Thursday, September 19, 2019

What Is SIP Trunking, and Should Your Business Use It? - Business News Daily


Posted: 18 Sep 2019 05:15 AM PDT

  • SIP trunking can significantly cut costs and increase reliability for your business phone system.
  • To determine the right service for your business, you need to research and carefully assess your business's communication needs.
  • SIP trunking pricing is based on several factors, like your vendor and add-on features.

As a small business owner, you're always looking for ways to cut costs and optimize your business. SIP trunking is an increasingly popular way for businesses to minimize their phone costs and improve their telecommunication bandwidth, but it can be a difficult service to understand. We broke down what SIP trunking is and how you know if it's right for your business. 

To put it simply, SIP trunks are virtual phone lines that allow you to make and receive calls over the internet to anyone in the world who has a phone number. 

SIP stands for Session Initiation Protocol, a popular telephony protocol that initiates calls over the internet and is primarily used to manage multimedia communications, like voice and video calls. SIP establishes and terminates the connection for a phone call, controls the transfer of data, and is what enables services like Skype and Facebook Messenger to provide free calling anywhere around the world.

A "trunk" is a line or link that carries signals and connects nodes in a communications system – in other words, a pipe that carries the data channels inside it to connect two locations.

SIP trunking is a method of sending voice and other communications over the internet through an IP-enabled private branch exchange (PBX), which is a telephone system within an enterprise that switches calls between users on local lines while allowing them to share the use of external phone lines. A PBX cuts down on costs by avoiding the need for each user to have a line to a telephone company's central office. SIP can be used to send and receive local and long-distance calls, text messages, and emails; browse the internet; and conduct video chats.

SIP trunking replaces the traditional method of the public switched telephone network (PSTN), which is a copper-wire, circuit-switched network that requires a physical connection between two points to make a call. Instead, SIP trunks use a packet-switched network, which breaks down voice calls into digital packets and sends them over a network to their destination.


Each SIP trunk can hold an unlimited number of channels. A channel, or line, is equivalent to one incoming or outgoing call. Because each trunk can hold as many channels as necessary, a business would only need one SIP trunk – no matter how many calls you have coming in and going out at one time. The more phone calls you have running concurrently, the more trunk channels you will need.

When looking for a SIP service provider, make sure you have a good estimate of how many channels you will need to get an accurate quote, since many vendors only charge you for the number of channels you need.

SIP and VoIP (Voice over Internet Protocol) are similar in many ways, but they cannot be used interchangeably. "VoIP" is a broad term that can describe any internet-based phone service (including SIP), but SIP is a specific protocol that enables VoIP by establishing start and end points and defining messages during a call.

The greatest benefit of using SIP trunking as your business phone system is that it is highly cost-effective. This is due to many reasons, but mainly because it eliminates the costs of long-distance calling. If your business often makes phone calls across the country or the ocean, SIP trunking may be the answer for you.  

SIP also eliminates the need for separate data and telephone voice networks. Because SIP is IP-based, you can enjoy one centralized network with multiple digital streaming capabilities that is easily scaled and requires no physical infrastructure, which means no maintenance or hardware costs.

The removal of the PSTN gateway allows the SIP trunk to connect directly to your chosen internet telephony service provider (ITSP), removes subscription fees, and gives you greater flexibility in how you scale your telecommunications services by providing more bandwidth increment options at lower rates.

A SIP trunk enables all calls to be local calls by carrying them over the internet, avoiding the costs of international or long-distance calls. The SIP trunk sends the call to the provider's termination point, where the call is transferred to a local PSTN, therefore only charging you for a local call.

To compete with ITSPs, many SIP trunking providers have added services such as ENUM, or telephone number mapping, which allows you to use the same phone number no matter where you are in the world. They also offer the elimination of 800 numbers by providing a local number based on your location.

SIP trunking is flexible and easily scalable, with an unlimited number of channels allowed per trunk and no physical installation or setup necessary. New channels can be added and enabled within hours.

SIP trunking services tend to be far more flexible and resilient than legacy phone systems in a disaster. Whether it's a network failure, natural disaster or hardware problem, most services will have measures in place to make sure you can still place calls. These may include geographic redundancy, routing calls to different locations or data centers, or dispersed network operating centers.

Your SIP trunking service will also help you create a disaster preparation plan on your end, including steps such as routing your calls to a different predetermined number, using a backup trunk provider, or having a cloud system ready for backup.

