Unified communications and its vulnerabilities

October 28th, 2011

Unified communications is a revolutionary technology that integrates many worlds of communication at one place. The way unified communications has converged many services is something unprecedented. You can get all the great features of unified communication like instant messaging, video conferencing, data sharing, electronic whiteboards, and call controls etc through one service. Recent developments in the VoIP industry have made it possible to integrate VoIP with the unified communications. Key VoIP service providers like Packet 8, Axvoice, and Nextiva have already integrated unified communications in their phone services. One unique advantage of integrating unified communications is that you can access them through different devices. A key benefit of unified communications is that the end-user can respond to any type of incoming communication within no time. You will also be able to view one type of communication on a different type of device originally received on another device in a different data format.

Vulnerabilities of Unified Communications

Unified communications are vulnerable to different types of attacks. Let us review these threats which can exploit the weakness of unified communications.

Denial of Service Attack

This is one of the most commonly used ways of attacking unified communications. The attacker can use different attacking techniques to target the end user or even the servers involved in carrying out the whole process. The attacker usually uses SIP messages for the denial of service attack. The attacker waits for an incoming call to a phone user. Once the INVITE has been received by the end user, the attacker immediately sends the cancellation request. Resultantly, an error is generated by the invitee’s device and the call is ended. The main purpose of this attack is usually to disrupt the service. If the end user receives these kinds of calls repeatedly, the unified communication environment can direct the calls to other routes like email, voicemail, message store etc. The other dangerous type of denial of service attack occurs when the dialog is initiated between the two users. The end result is the BYE attack in which the call ends before it starts. This attack is also geared towards disruption of the service.

These both kinds of denial of service attacks can be overcome by a well designed SIP device. An intelligently built SIP device should be able to recognize if a CANCEL or BYE request is initiated by the end user or not. In the same way a private network directed through the UCS is not normally vulnerable to this kind of attack.

Eavesdropping

One of the key features of unified communications is that the end user can send the other user a RE-INVITE in the middle of a conversation for changing the type of communication. This RE-INVITE could also mean change in the location of the conversation. In this change of location, during the RE-INVITE, the attacker many invite someone else to join the conversation as well. The best way for the end user to shield himself from this kind of attacks is to only accept these kinds of invitations from the user who he really trusts. End user is strictly prohibited to send extremely confidential information like credit card number, passport number and other personally identifiable information unless very sure about the intent of the user at the other end.

Message hijacking

This is one other dangerous attack on the end-user. In this particular type of attack all the messages that are sent to the attack are re-sent to some undesirable user or users. The messages may contain very important information like meeting dates, critical document drafts, or other sensitive data. Only share this kind of information through secured means and only with known trusted users at the other end.

Prevention measures

Usually advanced unified communication systems implement a proper authentication system before enabling end to end communication. There needs to be a secure connection between the client and the server by matching the exact security protocols supported by each one of them. Encryption of the communications is one way of ensuring the security of the data travelling between two mediums. Secondly, all devices that are requesting authentication with the unified communication systems first need to be properly and clearly identified before any such permission is granted. A SIP aware firewall installed can also be deployed which can evaluate the SIP headers to ensure their compliance with RFC. Lastly standard techniques should be deployed to protect email servers, voicemail servers, and gateways which are critical to the unified communication environment security.


This was a guest contributed article. Create a FREE account to submit your article today.
Author: Robert Showerma

4 responses to “Unified communications and its vulnerabilities”

  1. Ben Hersh says:

    To be frank, I am not impressed with that news. In fact they continuously keep on doing such things. The aim of this useless activity is not to produce or update the performance of the product but just to be a part of the news. Yes this is what skype people do. They do nothing but look busy.

  2. Alonzo Jose says:

    yes updating the security software on a VoIP service is a task that demands careful hands. It is easy for a small VoIP service provider to update its security software but very difficult for those who have millions of users. Unfortunately, most of the large providers keep on post posting this task.

  3. Sidney says:

    Yes updating a security software has not remained a very difficult task. All you need is to spend some money. Most of the VoIP service providers eary very good profits but they don’t want to spend suficient money for the security of their system. Often such providers have to pay very heavy price for that negligence.

  4. B says:

    You can avoid all a large amount of issues if you segment your phone system from your users. If your making sure only phones have access to your phone system you just cut most issues out of the picture. Too bad Shoretel doesn’t let you really do that if you want to use the communicator!

Leave a Reply

Your email address will not be published. Required fields are marked *

VoIP Directory

drvoip directory

Ask DrVoIP

ask drvoip

Network Readiness Assessment

drvoip readiness checklist

Is your network Ready?

Complimentary free download - DrVoIP VoIP Network Readiness Assessment Checklist (pdf)

Download Now ›

DrVoIP Planning Guide

voip planning guide

DrVoIP Planning Guide

A plain language VoIP guide for the business professional. (pdf)

Download Now ›

DrVoIP ShoreTel ECC Planning Guide

ecc planning guide

DrVoIP ShoreTel ECC Planning Guide

Complimentary free download - DrVoIP VoIP Network Readiness Assessment Checklist (pdf)

Download Now ›

Training Videos

shoretel ipbx cisco cusm
shoretel ecc audio voice prompts
cisco uccx call back option
generic call queue cc admin
   

statcounter



free
web stats


© Copyright DrVoIP.com 2017
Follow DrVoIP