Startup finds flaws in popular VoIP products
The Voice over Internet Protocol (VoIP) products of Avaya, Cisco and
Nortel are filled with more than 100 vulnerabilities, according to a
report from VoIPshield Laboratories, the research arm of security
startup VoIPshield Systems.
The flaws could be exploited by a hacker to extort users via
denial-of-service threats, industrial espionage through call recording,
or identity theft by stealing sensitive customer information, according
VoIPshield said it notified the vendors of its findings earlier this
year. Under the terms of the company"s disclosure policy, VoIPshield is
working with the three vendors to help recreate the vulnerabilities in
their own test labs. It is also offering its services to assist the
trio to find fixes for the bugs.
"The message is: enterprises need to take VoIP security seriously,"
Rick Dalmazzi, president and chief executive officer of VoIPshield,
told SCMagazineUS.com. "For all the money and attention given to data
security, people are putting in VoIP systems and not securing them
anywhere near what they"re doing with their data systems.
"We want to see VoIP networks treated the same way as data networks,"
he added. "VoIP networks are vulnerable to the same kinds of exploits,
only those specific to voice."
The vulnerabilities in the three companies" products could allow an
attacker to take over a VoIP phone system, use the phone system to
distribute a worm or virus, or jump to a data network and steal
sensitive information, Dalmazzi said.
VoIPshield lists the vulnerabilities on its website.
According to VoIPshield, it has categorized each vulnerability based on
an exploit"s most likely malicious intent: unauthorized access, code
execution, denial of service or information harvesting.
The company has also given each vulnerability a severity rating based
on a modified industry standard index. Vendor responses are also
included, indicating what action, if any, the vendor has indicated it
plans to take to remediate the vulnerability, and when.
Dalmazzi said that VoIPshield has a strong working relationship with
front-line technical professionals at the three vendors, and high-level
support from Cisco.
Cisco, in fact, has "sent out a communication acknowledging all of the
vulnerabilities and told us in most cases what they plan to do about
them, and when," Dalmazzi said. "They"ve been very professional about
Executives at the remaining two companies, however, have taken a slightly different tack, he said.
Those at Nortel and Avaya have been "less than complimentary about what we"re doing," he said.
An Avaya spokeswoman told SCMagazineUS.com that communications between the two companies hasn"t been ideal.
"While they provided some information initially that allowed us to
replicate some of the vulnerabilities in question, it wasn"t until just
this week that they contacted us with outstanding information that
would enable us to complete full replication -- despite repeated
requests from us," the spokeswoman said. "In any case, the
vulnerabilities are of moderate to low impact, and may be avoided
entirely in some cases with proper configuration on the user side.The
most high-impact issue was with an earlier version of a product that
had been fixed in subsequent versions.”
A Nortel representative said the company plans to address the flaws but questioned VoIPshield"s motives.
“While the issues raised by VoIPshield are not critical security
threats, we take all such issues very seriously and will work to
resolve them as soon as possible,” a Nortel spokesman told
SCMagazineUS.com. “VoIPshield"s focus seems to be much more about
self-promotion than safeguarding network security. This is
counterproductive to the industry.”
Cisco did not respond to SCMagazineUS.com"s request for comment.