To transition from a traditional phone service to SIP trunking, start by determining how many channels you need. This will depend on the size of your business and how many phone calls you think will be going at once.

For example, companies with 100 people or more should follow the 3-to-1 rule: For every three employees making calls, you should have one SIP channel. Companies with fewer than 100 employees will need more channels, because you are more likely to have multiple people using the phone at one time in a smaller office.

Next, assess whether you have enough bandwidth and a robust enough network to support a SIP service. Also take inventory of whether you will need to replace any desk phones with SIP-enabled IP phones.

Once you have an idea of the number of channels you'll need, you can start collecting quotes. Some of the best SIP trunk providers are 8x8, RingCentral, Jive and Nextiva.

Be sure to ask about a Session Border Controller (SBC), which acts like a firewall for SIP traffic and provides security against hacking and denial-of-service (DoS) attacks.

When you call vendors for SIP trunking prices, be sure to ask about setup fees, required equipment and monthly service fees. Most businesses can expect to save around 75% on telecommunication fees by switching to SIP trunking. The prices you're quoted will also vary, depending on how many IP-enabled handsets you will need and if you want to add extra features like video conferencing or forwarding to mobile devices.

These will be your main costs for SIP trunking:

  • Subscription, which includes the price per channel
  • Calling rates, which is the cost per call or per minute for outbound calls
  • Add-on costs for extra features
  • Setup fees

For SIP trunking services, the average outbound call rate in North America ranges from 0.5 cents to 3 cents per minute. The average cost per channel is between $1.67 and $15 per month. Unlimited SIP trunk channels range from $19.99 to $29.99 per channel.

A cloud-based VoIP system can cost anywhere from $10 to $75 per user per month, whereas a traditional, on-premises phone system can cost several thousand dollars in one-time fees for equipment and installation and several hundred or several thousand dollars in monthly fees, depending on your call volume.

Latest Innovative Report on VoIP Phone Systems Market by 2025 | Top Key Players like Alcatel Lucent, AT&T, Cisco, Citrix, Deutsche Telekom, Ribbon Communication, Google, Huawei, Microsoft, Orange, Telenor, ZTE, Nextiva, RingCentral, Verizon, Vonage, 8×8, Avaya, Mitel, and Jive Communication - Indian Columnist

Posted: 18 Sep 2019 10:15 AM PDT

The VoIP market growth is attributed to factors such as efforts taken by government agencies & private companies for the development of the wireless communications infrastructure and the increased adoption of cloud-based VoIP services due to cost-efficiency. Businesses with poor communication infrastructure face issues such as low audio quality and long delays that can adversely impact their productivity. Thus, they migrate from traditional phone systems to cloud-based phone systems, which are tailored to handle voice mails & calls to enable smooth communication. As technology supports voice & video communications over the internet, enterprises are widely using such solutions to enable high business performance through more reliable and routable calling services & reduced maintenance.

The global VoIP Phone Systems market is expected to expand at a CAGR of +12% over the forecast period 2019-2025.

The report, titled Global VoIP Phone Systems Market defines and briefs readers about its products, applications, and specifications. The research lists key companies operating in the global market and also highlights the key changing trends adopted by the companies to maintain their dominance. By using SWOT analysis and Porter's five force analysis tools, the strengths, weaknesses, opportunities, and threats of key companies are all mentioned in the report. All leading players in this global market are profiled with details such as product types, business overview, sales, manufacturing base, competitors, applications, and specifications.

Top Key Vendors in Market:

Alcatel Lucent, AT&T, Cisco, Citrix, Deutsche Telekom, Ribbon Communication, Google, Huawei, Microsoft, Orange, Telenor, ZTE, Nextiva, RingCentral, Verizon, Vonage, 8×8, Avaya, Mitel, and Jive Communication


The VoIP Phone Systems market comprises in-depth assessment of this sector. This statistical report also provides a detailed study of the demand and supply chain in the global sector. The competitive landscape has been elaborated by describing the various aspects of the leading industries such as shares, profit margin, and competition at the domestic and global level.

Different global regions such as North America, Latin America, Asia-Pacific, Europe, and India have been analyzed on the basis of the manufacturing base, productivity, and profit margin. This VoIP Phone Systems market research report has been scrutinized on the basis of different practically oriented case studies from various industry experts and policymakers. It uses numerous graphical presentation techniques such as tables, charts, graphs, pictures and flowcharts to make the material easier for readers to understand.

