Voice

All traffic to and from babblevoice is carried via SIP and its companion RTP. We don’t encrypt any of the data between any end points. SIP communications are secured via usernames and passwords. A phone never sends a username or password in a call. Instead, the phone sends an MD5 hash of the username and password along with a random string, so anyone who tries to hijack this information will not be able to use it.

As part of creating the username and password in the babblevoice console, we auto-generate a strong password to be used in phones. The generated password is considered strong enough that a brute force attacker would not reasonably be able to guess it. It is the end user’s responsibility if they choose to use a weaker password.

Fraudulent Calling

One of the biggest concerns of a lot of our users is their account being hacked and funds being consumed for fraudulent reasons.

A big problem is users calling foreign premium rate numbers. For example, a rogue employee registers a premium rate number in Lithuania. He will earn 50p per minute when anyone calls it. He gets employed by you. Every evening, before he goes home, he picks a random phone in the building, makes a call to the premium rate number and leaves the phone lightly off hook.

The same problem has also been implemented using computer viruses. An infected computer looks for VoIP phones on its network; when it finds one, it attempts to use the default username and password to make a call from it to the premium rate numbers.

At babblevoice, we have been very lucky to not be affected by this too much. However, luck is not entirely at work: we have a number of things in place which, together, protect us and you as much as possible.

Phone call monitoring

Calls placed through babblevoice are monitored. We attempt to look for fraudulent activity. This is not perfect, but we have caught some traffic like this.
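A check in this spirit can be run over exported call records to surface the off-hook pattern described earlier (evening calls left running to a foreign number). This is an added example, not babblevoice's monitoring: the record layout, home prefix, working hours, thresholds and sample calls are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, time

HOME_PREFIX = "+44"                             # assumption: UK account
WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumption: office hours
LONG_CALL_MINUTES = 60                          # assumption: review threshold

# Constructed records: (extension, destination, start time, minutes)
SAMPLE_CALLS = [
    ("201", "+441632960001", "2024-03-04T10:15", 12),
    ("207", "+3700000000", "2024-03-04T18:40", 830),
    ("203", "+3300000000", "2024-03-05T11:00", 25),
    ("207", "+3700000000", "2024-03-05T18:55", 815),
    ("210", "+441632960002", "2024-03-05T19:30", 5),
]


def reasons_for(call):
    """Return the independent warning signs present on one call record."""
    _ext, dest, start, minutes = call
    started = datetime.fromisoformat(start).time()
    reasons = []
    if not dest.startswith(HOME_PREFIX):
        reasons.append("international")
    if not (WORK_START <= started < WORK_END):
        reasons.append("out-of-hours")
    if minutes >= LONG_CALL_MINUTES:
        reasons.append("long")
    return reasons


def suspicious(calls, min_reasons=2):
    """Flag calls showing at least min_reasons signs, to limit false alarms."""
    flagged = []
    for call in calls:
        reasons = reasons_for(call)
        if len(reasons) >= min_reasons:
            flagged.append((call[0], call[1], reasons))
    return flagged


def repeat_destinations(flagged):
    """Destinations flagged more than once: the nightly repeat is the tell."""
    counts = Counter(dest for _ext, dest, _reasons in flagged)
    return {dest: n for dest, n in counts.items() if n > 1}
```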

Phone security

When babblevoice auto-provisions phones, by default it locks down lots of things to ensure they are more secure. We auto-generate strong passwords. If you decide to set up phones yourself, ensure you follow good practices that are secure - it matters.

Only use phones which we have accredited. This means we have also taken the time to consider some settings which involve security.

We recommend that phones are on their own dedicated network (VLAN or physical). This secures the phones from computer networks - see provisioning.

Pre pay

babblevoice is pre pay. This is by design. It naturally means your account is ring-fenced to an affordable amount of money. The worst case scenario is that the money on your babblevoice account is wiped out. If you find money disappearing faster than you expected, look at your call records before topping up.

We have seen our competitors who do not use prepay serve surprise bills running into £1000s at the end of the month. The way we do it, we all get to find out about a problem immediately.

babblevoice Limits

Under Domain Setting, you can configure which external calls babblevoice allows. Configuring limits such as maximum call spend may annoy a couple of users, but it will prevent calls you didn’t anticipate from going through.

babblevibes

Keep an eye on your account. We worked hard to bring you babblevibes, with the hope that it is useful in driving your business targets. It is also capable of showing statistics regarding call costs, so you will see very quickly if there is an issue.

Provisioning

Provisioning makes it easy to simply plug in a phone and use it. With a Polycom phone, all you need to do is enter the serial number of the phone into babblevoice, plug it in and use it. It is also useful for security. When we configure a phone we do a lot more than you realise. Settings regarding security are tweaked to ensure it is as secure as it can be. If you play with the settings yourself you may reduce the security of the phone.

Most phones are provisioned via HTTPS. Usernames and passwords are sent and secured via HTTPS, and we configure our servers to use TLS rather than SSL for encryption to ensure confidence in security.

Cisco phones use HTTP to download provisioning information; however, the configuration files are encrypted using AES 256 CBC, which is considered a strong encryption method. We use a strong encryption key which only the phone knows.

Recorded calls

All calls which are recorded on the babblevoice system are stored in Amazon S3. Amazon have their own security policies on this product. When a user requests a download of a recorded file, babblevoice issues a URL to that file which is valid for 4 hours. These URLs are only issued via our API over HTTPS (see the notes above) so cannot be spied on.

Logging in

Since day one, babblevoice has used OpenID to authenticate users who wish to log in and configure babblevoice. This is because:

  • We don’t have to store your passwords (we don’t want that responsibility!)
  • It is a secure standard
  • It means you have to remember/store fewer passwords
  • If your one password is breached then you only have one password to change
  • When Google or other providers implement more secure methods of authenticating (such as 2 step auth) it means we automatically support it

API

We openly publish source files and JavaScript on our web servers. But all communications to get data (call records amongst other statistics) are authenticated using the secure standard OAuth and encrypted using HTTPS (and again, as mentioned above, we configure our servers for TLS, which is more secure than SSL).

More information about

Also, check out the babblevoice University on YouTube or ask a question in our Google Group.