VoIP Security Warning: A Hundred Flaws in Three Leading Vendors’ Products?
By Al Sacco
Managing Editor, CIO
Just how secure is your voice over IP (VoIP) telephony system? If it’s from Avaya, Cisco or Nortel, you may be in for a surprise. According to new research, popular products from these leading vendors contain upwards of 100 flaws that could let nogoodniks access your corporate system and steal information, or even launch denial of service (DoS) attacks in attempts to extort money from your company’s coffers.
The research was released by VoIPshield Laboratories, a division of Web telephony security vendor VoIPshield Systems, and it certainly makes sense that such a vendor would want you to think you should run right out and upgrade your VoIP security. But concerns over VoIP security aren’t new. We’ve been writing about the issue at CIO for years, in fact. It seems to me that it’s only a matter of time before the potential gain from hacking such systems surpasses the time and effort it takes to crack VoIP security safeguards.
Lawrence Orans, a Gartner research director, agrees. He says in a VoIPshield release that a lack of high-profile hacks or security breaches has largely lulled CIOs and CSOs into a false sense of security.
A March survey of 299 IT professionals by market research firm In-Stat seems to back this assertion. In-Stat found that though more than 80 percent of companies have deployed some type of VoIP system across their organizations, more than half of them have no plans to secure those systems.
The vulnerabilities uncovered in the Avaya, Cisco and Nortel VoIP systems are listed on VoIPshield’s website and are organized based on the most likely ways that the flaws could be exploited. For example, some security flaws could be used to gain unauthorized access, execute malicious code, launch a DoS attack or steal sensitive data, according to the company.
The flaws were also given a severity ranking based on a “modified industry standard index,” VoIPshield says. The vendor with the most vulnerabilities highlighted by the research was Cisco. Many of the vulnerabilities listed for the products examined, which include the Avaya Communications Manager 3.1.x and 4.x, Cisco Unified Communications Manager 5.x and Nortel Communications Server 1000 4.50.x, were ranked as “high” or “critical” severity.
VoIPshield says it listed the vulnerabilities as part of its “Responsible Disclosure Policy” to help the companies patch the holes in their wares, and the fact that they’re publicly available certainly puts pressure on the manufacturers to promptly address the issues. VoIPshield says that it chose to investigate Avaya, Cisco and Nortel products because they’re commonly used in North America, but that it plans to probe other products from other VoIP vendors, such as Microsoft, in the future.
According to VoIPshield, it has notified Cisco, Avaya and Nortel with disclosure letters, and in some cases the problems have been addressed. It also uses the vulnerabilities to strengthen its own products.
How concerned are you with VoIP security? Do the VoIPshield findings surprise you or make you any more concerned than in the past?
Al Sacco was a journalist, blogger and editor who covered the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.