
Then, "just because they could" -- and here's where the phone system comes into play -- the attackers launched a denial-of-service (DoS) attack against the VoIP system and brought that down, too. And with that, the power company couldn't coordinate its response by phone, either.
I'm sure that many enterprises, especially those in sensitive businesses like financial services and healthcare, are taking this stuff pretty seriously. I heard one example while speaking about real-time communications use cases with Iago Soto, CMO and co-founder of Quobis, a Spain-based WebRTC solutions provider that primarily serves Western Europe and South America. One of Quobis's bank customers wanted to use click-to-video call functionality as part of a campaign aimed at making it super quick and easy for potential customers to sign up for accounts. But, of course, the IT security team had something to say about that.
The big fear, Soto said, was that the click button would become the target of a DoS attack and disrupt the bank's ability to provide service. To address the concern, Quobis incorporated a few security rules into its WebRTC software implementation. Should clicks on the video call button originate more than three times in one minute from the same IP address, for example, the software disallows the connection.
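The rule Soto describes, sketched as a per-IP sliding-window check. This is an added example, not Quobis's code; the class name, the cap on tracked addresses and the choice not to count refused clicks are assumptions.

```javascript
// Added example: per-IP sliding-window limiter for a click-to-call endpoint.
// Constructed illustration; the 3-per-minute defaults mirror the article's rule.
class CallButtonLimiter {
  constructor({ maxClicks = 3, windowMs = 60_000, maxTrackedIps = 100_000, now = Date.now } = {}) {
    this.maxClicks = maxClicks;
    this.windowMs = windowMs;
    this.maxTrackedIps = maxTrackedIps; // cap so the limiter itself cannot be used to exhaust memory
    this.now = now;                     // injectable clock for deterministic tests
    this.clicks = new Map();            // ip -> ascending timestamps of allowed clicks
  }

  // Returns true if call setup may proceed, false if the connection is disallowed.
  allow(ip) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.clicks.get(ip) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.maxClicks) return false; // would exceed the limit within the window
    if (!this.clicks.has(ip) && this.clicks.size >= this.maxTrackedIps) {
      this.sweep(cutoff);
      if (this.clicks.size >= this.maxTrackedIps) return false; // table still full: fail closed
    }
    recent.push(t);
    this.clicks.set(ip, recent);
    return true;
  }

  // Drop addresses whose most recent allowed click has left the window.
  sweep(cutoff = this.now() - this.windowMs) {
    for (const [ip, stamps] of this.clicks) {
      if (stamps[stamps.length - 1] <= cutoff) this.clicks.delete(ip);
    }
  }
}

// Replays [timeMs, ip] events against a limiter and returns each decision.
function replay(events, limiter) {
  let clock = 0;
  limiter.now = () => clock;
  return events.map(([ms, ip]) => { clock = ms; return limiter.allow(ip); });
}

// Constructed sample clicks using documentation-range addresses.
const sample = [[0, '203.0.113.7'], [10_000, '203.0.113.7'], [20_000, '203.0.113.7'],
  [30_000, '203.0.113.7'], [30_000, '198.51.100.4'], [60_001, '203.0.113.7']];
console.log(replay(sample, new CallButtonLimiter()));
```

The address passed to `allow` should come from the transport connection, or from a forwarding header only when a trusted proxy sets it, since a client-supplied header lets each request claim a fresh address.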
But to hear Clarke tell it, neither the private nor public sectors are doing nearly enough -- especially given the holey legacy infrastructure put in place when such attacks weren't possible, but which is not going away any time soon. And then there's the infinite volume of connected devices coming online with the Internet of Things. "Think of the security problem that comes with that," he said.
Whether companies realize it or not, hackers have already penetrated so many networks and are but biding their time. "The task now isn't to keep them out. The task is to limit what they can do," Clarke said.
He gave a few quick suggestions on how enterprises could do more. First, encrypt end to end (note to Congress: No backdoors allowed). Second, hire a managed security services provider rather than going it alone; and third, "put more stuff in the cloud," where security and management at scale are easier.