The report elaborates on the different internal and external factors responsible for driving or restraining the progress of companies in the VoIP Phone Systems market. Different methodologies for discovering global opportunities and increasing customers rapidly have been included.


Table of Contents:

Global VoIP Phone Systems Market Research Report 2019-2025

Chapter 1: Industry Overview

Chapter 2: VoIP Phone Systems Market International and China Market Analysis

Chapter 3: Environment Analysis of VoIP Phone Systems.

Chapter 4: Analysis of Revenue by Classifications

Chapter 5: Analysis of Revenue by Regions and Applications

Chapter 6: Analysis of VoIP Phone Systems Market Revenue Market Status.

Chapter 7: Analysis of VoIP Phone Systems Industry Key Manufacturers

Chapter 8: Sales Price and Gross Margin Analysis

Chapter 9: Marketing Trader or Distributor Analysis of VoIP Phone Systems.

Chapter 10: Development Trend of VoIP Phone Systems Market 2019-2025.

Chapter 11: Industry Chain Suppliers of VoIP Phone Systems with Contact Information.

Chapter 12: New Project Investment Feasibility Analysis of Market.

Chapter 13: Conclusion of the VoIP Phone Systems Market Industry 2024 Market Research Report.


About a2zmarketresearch:

The A2Z Market Research library provides syndication reports from market researchers around the world. Ready-to-buy syndication Market research studies will help you find the most relevant business intelligence.

Our research analysts provide business insights and market research reports for large and small businesses.

The company helps clients build business policies and grow in that market area. A2Z Market Research is not only interested in industry reports dealing with telecommunications, healthcare, pharmaceuticals, financial services, energy, technology, real estate, logistics, F & B, media, etc. but also your company data, country profiles, trends, information and analysis on the sector of your interest.


VOIP phone system harbors decade-old vulnerability. - The CyberWire

Posted: 07 Sep 2019 12:00 AM PDT

Saturday, September 7, 2019

Researchers at McAfee's Advanced Threat Research Team recently published the results of their investigation into a popular VOIP system, where they discovered a well-known, decade-old vulnerability in open source software used on the platform. 

Steve Povolny serves as the Head of Advanced Threat Research at McAfee, and he joins us to share their findings.

The original research can be found here:

Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:21] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats. Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution, enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Steve Povolny: [00:01:53] This was kind of a fun one, kind of an interesting one, since Avaya – and specifically, their VoIP phones – are so popular and so widely deployed.

Dave Bittner: [00:02:02] That's Steve Povolny. He's the Head of Advanced Threat Research at McAfee. The research we're discussing today is titled, "Avaya Deskphone: Decade-Old Vulnerability Found in Phone's Firmware."

Steve Povolny: [00:02:13] We got interested in this specific platform, one, because obviously it's so ubiquitous and it's used so globally. And two, because it's primarily deployed in businesses and large enterprises as a desk phone. And, you know, as a research group, Advanced Threat Research, ATR, we kind of approach new projects from two perspectives. The first being we're trying to uncover and, you know, quote unquote, burn as many security flaws and vulnerabilities as we can across software and hardware platforms. So, from that perspective, being able to make a big impact across this industry of deployed devices was really interesting for us and made for engaging research.

Steve Povolny: [00:03:00] On the flip side, we're a small, dedicated team, so obviously we can't tackle everything. So part of what we do with any piece of research once we find something that's relevant is in addition to just getting the flaw or vulnerability fixed, we actually work to build a full end-to-end demo, show what the actual bad guy could do with it, and then really get that awareness out there and make sure that people understand what the impact is. And it's that level of awareness and insight into the problem space that's almost more important than just fixing individual bugs again. So, long story short, I guess we kind of get interested in it ultimately because of how widespread it was and because of the areas that it's used primarily in large enterprises.

Dave Bittner: [00:03:43] Yeah, I can't help picturing in my mind, you know, someone from your research team sitting there at their desk and glancing over at the phone and their eyebrows raising and going, "Hmmmm..."

Steve Povolny: [00:03:51] (Laughs) What could you do with this network-connected device that is recording calls and listening to calls, right?

