At risk: Are your telephones the weakest link in your security strategy?

Online burglars are just as devious as those in the flesh, if not more. They both have a goal and an understanding of how to reach it, irrespective of how much ingenuity and effort is required.

Cybercriminals are skilled and determined; if they know that there’s valuable data to steal, they will use the most calculating and deceitful methods to get it.

Organisations can spend millions of dollars protecting their networks with the most trusted security software and systems. While this often leads to success in defeating most determined ‘head-on’ attacks, they also force hackers to take a different route. Remember, cybercriminals are determined and won’t be stopped after one barrier. Instead, they are forced to be more creative in the way that they probe their targets and find weaknesses to exploit.

This approach has contributed to the unprecedented rise in cybercrime, the cost of which is on track to reach US$6 trillion globally by 2021, up from US$3 trillion in 2015. And as businesses wise up to more traditional methods such as brute force attacks, malware and social engineering, criminals are diversifying their tactics.

The next battle in the ongoing war for security will be focused on devices which, thanks to the Internet of Things (IoT), are proliferating at an astonishing rate. But there’s one device that sits on almost every desk – one that we rarely think of as a security threat: the humble telephone.

We tend not to think of telephony as a realistic attack vector for hackers, and that’s largely because we forget that they aren’t the analogue devices of our youth. An IP-based phone is a sophisticated computing device in its own right. It has software and network connectivity that can provide an easy way in for hackers who are searching for the perfect vulnerability.

This alarming method of cyberattack was evident just last year. Research by F5 Networks gave insight to the string of cyberattacks that hit organisations in Singapore in June. Its analysts found that almost 90 per cent of the malicious traffic (largely originating in Russia) was specifically targeted at VoIP phones – coinciding with the Trump-Kim summit. By hacking into these phones – the type typically found in hotels where high-profile delegates might be staying – the hackers would be able to eavesdrop on some of the most sensitive conversations imaginable.

The average businesses deploying VoIP phones might shrug their shoulders and wonder why the Cold War tactics of state-sponsored hackers should concern them. The answer is that hackers cut their teeth by targeting the most high-value people and organisations. Once a technology or technique has been proven against ‘valuable’ victims – such as diplomats or financial services firms – hackers can either roll it out to other businesses or sell the knowledge and tools they have developed on the Dark Web. So, while telephony isn’t yet a major attack vector for today’s cybercriminals, it would be foolish to imagine that VoIP telephony doesn’t represent a vulnerability that will be targeted and exploited at some point in the near future.

Any business that conducts sensitive conversations over the phone needs to protect inbound and outbound calls from hackers who are waiting to steal anything of value – from trade secrets to customer card numbers. The solution is surprisingly simple, and focuses on removing the key vulnerability that hackers exploit – the connection between a wireless headset and its base station.

These last few inches are easy to neglect, which is why they provide such a tempting target for cybercriminals. If hackers can access this connection, they can listen to every piece of sensitive information relayed over the phone.

That’s why organisations that are serious about security should choose telephony hardware that features secure encryption, authentication and secure pairing between device / headset and the base unit. This means that a non-paired unit (such as one deployed by a hacker within a few dozen feet of the office) can’t access the VoIP link to eavesdrop on the conversation.

Pairing between base station and device is nothing new, but the latest standard is ‘physical assisted pairing’. This occurs when the headset is docked in the base unit, when a secret link-key is created to connect them. Similarly, while authentication has been around for some time, security standards can vary enormously; which is why security-conscious organisations should look for headset / base unit solution. authentication based on the most secure 128-bit level technology, rather than the old standard of 64-bit.

Of course, security is only as good as the standard of encryption itself. Many of these DECT headsets feature some form of authentication and encryption, but often of a very limited standard. Basic encryption may put off the casual attacker, but to be fully secure an organisation needs the highest standard – ideally, military-grade technology such as AES 256-bit encryption, which gives a line of defence that goes beyond that of DECT Security Level C.

Unlike so many security technologies, secure telephony isn’t difficult to find or to deploy. It also requires little or no ongoing management – all it needs is an awareness of the threat and a willingness to upgrade to a secure solution when upgrading your telephony infrastructure.

Granted, secure telephony won’t stop hackers testing other parts of your cyber defences. It will, however, close an open door that’s an invitation to the growing army of clever and determined hackers around the world.