CIO

Blog: VoIP Security Warning: A Hundred Flaws in Three Leading Vendors' Products?

Just how secure is your voice over IP (VoIP) telephony system? If it's from Avaya, Cisco or Nortel, you may be in for a surprise. According to new research, popular products from these leading vendors contain upwards of 100 flaws that could let nogoodniks access your corporate system and steal information, or even launch denial of service (DoS) attacks in an attempt to extort money from your company's coffers.

The research was released by VoIPshield Laboratories, a division of Web telephony security vendor VoIPshield Systems, and it certainly makes sense that such a vendor would want you to think you should run right out and upgrade your VoIP security. But concerns over VoIP security aren't new. We've been writing about the issue at CIO for years, in fact. It seems to me that it's only a matter of time before the potential gain from hacking such systems surpasses the time and effort it takes to crack VoIP security safeguards.

Lawrence Orans, a Gartner research director, agrees. He says in a VoIPshield release that a lack of high-profile hacks or security breaches has largely lulled CIOs and CSOs into a false sense of security.

A March survey of 299 IT professionals by market research firm In-Stat seems to back this assertion. In-Stat found that though more than 80 per cent of companies have deployed some type of VoIP system across their organizations, more than half of them have no plans to secure those systems.

The vulnerabilities uncovered in the Avaya, Cisco and Nortel VoIP systems are listed on VoIPshield's website and are organized based on the most likely ways that the flaws could be exploited. For example, some security flaws could be used to gain unauthorized access, execute malicious code, launch a DoS attack or steal sensitive data, according to the company.

The flaws were also given a severity ranking based on a "modified industry standard index," VoIPshield says. Cisco was the vendor with the most vulnerabilities highlighted by the research. Many of the vulnerabilities listed for the products examined, which include Avaya Communication Manager 3.1.x and 4.x, Cisco Unified Communications Manager 5.x and Nortel Communication Server 1000 4.50.x, were ranked as "high" or "critical" severity.

VoIPshield says it listed the vulnerabilities as part of its "Responsible Disclosure Policy" to help the companies patch the holes in their wares, and the fact that they're publicly available certainly puts pressure on the manufacturers to promptly address the issues. VoIPshield says that it chose to investigate Avaya, Cisco and Nortel products because they're commonly used in North America, but that it plans to probe products from other VoIP vendors, such as Microsoft, in the future.

According to VoIPshield, it has sent disclosure letters to Cisco, Avaya and Nortel, and in some cases the problems have already been addressed. It also uses the vulnerabilities to strengthen its own products.