Dave Bittner: [00:04:01] Right, exactly. Exactly. Well, I mean, let's dig in here. And for folks who might not be familiar with how these phones work and sort of what's going on with them, can you give us a little overview?

Steve Povolny: [00:04:12] Yeah. So these are, of course, network-connected devices, which is why they're called VoIP phones, or Voice over IP, is that all of the data that's transmitted for your calls is going across the network, similar to many phones, but across an IP-based network share. And ultimately, you know, what that means is if someone is able to get onto the same network where these phones are deployed, which is typically an internal business network, or sometimes even a guest network, if they are connected to it and are able to compromise something in the phones, you know, they might be able to actually pivot to other devices on the network, control all the phones at once.

Steve Povolny: [00:04:54] Or ultimately, what we did with the scenario is leveraging the ultimate vulnerability that was found, eventually basically using it to tap and record network traffic, including calls. We thought that was probably the most interesting scenario from the threat actor's perspective, in terms of being able to not just, you know, surreptitiously steal call data, or record call data, but also potentially to deploy something like malware to all the devices, or ransomware. And, you know, in a large organization that heavily relies on their enterprise phones, you know, there's a fairly good chance that that ransom could be effective while they keep users locked out of their phones. So, we kind of approached it from that perspective of both delivering a payload of ransomware, as well as exfiltrating call data, you know, over the Internet.

Dave Bittner: [00:05:42] Yeah, it strikes me, too, that this is a device, like we said, it sort of sits on someone's desk, and in a way, it's kind of invisible. It's sort of out of sight, out of mind. As long as it's working, it's not something you really think about very much.

Steve Povolny: [00:05:56] People forget that these are just computers, right? And Philippe Laulheret, who was the primary researcher on this one, you know, looked at this thing instantly, and instead of seeing a phone that makes calls, he sees a computer sitting on his desk, that's plugged into the network. And so this is similar to any other type of IoT device now that has become network-based, and of course, phones have been connected to networks for a very long time now. But you're absolutely right – this is typically an oversight both from a security perspective as well as from just a monitoring perspective. So it makes for an enticing target for cyber criminals looking to pivot and find a way into the network. It makes for a really ideal type of a target.

Dave Bittner: [00:06:39] Well, let's walk through together what your team did here. There's some interesting aspects to it, both hardware and software. Where do you want to begin?

Steve Povolny: [00:06:50] So first and foremost, we take the lazy approach whenever possible – or the low-hanging fruit, if you want to be politically correct.

Dave Bittner: [00:06:57] (Laughs)

Steve Povolny: [00:06:58] Now, we're trying to look at network interfaces. We're trying to see if the software or firmware can be just freely downloaded over the Internet. In this case, we could actually access the firmware just by downloading it on the Internet. But with many cases, in many of our research projects, you have to be a customer or you have to use some social engineering to get access to the firmware, or maybe it's only delivered, you know, sometimes even in physical medium.

Steve Povolny: [00:07:25] So, in this case, we were able to get the firmware easily, but the researcher wanted to be able to essentially access the underlying operating system and be able to do some interactive testing with it. So, instead of just testing the firmware for vulnerabilities or flaws similar to a normal software project, he actually opened up the phone – physically opened it up – and started working with the actual hardware and the boards inside the phone to see what he could learn. And ultimately, had he not taken this approach, we would not have come across the vulnerability that existed in the phone for over ten years.

Steve Povolny: [00:08:04] So, the process here was open up the phone and do what's called connecting to debug ports. And often there's hardware interfaces on the inside of a computer like this that the developers either leave in there intentionally so that they can debug issues in the field, or sometimes, you know, they're doing QA or debugging in the manufacturing process and they forget to close them down, and they can be accessed later. Long story short, what this means is a researcher – whether, you know, a white hat researcher or a black hat researcher – can ultimately access interfaces to the phone and backend system on the phone that they probably shouldn't be able to access.

Steve Povolny: [00:08:44] In this case, Philippe was able to directly connect to the phone's hardware and use it to load a root, or kind of system admin-level shell on the box, just by soldering some wires on there. And we spent a lot of time in the blog when we released this research talking about educating people who are interested in this type of research on just how you do that, how you go about connecting to those hardware debugging interfaces – what's interesting, what are you trying to retrieve from them. And ultimately, it leads to the fact where you can start to poke around now on the operating system in the file system of the computer in the phone.

