Security Watch | Matt Hines

April 02, 2008

Researchers uncover 100 VoIP vulnerabilities

We've been hearing for years that widely used VoIP systems may hold large numbers of exploitable vulnerabilities, but a new report isolates over 100 specific flaws that researchers have found in the applications.

According to VoIPshield Labs -- the research division of VoIPshield, which markets security software for use in protecting Internet calling tools -- the issues unearthed in some of the most popular VoIP software packages, made by companies including Avaya, Cisco and Nortel, represent proof that such technologies require far more scrutiny by security experts and business users.

Among the flaws listed in the firm's new database of VoIP security threats are those that could be used for unauthorized access, code execution, denial of service or information harvesting attacks.

All of the vulnerabilities have already been disclosed to the affected vendors, but while a handful have already been patched, in most cases the VoIP applications providers are still working to fix the issues, according to the report.

At first glance, Cisco accounted for the largest number of the vulnerabilities, with many of the issues -- across all three vendors -- rated either "high" or "critical."

The key is getting ahead of the malware community on addressing the problem, VoIPshield officials claim.

"It's important that companies understand the security risks associated with their VoIP systems," Rick Dalmazzi, CEO of VoIPshield, said in a report summary. "Now is the time to start planning a protection strategy, while the hacking community is still learning about VoIP, not after the attacks begin."

The researchers cited another report recently published by In-Stat that concluded that while roughly 80 percent of all U.S. companies said they have already installed some form of VoIP, only 60 percent are doing anything to secure the tools.

Most VoIP attacks highlighted by the security research community thus far have had relatively limited scope, appearing in proof-of-concept state or being used much like traditional e-mail attacks to harvest end users' lists of contacts.

However, more advanced attacks, such as those that could be used to intercept users' conversations or drill through the applications into other areas of IT infrastructure, are coming, and companies must prepare themselves, analysts said.

"The limited number of high-profile attacks against IP telephony has lulled most chief information security officers and voice/data managers into a false sense of security, with the result that most do not have adequate protection for their converged networks," Lawrence Orans, analyst at Gartner, said in the VoIPshield report.

"As IP telephony continues to gain momentum, targeted attacks -- and possibly broad-based attacks -- will surface and gain greater visibility, highlighting vulnerabilities and the overall lack of focus on IP telephony security," Orans said.

Posted by Matt Hines on April 2, 2008 08:31 AM

