VoIPshield Laboratories has discovered over 100 security vulnerabilities in Voice over IP systems marketed by Avaya, Cisco and Nortel. A vulnerability is a design or implementation flaw in a VoIP system that can be exploited by a hacker with malicious intentions, including extortion through service outage threats, industrial espionage through call recording, or identity theft through the stealing of sensitive customer information.
VoIPshield notified the vendors of its findings earlier this year. Under the terms of its Responsible Disclosure Policy, VoIPshield works with the vendors to help them recreate the vulnerabilities in their own test labs, and offers its services to assist the vendors in determining the best remediation approach.
The vulnerabilities are cataloged and presented on the company's website at http://www.voipshield.com/research. Each vulnerability is categorized based on an exploit's most likely malicious intent: unauthorized access, code execution, denial of service or information harvesting. Each is also given a severity rating based on a modified industry standard index. Vendor responses are also included, indicating what action, if any, the vendor has said it will take to remediate the vulnerability, and when.
The database marks the first of ongoing announcements that VoIPshield Labs will make as it continues its research into these and other vendors' products. Avaya, Cisco and Nortel were chosen for the initial round of research because of their popularity in the North American market. Microsoft has recently announced its entry into the enterprise VoIP market.
Just this month, communications research firm In-Stat revealed that while 80% of companies said they'd deployed some type of VoIP solution, more than 40% do not have specific plans for securing them. This finding, based on a survey of U.S. companies conducted in September 2007, was published in a report titled "U.S. Businesses Lag in Securing VoIP." "Regardless of the VoIP solution that is in place or planned, security should be an integral part of an implementation from the beginning," the report summarized.
The vulnerabilities discovered are used by VoIPshield to create signatures for its enterprise VoIP security solutions: VoIPaudit, a VoIP Vulnerability Assessment system, and VoIPguard, a VoIP Intrusion Prevention System. Users are protected against attacks attempting to exploit the known vulnerabilities. VoIPshield products are regularly updated with new signatures through the VoIPshield Update subscription service.