VoIP Security: 12 Best Practices for VoIP Phone Systems

Alex Graves

IT Manager

VoIP Security: 12 Best Practices for VoIP Phone Systems

January 6, 2020

October 2, 2019

June 30, 2021

Here are 12 best practices to keep your VoIP security, your wallet, and your reputation protected from bad actors on the internet.

Secure user credentials with a strong password and two-factor authentication.
Perform regular call log reviews for unusual call activity.
Disable international calling / enable geo-fencing.
Outsource to a SaaS provider for VoIP calls.
Update firmware on VoIP phones.
Use a router with a firewall.
Limit physical access to networking equipment.
Restrict user access to parts of the phone system.
Ensure data encryption through your VoIP provider.
Educate users on VoIP security best practices.
Prevent ghost calls on IP phones.
Implement intrusion prevention systems.

1. Secure User Credentials with a Strong Password and Two-Factor Authentication

It goes without being said that It is essential to change the password on your VoIP phone or device. Like many network devices that can be configured from a web interface, VoIP phones come with a preset default password that needs to be changed right away. The default login is usually something like admin/admin, and should be changed the first time you log in to the phone.

While default credentials vary by manufacturer and model, they are easily found with a simple Google search and rarely utilize a strong password.

If your organization has a credential management policy, it is a good idea to apply these same standards to both deskphones and the web interface. A strong credential management policy includes expiration and complexity requirements, and is crucial to the effective management of security credentials. It’s good practice to periodically remind employees to update their passwords.

Two-factor authentication should be mandatory for all users on your VoIP phone system. Telzio offers 2FA for users, and enables you to verify on the web dashboard that all users have successfully enabled the feature.

2. Perform Regular Call Log Reviews

This security tip requires little or no technical knowledge of networks or VoIP systems in general. It is a best practice, however, to institute regular reviews of VoIP traffic in the call logs.

Telzio provides detailed call analytics with data including:

average call duration
average hold time
total number of incoming / outgoing calls
total calls / missed calls
total duration by user

By regular checking these call reports and comparing period over period, you can easily pick up when there are signifcant variants in activity. These pieces of information can point you to areas where there may be gaps or misuse.

Administrators will want to check for abnormal call durations, destinations, and the times that outgoing calls are being initiated. Any outliers in these logs should be investigated to ensure that your system has not been compromised.

Detailed call reporting is an important feature to look for when considering a new VoIP service and Telzio even offers real-time call monitoring. These logs will tell you a lot about your baseline usage and are not only useful in monitoring the health of your phone system, but are valuable in planning for future expansion.

3. Disable International Calling or Enable Geo-Fencing

Bad actors on the internet will often try to leverage VoIP systems to make international calls that will rack up the charges on your account - also known as toll fraud. Having your system or network compromised is bad enough, but accumulating usage on calls you did not make adds insult to injury.

If you must make international calls, it’s a good idea to enable geo-fencing. Geo-fencing is also used on network firewalls and email servers to prevent connections to countries where high numbers of potential hacks originate.

Telzio enables you to block unwanted calls to/from entire countries, area codes, and specific phone numbers. You can add countries to a blacklist to ban incoming and/or outgoing calls from that country right on the Telzio Dashboard.

Another similar precaution would be to use IP blacklists on your firewall to block connections, including VoIP traffic, to known malicious IP addresses. IP blacklists can be found on reputable public aggregator sites such as dnschecker.org.

4. Utilize SaaS for VoIP Calls

Software as a service has become an important part of everyday office operations as individuals and large organizations leverage the expertise of specialists to manage a complex piece of software or application. Rather than building and maintaining your own VoIP infrastructure, outsource your PBX and VoIP services to a SaaS provider like Telzio.

Telzio provides a robust feature set out-of-the-box, a user-friendly UI, and full support. What’s more, built-in security measures to protect you from fraudulent activity on your account and can be that extra set of eyes you need to prevent serious intrusions.

Explore more Telzio features.

5. Stay Up to Date on Security Patches

Just as all network security devices and computers need to be updated, so does your VoIP phone.

Along with changing the default credentials before implementing your VoIP system, it is a good idea to also update the firmware on your IP phones. Updating the firmware ensures that the most current security patches are installed, and that any vulnerability gaps are filled before your phone system goes live.

How to update the firmware on Grandstream phones and other guides.

Firmware updates should be checked regularly (quarterly is recommended), installed as soon as possible, and built into the wider update schedule for all of your networked devices as a part of the IT asset management policy.

