How Safe is Your Phone System?

October 13, 2011

When considering security, make sure you’re protecting the data on your phones, too

In July 2011, the world saw just how vulnerable voicemail systems can be when a phone hacking scandal took down the News of the World newspaper and created a huge public backlash against News Corp. and its CEO Rupert Murdoch. Reporters were illegally intercepting voicemail messages left for the British Royal Family, celebrities, British soldiers, and others in their quest to scoop stories. Public figures’ voicemail messages aren’t likely to reveal product secrets, credit card numbers, or confidential business strategies, but your employees’ voicemails can. Voicemail systems can be configured insecurely and easily hacked—if you don’t take the right precautions.

Whether you have an analog or IP-based phone system, your company’s private voicemails are vulnerable. Most voicemail systems require only a simple four-digit personal identification number (PIN) to protect a user’s voicemail, and hackers have a few different methods for figuring out those numbers and gaining access to voice mailboxes, including caller-ID spoofing and social engineering.

The good news is that deleted voicemail messages can’t be hacked. Therefore, the easiest and most effective step you can take in securing your voicemail system is encouraging your employees to delete sensitive messages as soon as they’ve listened to them.

Protect the Inbox

For messages that aren’t deleted, inbox security is the first—and last—line of defense. Make sure that your voicemail system or hosted voice provider requires users to enter a PIN to access their inboxes and supply a password if they need to call a service rep for help retrieving information about their voicemail accounts. Find out, too, if your provider can notify you if anyone tries and fails several times to access the same account. It’s even better if the account can be blocked until an authorized user resets his or her password.
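The notify-and-block behaviour described above, sketched as an added example (not code from the original post or from any phone system). The event format, the mailbox extensions, the five-failure threshold and the ten-minute window are all assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, mailbox extension, result).
SAMPLE_EVENTS = [
    ("2011-10-13T09:00:00", "2041", "FAIL"),
    ("2011-10-13T09:00:40", "2041", "FAIL"),
    ("2011-10-13T09:01:30", "2041", "FAIL"),
    ("2011-10-13T09:02:10", "2041", "FAIL"),
    ("2011-10-13T09:03:00", "2041", "FAIL"),  # fifth failure in three minutes
    ("2011-10-13T09:03:30", "2041", "OK"),    # right PIN, but mailbox already blocked
    ("2011-10-13T09:01:10", "2077", "FAIL"),
    ("2011-10-13T09:02:00", "2077", "FAIL"),
    ("2011-10-13T09:02:30", "2077", "OK"),    # owner mistyped twice, then got in
    ("2011-10-13T09:00:00", "2090", "FAIL"),  # five failures spread over an hour
    ("2011-10-13T09:15:00", "2090", "FAIL"),
    ("2011-10-13T09:30:00", "2090", "FAIL"),
    ("2011-10-13T09:45:00", "2090", "FAIL"),
    ("2011-10-13T10:00:00", "2090", "FAIL"),
]

def find_lockouts(events, max_failures=5, window=timedelta(minutes=10)):
    """Return {mailbox: time it was blocked} for mailboxes still blocked at the end."""
    recent = defaultdict(deque)  # mailbox -> failure times inside the window
    blocked = {}
    for ts, mailbox, result in sorted(events):
        when = datetime.fromisoformat(ts)
        if result == "RESET":          # an authorized user reset the PIN
            blocked.pop(mailbox, None)
            recent[mailbox].clear()
        elif mailbox in blocked:
            continue                   # every attempt is refused while blocked
        elif result == "OK":
            recent[mailbox].clear()    # a successful login clears the counter
        else:
            failures = recent[mailbox]
            failures.append(when)
            while when - failures[0] > window:
                failures.popleft()     # forget failures older than the window
            if len(failures) >= max_failures:
                blocked[mailbox] = when  # this is also the moment to notify
    return blocked
```

Mailbox 2090 shows the limit of a short window: failures that are spaced out never trip it, so a longer-term failure count per mailbox is worth keeping as well.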

Because a PIN is the only thing standing between your employees’ voice mailboxes and hackers, it’s critical that your small business enforces some strict rules about setting up and using PINs.

  • Change the default password. Every voicemail system includes a default password, often a number as easily guessed as 1234 or 0000. Make sure employees immediately change the default password to a random four-digit PIN, or longer if it’s supported by your phone system.
  • Use random numbers. Sequential numbers (e.g., 1234) aren’t the only PINs that can be guessed easily. Instruct employees to use purely random numbers, avoiding birthdates, addresses, and even parts of their social security numbers or phone numbers.
  • Use long passwords. With the right program, a hacker can crack a simple four-digit password in a matter of seconds. A 10-character password, however, could take up to five years to hack. Therefore, it’s best to use long words or even short phrases for voicemail passwords.
  • Change passwords regularly. Voicemail passwords should be changed just as frequently as network login and email passwords. Many experts recommend changing passwords every three to six months or as frequently as your company’s security policies dictate.
  • Check for interference. Often there’s no way to tell if a phone has been hacked until an employee realizes that his or her messages have been tampered with. If a message you know you saved has been deleted or forwarded to a new, unrecognized number, that’s an indication someone has interfered with your voicemail.
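A PIN check that applies the first three rules above when an employee sets a new PIN, as an added example (not from the original post or any vendor's system). The function names, the `personal_numbers` parameter and the sample birthdate and phone number are hypothetical; only numeric PINs are handled.

```python
import secrets

DEFAULT_PINS = {"1234", "0000"}  # the defaults named in the article

def pin_problems(pin, personal_numbers=(), min_length=4):
    """Return the reasons a numeric PIN is weak; an empty list means acceptable.

    personal_numbers is a list of (label, value) pairs such as
    ("birthdate", "1985-03-17"); only digits as written are compared.
    """
    if not pin.isdigit() or len(pin) < min_length:
        return ["must be at least %d digits" % min_length]
    problems = []
    if pin in DEFAULT_PINS:
        problems.append("vendor default")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    # Step between neighbouring digits, modulo 10: all 1 is an ascending
    # run (1234, 8901), all 9 is a descending run (4321).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:
        problems.append("sequential digits")
    for label, value in personal_numbers:
        digits = "".join(ch for ch in value if ch.isdigit())
        if pin in digits:
            problems.append("found in " + label)
    return problems

def generate_pin(length=6, personal_numbers=()):
    """Draw digits from the OS CSPRNG until the PIN passes every check."""
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not pin_problems(pin, personal_numbers, min_length=length):
            return pin

# Constructed sample data for one employee.
SAMPLE_PERSONAL = [("birthdate", "1985-03-17"), ("phone number", "555-0142")]
```

Each extra digit multiplies the number of possible PINs by ten, so a system that supports six or eight digits should have `min_length` raised to match.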

IP phone system security

IP phone systems have an additional layer of potential risk because they operate on your converged network, which is vulnerable to voice-over-IP (VoIP) as well as data traffic attacks. IP phone systems are susceptible to the same attacks as any other networked computer system, including viruses, worms, and Denial of Service (DoS) attacks, as well as those particularly dangerous to phone systems, such as toll fraud, phishing, and eavesdropping.

Your voice network should also be protected with firewalls and an intrusion prevention system (IPS) that are configured to monitor VoIP traffic. A secure phone system, such as the Cisco Smart Business Communication System, should include security devices like a secure router. If you use a hosted IP phone system, make sure you know what security measures your provider has in place to protect your data network from VoIP threats.

October is National Cyber Security Awareness Month, a good reminder that in this digital age, phone calls and voicemail messages are just data that can be copied, forwarded, deleted, or broadcast to the world via the Internet. Data on your IP phone system should be protected just as vigilantly as the data on your servers and computers.

What steps have you taken to secure your IP phone system and employees’ voice mailboxes?


  1. Biggest hassle in it is to ensure discipline in the organisation about sensitivity on these critical aspects among employees. Well said on above but it's necessary to be implemented by the team too.
    There should also be a system wherein default way should be to change passwords on a fortnightly basis, else the same should be blocked by the administrative system. Probably it should address the issue.

  2. Not sure, but most of the voice mails left border on the harmless. This is so-and-so, call me back at xyz. Aren't we overhyping this issue?