VoIP vulnerabilities
VoIP vulnerabilities are weaknesses in the VoIP protocol or its implementations that expose users to privacy violations and other problems. VoIP is a group of technologies that enable voice calls online. VoIP shares similar vulnerabilities with other internet-based services.
Risks are not usually mentioned to potential customers (Peter Thermos and Ari Takanen, Securing VoIP Networks, {{ISBN|978-0-321-43734-1}}). VoIP provides no specific protections against fraud and illicit practices.{{Cite web |date=2020-12-03 |title=FTC Takes Action against Second VoIP Service Provider for Facilitating Illegal Telemarketing Robocalls |url=https://www.ftc.gov/news-events/news/press-releases/2020/12/ftc-takes-action-against-second-voip-service-provider-facilitating-illegal-telemarketing-robocalls |access-date=2025-04-22 |website=Federal Trade Commission |language=en}}
Vulnerabilities
=Eavesdropping=
Unencrypted connections are vulnerable to security breaches. Hackers/trackers can eavesdrop on conversations and extract valuable data through microphones.{{Cite news |last=Pegg |first=David |last2=Cutler |first2=Sam |date=2021-07-18 |title=What is Pegasus spyware and how does it hack phones? |url=https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones |access-date=2025-04-22 |work=The Guardian |language=en-GB |issn=0261-3077}}{{Cite web|url=https://www.itpro.com/108992/unencrypted-voip-poses-security-threat|title=Unencrypted VoIP poses security threat|author1=Stephen Pritchard|date=March 28, 2007|website=ITPro}}{{Cite web|url=https://www.asterisk.org/downloads/security-advisories/|title=Security Advisories ⋆ Asterisk|website=Asterisk}}
=Network attacks=
Attacks on the user network or internet provider can disrupt or destroy the connection.{{Cite news |date=2024-08-14 |title=DDoS attacks: What they are, how they cause damage online, and essential tips to stay safe from DDoS attacks |url=https://timesofindia.indiatimes.com/technology/tech-tips/url-ddos-attacks-what-they-are-how-they-cause-damage-online-and-essential-tips-to-stay-safe-from-ddos-attacks-elon-musk/articleshow/112512402.cms |access-date=2025-04-22 |work=The Times of India |issn=0971-8257}} Since VoIP requires an internet connection, direct attacks on the internet connection, or provider, can be effective. Such attacks target office telephony. Mobile applications that do not rely on an internet connection to make calls{{Cite web|url=https://www.pindo.me/|title=Mobile VOIP alternative for business international calls|website=www.pindo.me}} are immune to such attacks.{{Why|date=August 2023}}
=Default security settings=
VoIP phones are smart devices that need to be configured. In some cases, Chinese manufacturers{{Citation needed|date=August 2023|reason=Source does not mention Chinese manufacturers. Cisco and snom are mentioned, which are American and German respectively.}} are using default passwords that lead to vulnerabilities.{{Cite web|url=https://securityintelligence.com/news/researchers-find-voip-phones-vulnerable-to-simple-cyberattacks/|title=Research: VoIP Phones Can Be Exploited If Not Set Up Properly}}
=VoIP over Wi-Fi=
While VoIP is relatively secure{{Citation needed|date=August 2023|reason=Citation in this same paragraph contradicts, stating "We know that VoIP is insecure".}}, it still needs a source of internet, which is often a Wi-Fi network, making VoIP subject to Wi-Fi vulnerabilities.{{Cite web|url=https://www.crn.com/slide-shows/networking/205100204/top-9-voip-threats-and-vulnerabilities.htm|title=Top 9 VoIP Threats And Vulnerabilities|first=Andrew R.|last=Hickey|date=December 18, 2007|website=CRN}}{{Explain|reason=In the context of VoIP, what can make home/office connections more secure? Needs more technical explanation to contrast to "free wifi", why is that not secure with VoIP?|date=August 2023}}
=Packet loss=
Since VoIP runs over an internet connection, whether wired, Wi-Fi or 4G, it is susceptible to packet loss, which affects the ability to make and receive calls or makes calls hard to hear. The susceptibility is due to the real-time nature of the communication. Packet loss is the biggest reason for VoIP support calls.{{Cite web|url=https://telephonesystems.cloud/troubleshooting/voip-packet-loss-issue/|title=VoIP and Packet loss issues |website=telephonesystems.cloud}}
=SIP ALG=
When VoIP was first set up, a setting called SIP ALG was added to routers to prevent VoIP packets being modified. However, on more modern VoIP systems, the SIP ALG router setting causes routing issues with VoIP packets, which makes calls drop. Routers are usually shipped with SIP ALG turned on.{{Cite web|url=https://telephonesystems.cloud/troubleshooting/what-is-sip-alg/|title=What is SIP ALG and Why it Causes Problems|website=telephonesystems.cloud}}
Exploits
=Spam=
VoIP is vulnerable to spam, known as SPIT (Spam over Internet Telephony), because it relies on the open internet, which is less regulated. Using the extensions provided by VoIP PBX capabilities, the spammer can harass their target from different numbers.{{Cite journal |last=Carrillo-Mondéjar |first=J. |last2=Martinez |first2=J. L. |last3=Suarez-Tangil |first3=G. |date=2022-08-01 |title=On how VoIP attacks foster the malicious call ecosystem |url=https://www.sciencedirect.com/science/article/pii/S0167404822001535 |journal=Computers & Security |volume=119 |pages=102758 |doi=10.1016/j.cose.2022.102758 |issn=0167-4048|doi-access=free }} The process can be automated and can fill the target's voice mail with notifications. The spammer can make calls often enough to block the target from getting important calls.{{Cite web |author=Associated Press |date=2025-02-28 |title=How to stop getting a ton of unwanted phone calls |url=https://nypost.com/2025/02/28/tech/how-to-stop-getting-a-ton-of-unwanted-phone-calls/ |access-date=2025-04-22 |language=en-US}}
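One way a PBX operator could detect the pattern described above, where automated calls from many different numbers converge on one target, is a sliding-window count over call records. This is an added example, not part of the original article; the call records are constructed, and the window and thresholds are assumptions to be tuned per deployment.

```python
from collections import defaultdict, deque

# Constructed call records: (epoch seconds, calling number, called number).
CALLS = [
    (1000, "2001", "5551000"), (1010, "2002", "5551000"), (1020, "2003", "5551000"),
    (1030, "2004", "5551000"), (1040, "2005", "5551000"), (1050, "2001", "5552000"),
    (4000, "3001", "5553000"), (9000, "3001", "5553000"),
]


def flag_spit_targets(calls, window=300, min_calls=5, min_callers=3):
    """Return {callee: time of first alert} for every callee that received at
    least min_calls calls from at least min_callers distinct callers within
    window seconds. Threshold defaults are illustrative assumptions."""
    recent = defaultdict(deque)  # callee -> (timestamp, caller) pairs still in window
    alerts = {}
    for ts, caller, callee in sorted(calls):
        queue = recent[callee]
        queue.append((ts, caller))
        # Drop calls that have aged out of the window for this callee.
        while queue and queue[0][0] < ts - window:
            queue.popleft()
        distinct_callers = {c for _, c in queue}
        if (callee not in alerts and len(queue) >= min_calls
                and len(distinct_callers) >= min_callers):
            alerts[callee] = ts
    return alerts
```

Requiring several distinct callers as well as a call count keeps one persistent but legitimate caller, such as 3001 in the sample, from raising an alert.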
=Phishing=
VoIP users can change their Caller ID if they have admin rights on the VoIP server. Anyone who resells VoIP or manages their own VoIP server can allocate any phone number as an outgoing number. This is commonly used for genuine reasons when a customer is porting a number, so they can use their number on a new platform while the port takes place. But it can also be used maliciously to mask any number (a.k.a. Caller ID spoofing){{How|date=August 2023|title=How can VoIP users change their caller ID? Does this apply only to VoIP to VoIP calls or calls onto the PSTN too? In the case of the latter, is this possible only with a specific kind of trunk provider or possible universally?}}, allowing a caller to pose as a relative or colleague in order to extract information, money or benefits from the target.{{Cite web|url=https://uk.norton.com/voip-security-a-primer/article|title=The Vulnerabilities of VoIP}}{{Citation not found|date=August 2023}}
See also
- Comparison of VoIP software
- INVITE of Death
- List of VoIP companies
- Mobile communications over IP - Mobile VoIP
- Voice over WLAN - VoIP over a WiFi network