Best Practices for Securing Your VoIP Phone System

The internet in 2018 can feel a lot like the Wild West, with bandits around every corner waiting to rob your stagecoach. And while we have gotten a lot better at protecting our valuables, there are still a few things to be aware of, including the safety of your phone system and IP phones.

IP phones are essentially computers that are connected to the internet. If someone gains access to your phone, they can make calls on your behalf (and on your dime), which can become very costly. The most common scam is when hackers take over phones and make calls to “over charged” numbers in foreign countries – numbers that were previously known as 900-numbers in the US. When calling these numbers, the scammer typically gets a cut of the profit for the call, and in that way makes money by exploiting phones.

Here are best practices to help keep your VoIP phone system secure.


Change The Default Password

IP phones typically have a web interface that’s used to configure the phone and in some cases even make calls. When the phone is shipped from the factory, a default password is set, so the user can log in and configure the phone the first time. Unfortunately, far too many people leave this default password unchanged, which makes it very easy for people with shady motives to gain access. For that reason, the first thing you should always do before you start configuring your new IP phone is to change the phone’s default administrator password.


Use a Router With a Firewall

From time to time, we hear about people who connect their phones directly to the internet without using a router or firewall. This means that anyone with an internet connection can access the phone’s web interface, and if the phone’s administrator password is still the factory default – well, that’s just making it too easy for the fraudster.

Make sure the router is not set to “bridge mode”, a feature that basically disables all routing features and assigns a public IP address to all devices on the network. A quick way to see whether your network is in bridge mode is to look at the phones’ IP addresses. If the IPs start with 192.168.x.x or 10.10.x.x, then they are in a closed network, and you are reasonably safe. If your phone’s IP address looks different, you should check that it’s connected to a router, and that the router is not in bridge mode.
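The address check described above can be run across a whole phone inventory. This is an added example, not code from the original article. It goes beyond the two prefixes mentioned and covers all three private ranges from RFC 1918 plus carrier-grade NAT and link-local addresses. The phone names and addresses are constructed.

```python
import ipaddress

# Ranges that are not reachable from the public internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # carrier-grade NAT (RFC 6598)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when DHCP fails


def classify_phone_ip(text):
    """Label an IPv4 address by how reachable it is from the internet."""
    try:
        addr = ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return "invalid"
    if any(addr in net for net in RFC1918):
        return "private"       # behind a router doing NAT
    if addr in CGNAT:
        return "carrier-nat"   # shared ISP range behind the carrier's NAT
    if addr in LINK_LOCAL:
        return "link-local"    # phone never got a DHCP lease
    if addr.is_loopback or addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return "special"
    return "public"            # check for bridge mode or a missing router


def exposed_phones(inventory):
    """Return the names of phones whose address is publicly routable."""
    return sorted(name for name, ip in inventory.items()
                  if classify_phone_ip(ip) == "public")


# Constructed inventory. 203.0.113.7 is a documentation address standing in
# for a real public IP.
SAMPLE_INVENTORY = {
    "reception": "192.168.1.20",
    "warehouse": "10.10.4.2",
    "lab": "172.20.0.9",
    "lobby": "172.32.0.5",      # just outside 172.16.0.0/12, so public
    "kiosk": "203.0.113.7",
    "spare": "169.254.10.3",
}

if __name__ == "__main__":
    print(exposed_phones(SAMPLE_INVENTORY))
```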

If your router has a firewall, you should always enable that feature. Firewalls look at the actual traffic that goes in and out of the network and try to block anything that looks suspicious.


Prevent Ghost Calls

When fraudsters look for phones to exploit, they do something called “port scanning”. This is a method where they send out specific data requests to millions of different IP addresses on the internet very fast, and then listen for anything that responds. For example, they typically send out the same data request as a VoIP server would do when there’s an incoming call for an IP phone – the request that makes the phone start ringing. When the phone receives this request, it will respond back to the sender to acknowledge that it was received, and that the phone has started ringing. When the fraudster receives the confirmation, he now knows that there’s an IP phone located on this IP address, and he can start trying to hack it. If the phone at the same time is not behind a router/firewall, and the default password hasn’t been changed – well, again – that’s just making it too easy.

However, if the phone is protected, then there’s very little chance that the fraudster can gain access to exploit the phone. But, he can still send these port scan requests to make the phone ring, which can be really annoying for the person on the other end. It would seem that there’s an incoming call, but when you answer the phone there’s no one there. That’s what’s known as a ghost call.

Luckily, there’s an easy way to prevent these ghost calls. Most IP phones have a setting that tells the phone to only accept incoming calls from the server they are connected to. You can learn how to configure your phone to prevent ghost calls here.
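The logic behind that setting can be sketched as follows. This is an added example, not code from the original article or from any phone vendor: the phone compares the address a call request arrived from against the server it is registered with, and ignores what the request says about itself. The function names, the server range 198.51.100.0/28 and the sample requests are constructed.

```python
import ipaddress


def parse_sip_request(raw):
    """Return (method, headers) for a SIP request, or (None, {}) if malformed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers


def handle_request(raw, source_ip, trusted_networks):
    """Return (action, claimed_from) for a SIP request received from source_ip."""
    method, headers = parse_sip_request(raw)
    src = ipaddress.ip_address(source_ip)
    trusted = any(src in ipaddress.ip_network(n) for n in trusted_networks)
    claimed = headers.get("from", "")   # kept only so drops can be logged
    # The decision uses the packet's source address. The From header is
    # sender-controlled text and is deliberately not consulted.
    if method is None or not trusted:
        return "drop", claimed
    return ("ring" if method == "INVITE" else "process"), claimed


def make_invite(from_user, from_host):
    """Build a minimal constructed INVITE for the samples below."""
    return ("INVITE sip:1001@192.168.1.20 SIP/2.0\r\n"
            f"From: <sip:{from_user}@{from_host}>;tag=1\r\n"
            "To: <sip:1001@192.168.1.20>\r\n"
            "Call-ID: constructed-example\r\n"
            "CSeq: 1 INVITE\r\n\r\n")


# Constructed values: the provider's SIP servers live in 198.51.100.0/28.
TRUSTED = ["198.51.100.0/28"]
REAL_CALL = make_invite("5550100", "sip.example.net")
GHOST_CALL = make_invite("1000", "sip.example.net")   # claims the same host

if __name__ == "__main__":
    print(handle_request(REAL_CALL, "198.51.100.5", TRUSTED))
    print(handle_request(GHOST_CALL, "203.0.113.50", TRUSTED))
```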


Use Two Factor Authentication

It’s not just your phones that can become victims of unwanted access. Your actual phone system’s online portal is also at risk, but luckily you are paying someone else to make sure that part doesn’t get hacked. The only thing here to be aware of is to always use a strong password.

To strengthen your account’s security further, you can enable Two Factor Authentication (2FA), which is a technology that requires a unique key each time you log in. This key is generated by a hardware device or an app on your cell phone, and changes every 30 seconds. So without having both your password and your cell phone, no one will be able to access your account.

You can learn more about enabling two factor authentication here.
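How a key that changes every 30 seconds is derived and checked, as an added example that is not part of the original article. It assumes the portal uses standard TOTP (RFC 6238, HMAC-SHA1, 30-second step), which the article does not state. The secret is the published RFC test value, not a real one.

```python
import hashlib
import hmac
import struct


def totp(secret, unix_time, step=30, digits=6):
    """Compute the one-time code for the time step containing unix_time."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, step=30, drift_steps=1):
    """Accept a code from the current step or drift_steps steps either side."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * step
        if t < 0:
            continue
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(totp(secret, t, step), submitted):
            ok = True
    return ok


# Shared secret from the RFC 6238 test vectors (constructed input, not a real key).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))              # code for the step ending at 0:59
    print(totp(RFC_SECRET, 60))              # next step, different code
    print(verify(RFC_SECRET, "287082", 95))  # stale code, outside the window
```

The server and the app hold the same secret, so a password alone never produces a valid code, and a captured code stops working once its time window has passed.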

Thomas is part of the marketing team at Telzio and develops thought leadership content in the areas of cloud computing and unified communications. With an education in electrical engineering and background in software development, Thomas has a strong technical understanding pertaining to cloud networking technologies, trends, and practices.