The reliability and trustworthiness of message content are fundamental assumptions for users of telephone systems today. VoIP uses technologies that traverse infrastructure used by many other users – in the case of the Internet, many millions of other users – this trustworthiness of content is in some cases subject to question.
Rogue IP Phone
A malicious user may connect an unauthorised IP phone to the network. A rogue phone poses threats such as identity fraud and can be utilised to start unauthorised services or launch attacks against other devices in the network.
Message Alteration
The process of interception, alteration and resending of messages within a trusted conversation is known as “man-in-the-middle” attack. Voice conversation via VoIP is fundamentally different to traditional telephone systems. While the traditional telephone network has voice data travelling along a dedicated network, in VoIP, voice data is transmitted as packets through shared computer networks – often including the Internet – where its path is shared with other types of traffic and is more widely accessible. Due to this fact, it is conceivable that without proper protection, attackers may be able to alter or scramble the content of messages such that they are non usable or recognisable. Message alteration can also include changing voice mail, fax and other messaging services via VoIP, as well as video reconstruction.
Unauthorised individuals may be able to assume another user’s identity through the rerouting of telephone calls. If an unauthorised person is able to gain access to the necessary users’ Internet connections, they can redirect their VoIP calls from any geographic location in the world to any other geographic location in the world.
False Caller-ID
Another potential threat to integrity may arise from users being able to change their caller ID to a fraudulent value (commonly referred to as caller ID spoofing). Similar to altering the message content, identity fraud can also include utilising false caller IDs to allow fraudsters to be proactive in engaging contact with a VoIP user while pretending to be someone else. Through using a caller ID phone number known to be associated with a given organisation, a fraudster can gain further credibility in their claim to be someone else.
Vishing (or VoIP phishing)
Vishing is similar to an email-based phishing. A victim will receive an email or be contacted with a phone call that directs him or her to a customer service number where they go through a number of voice prompted menus, in an attempt to steal account numbers, credit card numbers, PINs, and other critical information.