An Ottawa firm that tracks security vulnerabilities in VoIP and unified communications systems has warned of a new threat IT managers should be on the lookout for, particularly if they use Microsoft Office Communications Server.
Standardized packet format media stream protocols (including real-time protocols) are now a target for security breaches, according to VoIPshield Systems Inc. CEO Rick Dalmazzi. This opens up a whole new realm of possible threats based on media stream attacks. “This new category sees things coming through the media stream, and actually through the packets voice call,” he said. “Up to now, all of our announced exploits involved attacking the IP PBX. These new attacks do not go through the PBX. They go directly from user to user.”
While the new issue also affects industry heavyweights like Cisco, Nortel, and Avaya (companies whose flaws have been pointed out by VoIPshield Systems before), Microsoft is yet another point of entry for the possible security bug, according to VoIPshield.
The Microsoft flaw affects Office Communications Server 2007, Office Communicator, and Windows Live Messenger products, which provide VoIP, presence, and instant messaging, and conferencing, VoIPshield said. The attacks would most likely be based on denial of service.
There could be added hiccups with solving a breach of this kind, as media packets often travel between peers, making it harder to keep track of. Dalmazzi gave an example of how this could happen: “If you and I were communicating by Microsoft Live Messenger, and I used the VoIP feature to call you, I could cause your entire computer to freeze up and necessitate a reboot.”
Mohammad Akif, security and privacy lead for Microsoft Canada, said that, after hearing about this breach (from Network World Canada) that he had raised it with his service team. “We are not aware of any attacks of this kind that customers have reported,” he said. “We are investigating this claim to verify it, and if it is true, the appropriate action to protect our customers.”
If there was a vulnerability, said Akif, it would be included and mentioned in the monthly patch release. A more serious flaw would merit an out-of-cycle update and general announcement.
This burgeoning trend is far from critical mass, according to Info-Tech Research Group research analyst Jayanth Angl. He said that there have been few reported attacks of hackers taking information out of VoIP or unified communications systems, as the few that do happen tend to be around denial of service still.
The media stream attacks announced by VoIPshield Systems, said Angl, are virtually unheard of, since they could require someone on the inside and a high degree of tech knowledge.
It may be far on the horizon, but this new threat is in addition to the growing list of VoIP-based threats out there, including availability attacks, confidentiality attacks, theft, toll fraud, and voice spam. Said Dalmazzi: “IT managers have to be responsible for VoIP systems now, so they really have to think of the security, especially with the new products and protocols coming out.”
In Canada, IT managers do indeed need to keep the risks on their radar. Angl said, “With unified communications, there’s also that opportunity for enterprises to federate their communications with partners and customers, and anything federated like that, concerns around privacy and security arise,” he said.
To keep the enterprise’s VoIP safe, both Akif and Angl recommend good patch management and keeping all software up-to-date.