Because unified communications technologies, such as VoIP, are really just beginning to go mainstream, there simply has not been a lot of emphasis on the security risks that are associated with unified communications systems. Even so, implementing a unified communications system introduces some unique security risks that administrators may not have had to deal with in the past and may be ill-equipped to handle.
In fact, a recent SearchVoIP.com article, VoIP vulnerability threatens data, cited a rather serious vulnerability related to the SIP protocol. This particular vulnerability would allow an attacker to use a weakness in the SIP protocol to force a buffer overflow on machines running Windows XP Service Pack 2. In the past, this type of overflow attack was used only to crash soft phones, but the article states that a similar type of attack could be used to open a connection between the attacker and the victim's computer, which would essentially give the attacker full access to the machine. As a result, the attacker would be able to create, copy or delete files.
This is only one of dozens of known exploits against unified communications systems. The reason I mention this particular type of attack is that it illustrates the need for strong security for unified communications.
Even organizations that think they are secure should consider reevaluating their security mechanisms. Oftentimes, security mechanisms that are designed for traditional data networks cannot detect attacks against unified communications. That's because such attacks often make use of unified communications-related protocols, such as SIP, and traditional security mechanisms do not usually perform a detailed examination of such packets, which would allow attack signatures to be detected.
One cannot ignore the seriousness of attacks against unified communications systems. At best, such an attack might disable your company's phones. At worst, though, a unified communications-based attack could allow an attacker to steal or modify data, or eavesdrop on voice or video calls.
Unfortunately, I would have to write a good-sized book in order to cover all of the known exploits and countermeasures related to unified communications systems. Since I can't possibly tell you everything that you need to know, I'll at least show you where you can get information on how to secure your network against these types of attacks.
If your unified communications systems do not have an automatic update feature, I recommend checking the manufacturer's website at least once a week to see whether any security patches have been released or whether any security advisory bulletins have been posted. One thing to keep in mind, though, is that every manufacturer does things a little bit differently. Some manufacturers are very security conscious and post security information and patches on a regular basis. Others tend to neglect known security issues.
While researching this article, I found a post on a website indicating that the systems of one of the leading VoIP companies contained a major security hole. The company that discovered this vulnerability contacted the manufacturer, but the manufacturer has yet to even acknowledge the issue. I don't like to point fingers or name names, so I'm not going to name the manufacturer, but if you would like to see the post that I am referring to, you can find it here.
By far the best resource that I have found for information on vulnerabilities with unified communications systems is here. VIPER Lab is dedicated to discovering unified communications-related vulnerabilities and to making those vulnerabilities public. Some of the vulnerabilities that are listed on the site are specific to individual manufacturers, but others exist at the protocol level and are inherent to any unified communications product which uses that protocol.
Unfortunately, there is no easy way to secure your unified messaging systems. Some vulnerabilities affect almost all unified messaging systems, regardless of make or model, while other vulnerabilities are specific to certain brands. Until traditional firewalls and IDS systems evolve to the point where they can detect unified messaging-based attacks, your best defense is to monitor the various websites that I have mentioned in this article in order to arm yourself with the latest security information.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com..