Steve Povolny: [00:09:25] And what Philippe was able to do then, by having a root shell, was do some basic vulnerability scanning and some privileged poking around, I guess, for lack of a better term, to see what he could find. Ultimately, what he found was a piece of code that had not been updated in over ten years – he could tell that from the copyright on the banner of the code – and that led him to start to search for, you know, more of an existing vulnerability versus trying to find something new since this was such old code and such un-updated code.

Steve Povolny: [00:10:00] And then finally to come full circle, you know – and we're keeping a fairly high level for now – but to come full circle, he was able to find a vulnerability that had been publicly reported in open-source code about ten or eleven years ago, which is the DHCP client responsible for providing an IP address to the phone, and Avaya had actually taken that public open-source code, forked a version of it, and put it in their product. And unfortunately, the version of the code that they implemented in their product was the one that did not have the patch in it. So, there were some older specs from the vendor here in terms of baking in the existing security, the patches that were available, and that went unnoticed for a period of ten years until Philippe kind of stumbled across this bug.

Dave Bittner: [00:10:44] So this wasn't a matter of, you know, me having a ten-year-old phone sitting on my desk – this was an old version of some open-source software that was just still being reused in modern code?

Steve Povolny: [00:11:00] Absolutely, yeah. These phones are still sold and widely distributed. I want to say there is an end-of-life plan for them coming up here, but they're still one of the most popular desk phones used across major enterprises, this specific version. And exactly as you said, this is not an old phone. It's a newer phone with an older code base on it, and had Avaya properly forked the patched version of the DHCP client into their phone, this vulnerability would not have been there, and we would have been looking for, you know, a new vulnerability or what's called a zero-day vulnerability – something that hadn't been reported to the industry before.

Steve Povolny: [00:11:40] So, this is kind of a unique scenario where actually, you know, a vulnerability that's quite well-known from an industry perspective was completely unknown from a product perspective, and because of that, there's actually existing exploit code out there already written to take advantage of this exact vulnerability. So, for the researcher, it was quite easy to, you know, once he found that, build a proof-of-concept and take that to the extent of fully compromising the phone. And I'm sure we'll talk a little bit about what the impact of that exploit is.

Dave Bittner: [00:12:13] Yeah, absolutely. Before we get to that, I think it's worth pointing out that from a hardware side of things, this was not a matter of needing a significant investment, spending a lot of money on the gadgets that you needed to sort of hook yourself up to this phone. It was not expensive.

Steve Povolny: [00:12:32] Right. No, the expensive part is the time it takes to learn the skills, right? The overhead it takes to become good at – you know, if you look at some of the blog content and how the researcher actually connected to the phone, you'll see there some very, very fine little soldering wires involved there. You have to be able to analyze the internal components of the hardware and know which chip is what, and which board is what, and how to connect different pins and pinouts. But from an investment perspective, I think our net investment was probably in the range of five or ten dollars for some copper wire. And you know, we did have some additional hardware that kind of facilitated made the process a lot easier, but not overall necessary to being able to connect to the internals of a computer and pull useful information. And just like, you know, anything else, the more you spend, the easier it gets, generally speaking. But you're absolutely right. This is something that most people can do for pretty low cost.

Dave Bittner: [00:13:36] Now, the phone system itself was running a Linux system, which is interesting – certainly not uncommon, but opens up all sorts of avenues for exploration there as well.

Steve Povolny: [00:13:48] Absolutely. And this is pretty common for embedded devices and IoT in general, especially, you know, phone systems will run Linux or some kind of a version of the Linux kernel here. And, you know, once Philippe had access to the kernel and had elevated privileges on the operating system, you know, there's two approaches you could take. One is to look for existing vulnerabilities, which again, is kind of that low-hanging fruit. If you find something that's already out there that hasn't been patched or fixed, in a way that's just as good as finding a zero-day vulnerability that nobody knows about, because in practice, it's exploitable in the exact same way, and a patch still needs to be developed. So, that's one approach to take and something we typically do when we drop into some elevated privileges like Linux kernel here. On the flip side, you know, had that not been successful, there are a number of tools that allow you to test and to penetration test and look for vulnerabilities and exploit them on both Windows and Linux and other operating systems at the level we're talking about here.

Dave Bittner: [00:15:02] What is the range of possible exploits that you all explored here? What sort of things were you able to do when you had that root level?

