It is shocking and outrageous that there are more than 100 security holes in VoIP products from Cisco, Avaya and Nortel.
The flaws were discovered by VoIP security solutions vendor VoIPshield, which revealed the vulnerabilities to the public today.
An interesting example of an identified Cisco VoIP vulnerability revealed today is shown below:
In the above example, a potential attacker exploiting the Cisco Unified Communication Manager (UCM) vulnerability related to its Disaster Recovery Network could obtain full access to the UCM by getting a remote shell on the attacker's machine.
Subsequently the attacker could either disable UCM completely, download all the information from UCM to the attacker's machine or upload an executable file to the UCM.
Then the attacker could force all the Cisco softphones connected to this UCM to reboot and download that executable file.
It could be a bot, Trojan or worm.
Once the executable is downloaded and executed, the attacker has full access to the user’s laptop running the softphone.
This scenario could be repeated when, for example, the user of the laptop connects to another UCM.
VoIPshield has been working with major VoIP vendors since last December.
Following the terms of their Responsible Disclosure Policy, VoIPshield provided all of the VoIP vendors with detailed vulnerability descriptions and enough time to reproduce and respond to them.
Different vendors responded in different ways – some of them accused VoIPshield of grandstanding, self-promotion and skirting the boundaries of ethical disclosure.
But others, specifically Cisco Systems, responded in a professional manner, acknowledged the issues and are working with VoIPshield to resolve them.
"Personally I was surprised that Cisco Systems, known for not being very forthcoming when their products are singled out because of security issues, was very professional and willing to work with us to solve these issues," said Bogdan Materna - Founder & CTO of VoIPshield.
"It was nice to see."
There are over 1.2 billion landline and over 2 billion wireless phones (there are fewer than 1 billion PCs).
They are all converging on common VoIP network infrastructure and becoming part of the Internet.
But as we have seen in the early days of the Internet, security problems are being downplayed or outright ignored.
Vendors are rushing to market with new applications and devices without proper security.
Users are, in most cases, not aware that their new voice infrastructure brings serious security problems and exposures.
There are simple ways of quickly assessing the security of VoIP networks, for example, by using VoIP Vulnerability Assessment tools such as VoIPauditLite, which VoIPshield makes available as a free download.
And if you want to protect your VoIP infrastructure from these attacks, you may wish to think about deploying a VoIP Intrusion Prevention System (VIPS) such as VoIPguard.
View VoIP Security Resources:
Identified VoIP Vulnerability Database
VoIP Security Industry Resources
VoIP Security White Papers
Learn About VoIP Security
View dramatization of hacking into a financial institution's VoIP telephony system and see just how vulnerable enterprise VoIP systems really are:
Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.