6. Use a Router with a Firewall

From time to time, we hear about people who connect their IP phones directly to the internet without using a router or firewall. This means that anyone with an internet connection can access the phone’s web interface, and if the phone’s administrator password is still the factory default – well, that’s just making it too easy for the perpetrator.

Make sure the router is not set to bridge mode, which is a feature that basically disables all routing features and assigns a public IP address to all devices on the network. A quick way to see if your network is in bridge mode or not, is to look at the phone’s IP addresses. If the IPs start with 192.168.x.x or 10.10.x.x, then they are in a closed network, and you are reasonably safe . If your phone’s IP address looks different, you should check that it’s connected to a router, and that the router is not in Bridge Mode.

If your router has a firewall, you should always enable that feature. Firewalls look at the traffic that goes in and out of the network, and tries to block anything that looks suspicious.

7. Limit Physical Access to Networking Equipment

Networking equipment should be stored in a locked room or cabinet and only accessible to the IT team. Securing access to the physical hardware that protects your network is key to ensuring that all of your IT systems, including VoIP, remain uncompromised. Installation of security cameras and implementation of an access log that is audited on a regular basis are also recommended to secure your networking room.

8. Restrict User Permissions

Telzio provides a web interface to make configuration of the device easier and to give you access to additional features and many more customization options. The web interface also determines how it interacts with the VoIP system and therefore will need your user credentials. While the web interface can make setup a breeze, it is one more door into your VoIP system that needs to be secured.

As mentioned earlier, strong security credentials to access the web interface are a must, but Telzio also provides various levels of user permissions to restrict access to the system. Default access enables users to access only their own call logs and messages. Administrators can assign further permissions to users to manage various parts of the system such as call flows, billing, and other users. Be sure to practice diligence with granting user permissions, and ensuring that users with administrator privileges have 2FA enabled.

9. Ensure Data Encryption

It’s important to partner with a VoIP provider that encrypts the call processing data sent between the VoIP servers and your network. Telzio ensures end-to-end encryption across all calls and messages throughout the life of the data.

It’s also crucial that your network is encrypted to prevent the damage caused by bad actors sneaking around your systems. Even if someone is able to gain access to your system, encrypted VoIP connections ensure that the data is unusable to them.

10. Educate Users

Your VoIP users are just a part of the first line of defense against fraudulent activity on your system but can be one of the most effective. Proper education about security credentials and what to expect from normal quality of service on VoIP calls can help keep your system secure. Educated end users give you an extra set of eyes looking for abnormal activity that could indicate that your system has been compromised.

It is also important to implement policies on what should be disclosed during a phone call to avoid the unintended disclosure of personally identifiable information, business data, identity theft, or other personally intrusive criminal activity. Security training should also be thought of as an ongoing process. As new security issues and potential threats emerge, it is very important that your training changes to address new threats as well. Keep your users educated as they are the ones using the system on a daily basis.

11. Prevent Ghost Calls

Ghost calls are incoming calls with no one on the other end, and they are one way of hackers trying to infiltrate your phone system.

When hackers look for phones to exploit, they do something called port scanning. This is a method where they send out specific data requests to millions of different IP addresses on the internet very fast, and then listen for anything that responds. For example, they typically send out the same data request as a VoIP server would do when there’s an incoming call for an IP phone – the request that makes the phone start ringing. When the phone receives this request, it will respond back to the sender to acknowledge that it was received, and that the phone has started ringing. When the hacker receives the confirmation, he now knows that there’s an IP phone located on this IP address, and he can start trying to infiltrate it. If the phone at the same time is not behind a router/firewall, and the default password hasn’t been changed – well, again – that’s just making it too easy.

However, if the phone is protected, then there’s very little chance that the hacker can gain access to exploit the phone. But, he can still send these port scan requests to make the phone ring, which can be pretty annoying for people at work. This is when ghost calls occur.

Luckily, there’s an easy way to prevent these ghost calls. Most IP phones have a setting that tells the phone to only accept incoming calls from the server they are connected to.

Guide on How to Stop Ghost Calls

12. Implement Intrusion Prevention Systems

Intrusion prevention systems will keep an eye on the overall performance of your VoIP system and balance the load on your network to ensure that your quality of service remains high. These load balancing measures, along with other security features, will also detect abnormal activity that accompanies events such as a distributed denial of service attack (DDoS).

Intrusion prevention systems can be features on your firewall, in addition to the prevention measures built-in to the Telzio VoIP platform. It is important to have a conversation with your IT department to see what tools are available to you and keep them up to date with the most recent security patches.