Unified Communications Creates Security Holes. Here's How To Plug Them.
UC Exposes Security Gaps That Your Regular Firewall Can’t Even Begin To Sew Up. But A Combination Of Smart Policies And The Right Hardware Can Make Sure Your Company Is Safe.
By Gilman Stevens, Director of SBC R&D and the VIPER Lab, Avaya and Gina Odean, National Director of Converged Solutions, NACR
(Note: This is an excerpt from Avaya’s recently-published e-book, The 2013 Guide To Collaboration Trends. Download the full 160-page PDF here.)
Your desk phone at work may seem no more dangerous than your coffee mug or stapler. But appearances can be deceiving. Unlike yesterday’s “dumbphone,” today’s VoIP-enabled phones combine the features of a computer and a network router in one.
The power and accessibility of these phones can be turned against them. Researchers at Avaya’s VIPER Lab and NACR have found that an unprotected IP phone gateway will be found and broken into by hackers located anywhere in the world within a week. Our research shows you can expect hackers to use your corporate network to rack up about $2,000 worth of fraudulent calls in just 8 hours–or half the time between the end of one workday and the start of the next one.
That’s not just theory; it’s reality. Enterprise customers hit by “toll fraud” tell VIPER Lab experts that they lost on average between $10,000 and $20,000 per month. One company lost $200,000 in a single month due to unauthorized international calls, usually to premium 1-900 numbers such as phone sex lines that charge hefty per-minute fees and from which the hackers directly or indirectly earn a cut.
Today’s unified communications (UC) networks mean that VoIP and SIP traffic runs over the same networks as your corporate data. That means that if you don’t take steps to secure your VoIP/SIP networks, you can make your corporate data network vulnerable to malware and the hackers who create it. For example, using a VoIP phone in a company lobby or public area, a hacker with the right skills and knowledge of open-source tools can gain entrance into the corporate data network. Exploiting all-too-common weak passwords, the hacker can gain access to confidential company information and customer information in a matter of several hours.
Even More Threats
Again, all of this can be avoided if enterprises take common-sense steps to secure their VoIP/SIP networks (detailed below). But fail to do so and you expose other potential gaps. Just as hackers have extorted online retailers by threatening to disrupt their Web servers using mass denial of service (DoS) attacks, hackers can extort businesses by threatening to launch worker-crippling DoS attacks against UC networks. Or they can easily steal corporate information, either by eavesdropping on unencrypted VoIP conversations or by breaking into corporate servers as demonstrated by VIPER Lab researchers above.
The number of potentially unprotected pathways into your network is also growing, for two reasons:
1) the rise of telecommuting and home-based workers (and their often-insecure home Wi-Fi networks), and
2) the explosion in employees using tablets and smartphones at work, especially personally owned mobile devices.
To satisfy workers, companies are extending their VoIP and UC networks out to these endpoints. But in their rush, even healthcare and financial services organizations that operate under heavy security and privacy rules such as PCI DSS or HIPAA are often failing to create or enforce strong security policies protecting these remote outposts.
For example, a company may deploy a VoIP phone to a home office worker without forcing him or her to change the default “1234” access password. In that state, a hacker can easily take control of your phone, either to break into your main corporate network or use it for social engineering purposes. For example, the hacker could change your caller ID to “IT Support” and use it to start calling employees and asking for their login and password details.
Gaining Peace of Mind
There are steps you can take with your VoIP software to cut down on risks. For instance, make it standard policy to encrypt all VoIP calls, whether they are between employees in the office (and thus behind your enterprise firewall) or if they are from workers’ mobile and home office phones outside your network DMZ. Avaya Aura® Communication Manager lets you turn encryption on or off for such calls. The peace of mind you’ll enjoy will outweigh any potential hit on performance.
Companies are also starting to ensure that their annual independent security audits include testing of how vulnerable their VoIP and SIP networks are. We are seeing financial firms, airlines, and other global service companies starting to include this in their network assessments. Very soon, this will become mainstream.
The real panacea for your UC security woes is something called a session border controller (SBC). Like a traffic cop for your IP voice and video traffic, a properly configured SBC can enhance the performance of your VoIP/SIP network while protecting you from disaster.
Avaya offers just such an SBC. Moreover, that SBC is bolstered by proactive research from the VIPER Lab that enables threats to be anticipated and locked down years before they are discovered. And it comes in versions suitable for both Fortune 500 firms and smaller companies.
Ah! you say, but my carrier or SIP trunking service provider says it uses an SBC. Isn’t that enough to protect me? Actually, no. The main job of a service provider’s SBC is to protect its network from potentially malevolent traffic coming via YOUR leased lines. Protecting your enterprise from things like potential toll fraud is a secondary concern. That means that if a hacker successfully sniffs out your company’s VoIP network, he or she could likely successfully make thousands of short calls that rack up as much as $1,000 in toll bills in a few seconds. While a service provider’s SBC is unlikely to block such calls, an enterprise-controlled SBC can easily be set to do so.
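The two toll-fraud patterns described in this article (after-hours calls to premium or international numbers, and rapid bursts of short calls from one source) can be checked against call detail records. The following is an added example, not Avaya SBC configuration or code from the e-book; the record layout, thresholds, business hours and sample calls are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call detail records (assumed layout):
# (start time, source extension, dialed number, duration in seconds)
SAMPLE_CDRS = [
    ("2013-03-04 10:15:00", "2001", "13035550100", 240),   # ordinary daytime call
    ("2013-03-04 11:30:00", "2002", "011442055501", 600),  # daytime international
    ("2013-03-04 23:40:00", "2003", "19005550111", 900),   # late-night 1-900 call
] + [
    # Burst of eight 4-second international calls from one extension at 02:00
    ("2013-03-05 02:00:%02d" % (i * 5), "2007", "0115355500%02d" % i, 4)
    for i in range(8)
]

BUSINESS_HOURS = range(8, 18)         # 08:00-17:59, assumed site policy
SHORT_CALL_SECS = 10                  # assumed cutoff for a "short" call
BURST_WINDOW = timedelta(seconds=60)  # assumed look-back window
BURST_LIMIT = 5                       # short calls allowed per source per window


def is_high_cost(number):
    """Premium-rate (1-900) or international (011 prefix) in NANP dialing."""
    return number.startswith("1900") or number.startswith("011")


def evaluate(cdrs):
    """Return (time, source, dialed, reason) for every call the policy flags."""
    recent_short = defaultdict(list)  # source -> start times of recent short calls
    flagged = []
    for ts, src, dialed, secs in sorted(cdrs):  # ISO timestamps sort by time
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if is_high_cost(dialed) and when.hour not in BUSINESS_HOURS:
            reasons.append("after-hours high-cost destination")
        if secs <= SHORT_CALL_SECS:
            window = [t for t in recent_short[src] if when - t <= BURST_WINDOW]
            window.append(when)
            recent_short[src] = window
            if len(window) > BURST_LIMIT:
                reasons.append("short-call burst")
        if reasons:
            flagged.append((ts, src, dialed, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for row in evaluate(SAMPLE_CDRS):
        print(*row, sep="  ")
```

Because call duration is only known after a call ends, this is a review of records; a control that blocks calls as they are placed would apply the same rules to call attempts instead.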
Also, enabling your service provider’s SBC to protect your enterprise SIP/VoIP network requires you to open up and share your full internal topology with your service provider. Not only is that counter-intuitive, but it would require an extraordinary amount of trust in your service provider. It would be like a homeowner giving ADT a map to all of the valuables in their home, including the code to their safe, in the hope that it would make their home safer from thieves.
The final analysis: Any enterprise that wants to protect its UC network needs to take all of the steps above, including deploying its own SBC. It is as much of a must-have as a network firewall for any company connected to the Internet.
Gil Stevens is Director of Avaya’s Session Border Controller product R&D team and the VIPER (VoIP Exploit Research) Lab. He has nearly three decades of telecom network experience with a passion for software quality and network security.
Gina Odean, National Director of Convergence at NACR, leads a team of highly certified Convergence Engineers who serve its customer base locally and globally. NACR is one of the largest Avaya channel partners worldwide and nine-time Avaya Business Partner of the Year. It is also the 2012 Avaya U.S. Services Partner of the Year and a leading global integrator of business communications solutions and services.