The flaws could be exploited by a hacker to extort users via denial-of-service threats, industrial espionage through call recording, or identity theft by stealing sensitive customer information, according to VoIPshield.
VoIPshield said it notified the vendors of its findings earlier this year. Under the terms of the company's disclosure policy, VoIPshield is working with the three vendors to help recreate the vulnerabilities in their own test labs. It is also offering its services to assist the trio to find fixes for the bugs.
"The message is: enterprises need to take VoIP security seriously," Rick Dalmazzi, president and chief executive officer of VoIPshield, told SCMagazineUS.com. "For all the money and attention given to data security, people are putting in VoIP systems and not securing them anywhere near what they're doing with their data systems.
"We want to see VoIP networks treated the same way as data networks," he added. "VoIP networks are vulnerable to the same kinds of exploits, only those specific to voice."
The vulnerabilities in the three companies' products could allow an attacker to take over a VoIP phone system, use the phone system to distribute a worm or virus, or jump to a data network and steal sensitive information, Dalmazzi said.
VoIPshield lists the vulnerabilities on its website. According to VoIPshield, it has categorised each vulnerability based on an exploit's most likely malicious intent: unauthorized access, code execution, denial of service or information harvesting.
The company has also given each vulnerability a severity rating based on a modified industry standard index. Vendor responses are also included, indicating what action, if any, the vendor has indicated it plans to take to remediate the vulnerability, and when.
Dalmazzi said that VoIPshield has a strong working relationship with front-line technical professionals at the three vendors, and high-level support from Cisco.
Cisco, in fact, has "sent out a communication acknowledging all of the vulnerabilities and told us in most cases what they plan to do about them, and when," Dalmazzi said. "They've been very professional about it."
Executives at the remaining two companies, however, have taken a slightly different tack, he said.
Those at Nortel and Avaya have been "less than complimentary about what we're doing," he said.
An Avaya spokeswoman told SCMagazineUS.com that communications between the two companies hasn't been ideal.
"While they provided some information initially that allowed us to replicate some of the vulnerabilities in question, it wasn't until just this week that they contacted us with outstanding information that would enable us to complete full replication -- despite repeated requests from us," the spokeswoman said.
"In any case, the vulnerabilities are of moderate to low impact, and may be avoided entirely in some cases with proper configuration on the user side.The most high-impact issue was with an earlier version of a product that had been fixed in subsequent versions.”
A Nortel representative said the company plans to address the flaws but questioned VoIPshield's motives.
“While the issues raised by VoIPshield are not critical security threats, we take all such issues very seriously and will work to resolve them as soon as possible,” a Nortel spokesman told SCMagazineUS.com. “VoIPshield's focus seems to be much more about self-promotion than safeguarding network security. This is counterproductive to the industry.”
Cisco did not respond to SCMagazineUS.com's request for comment.
See original article on scmagazineus.com
Startup finds flaws in popular VoIP products
By Jim Carr on Apr 4, 2008 10:03AM