Severity: High
Factor: Network Security
Summary
The Issue type Telephony/VoIP Device Accessible (telephony) identifies the endpoints using a Telephony/VoIP product.
Description
A Voice over Internet Protocol (VoIP) device is a communication tool that enables users to make phone calls using the internet rather than traditional phone lines. These devices utilize the Session Initiation Protocol (SIP) to establish, manage, and terminate multimedia sessions such as voice calls. SIP is a signaling protocol used for initiating, maintaining, and terminating real-time sessions that involve video, voice, messaging, and other communications applications. VoIP devices can include hardware such as IP phones, analog telephone adapters (ATAs), and VoIP gateways, as well as software applications that run on computers or mobile devices. By leveraging SIP, VoIP devices facilitate the conversion of analog voice signals into digital data packets, allowing for efficient transmission and reception of voice communications over IP networks.
Risk
The primary risk associated with VoIP devices, particularly those utilizing SIP, is their susceptibility to a wide array of security threats. These threats include unauthorized access to communication channels, interception of voice data, eavesdropping, call spoofing, identity theft, denial of service attacks, and exploitation of software vulnerabilities. Hackers may exploit weaknesses in the SIP protocol or in the configuration of VoIP devices to gain access to sensitive information or to disrupt communication services. Additionally, the reliance on internet connectivity exposes VoIP devices to potential network-related risks such as bandwidth constraints, latency issues, and service outages. These risks pose significant challenges to maintaining the confidentiality, integrity, and availability of VoIP communications, potentially resulting in financial losses, privacy breaches, and damage to the reputations of individuals and organizations.
Recommendations
- Implement strong authentication mechanisms for VoIP devices.
- Regularly update and patch VoIP software to address security vulnerabilities.
- Encrypt voice data to protect it from interception.
- Configure firewalls and intrusion detection/prevention systems to monitor and control traffic to VoIP devices.
- Educate users about best practices for secure VoIP usage, including avoiding suspicious calls and messages.
- Monitor all remote connections to VoIP devices and telephony systems for suspicious activity and investigate any anomalies. If suspicious activity is discovered, take immediate action to prevent further damage.
Additional Information
The severity in Scoring 3.0 is High; this issue type had a significant correlation with breach. It is based on breach risk and determined by SecurityScorecard based on SecurityScorecard data using ML/AI. See the Scoring Methodology Whitepaper.
The finding is based on the Product detected on a specific IP:PORT combination. A different IP, port or product will result in a different finding.
Self testing
- Run nmap with the banner script. The example here is for a finding on 18.160.10.37:5061 with the product Tandberg-4137 VoIP server X12.5.7.
Platform:
Nmap: nmap -sV --script=banner -p 5061 18.160.10.37 -Pn
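An added example (not SecurityScorecard's code): a Python self-test in the spirit of the nmap check above, which sends one SIP OPTIONS request to an endpoint you operate and reports whether it answers as SIP and which Server/User-Agent banner it discloses. The function names, the `selftest.invalid` identities and the sample response are assumptions constructed for illustration.

```python
import socket
import ssl
import uuid

# Constructed sample response (not captured from a real device).
SAMPLE = (b"SIP/2.0 200 OK\r\nVia: SIP/2.0/TLS selftest.invalid;branch=z9hG4bKabc\r\n"
          b"server: ExampleVoIP/1.0\r\n (build 7)\r\nContent-Length: 0\r\n\r\n")

def build_options(host: str, port: int, transport: str = "TCP") -> bytes:
    """Minimal RFC 3261 OPTIONS request; the identities are placeholders."""
    tag = uuid.uuid4().hex
    lines = [
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/{transport} selftest.invalid;branch=z9hG4bK{tag[:16]}",
        "Max-Forwards: 70",
        f"From: <sip:selftest@selftest.invalid>;tag={tag[16:24]}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {tag}@selftest.invalid",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_response(raw: bytes) -> dict:
    """Extract the status line and the headers that disclose a product."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    head = head.replace("\r\n ", " ").replace("\r\n\t", " ")  # unfold continuation lines
    first, *rest = head.split("\r\n")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return {"sip": False, "status": None, "banners": {}}
    banners = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "user-agent"):  # names are case-insensitive
            banners[name.strip().lower()] = value.strip()
    return {"sip": True, "status": int(parts[1]), "banners": banners}

def probe(host: str, port: int, tls: bool = True, timeout: float = 5.0) -> dict:
    """Send one OPTIONS to an endpoint you own and parse whatever comes back."""
    raw = socket.create_connection((host, port), timeout=timeout)
    # 5061 is SIP over TLS; the default context verifies the certificate and raises if it is invalid.
    conn = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if tls else raw
    with conn:
        conn.sendall(build_options(host, port, "TLS" if tls else "TCP"))
        return parse_response(conn.recv(4096))
```

If `probe` raises a connection error or returns `sip: False` for the IP:PORT named in the finding, the endpoint did not answer as SIP from the network location where you ran it.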
Remediation
SecurityScorecard allows the removal of findings if either of the following is true:
- The endpoint is closed and/or the product is no longer offered.
=> Select the finding and then click on the "Fixed" button, "technical_remediation".
- After verification (for example, using the methods above), the endpoint defined in the finding does not offer any Telephony/VoIP product, contrary to what SecurityScorecard states, or the endpoint has all our recommendations applied.
=> Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue and I think it's incorrect", "false_positive".
Note: If the Telephony/VoIP product cannot be removed, or if the secure configuration cannot be implemented (for example the configuration of the endpoint cannot be changed due to business requirements or the service doesn't provide this feature), it is SecurityScorecard policy that the finding remains as-is, and you can add a Public Issue Comment to provide context to anyone following your scorecard. See https://support.securityscorecard.com/hc/en-us/articles/360056396471-Commenting-on-Issues for more information.