Steve Povolny: [00:15:10] Well, once we had the root shell on what's called the EEPROM, which is one of those hardware interfaces to the operating system, the vulnerability was pretty quickly found. So, again, Philippe just kind of – after looking around a little bit and seeing a copyright of 2004 to 2007, kind of got wind of the fact that we were running some – or that the device was running some pretty old code here. And the vulnerability itself, you know, for researchers in the industry, probably already familiar with it. I know Philippe kind of remembered it, it just kind of triggered his memory based on having seen it a number of years ago.

Steve Povolny: [00:15:51] But either way, you know, at this point, you could run a full end-to-end vulnerability scan, you know, looking for all existing CVEs or vulnerabilities that have been published, see what comes up. We really kind of stopped once we found this vulnerability, and the researcher decided, you know, why go any further? We have a root shell on the device, we've got a vulnerability that's unpatched, and we've got a target that's deployed, you know, very widely in enterprise environments. And we decided then to kind of pivot and start using that to build the demo.

Steve Povolny: [00:16:24] Ultimately, as I mentioned earlier, we thought there was two really impactful scenarios here, and we can go into detail on both of them. The first one was, of course, we've built a proof-of-concept just to demonstrate the vulnerability, and Philippe used (Laughs) he used my face to load on the startup screen or the flat screen of the phone, just to show that you had remote code execution and could replace images on the phone. I don't think any realistic attacker is gonna be so kind as to tip you off that way, but it was a great proof-of-concept.

Steve Povolny: [00:16:56] From a realistic perspective, we decided there's two really tangible scenarios that someone would use if they found this vulnerability unpatched. The first, as I mentioned, would be deploying malware or ransomware. And kind of the sky's the limit in terms of what you could do here. You could use it just simply to gain a backdoor on a number of internal systems to use it as a device to pivot to more critical systems on the internal network, especially if the phone system is on a protected, you know, kind of a non-open, non-guest network where there's other sensitive devices, that this becomes a really interesting kind of permanent or semi-permanent backdoor into your network. That's one way that we see a lot of vulnerabilities and exploits being used, is just as backdoors in the network and kind of maintaining persistence there to attack other targets.

Steve Povolny: [00:17:50] From the actual phone perspective, we thought, well, wouldn't it be cool if you could actually enable the internal microphone through the use of this exploit and either call or record or spoof calls outbound? And that's the demo we built and kind of run in our lab here, is we exploit the vulnerability to turn on the internal microphone. And essentially, it'll not only capture, of course, call data when a call is being made, but it can just capture ambient room noise or background noise. So, if this thing is deployed on the table of your boardroom for a critical boardroom meeting and the vulnerability is exploited, we can be listening and even exporting all of that data, all of that audio data, out of the network back to a server, a computer that we control. And we thought that was a really interesting targeted scenario for surveillance and spying activities, as well as gaining kind of privileged information to a – what should be really a highly confidential conversation.

Steve Povolny: [00:18:53] And those are the two demos that we built. So really, we kind of have a simple demo where Philippe just kind of speaks and talks into the phone, and about a second or two later, you kind of see the call recording happening in real time and the data being exfiltrated out over the Internet.

Dave Bittner: [00:19:06] In order to exploit this phone, to get the access that you got, was it necessary for you to have access to the hardware itself, or could this have been done remotely?

Steve Povolny: [00:19:17] That's a great question, Dave. So, we decided to – the answer is no, we did not actually have to have access to the hardware, and that's really important here, because obviously it would mitigate the finding significantly if you need to sneak into a building, open up the phone, and tap it. At that point, you might as well just install a tap, right? So, this is a network-based attack, meaning you don't have to have any physical access with a phone – you just need to be on the same network.

Steve Povolny: [00:19:46] The reason we spent so much time on the hardware side of things is more from an educational perspective. So, we want to be able to teach researchers who are interested in helping secure this space and interested in finding additional vulnerabilities and responsibly disclosing them, to be able to build the skill set and understand the approach that goes into hacking into these kinds of devices. And with that often is the hardware approach. So, had we not been able to download the firmware freely over the Internet and, you know, if Avaya decides to lock down those firmware and download in the future, this would be the tactic or the technique that the bad guys would actually use to figure out whether there are vulnerabilities on the set and ultimately how to exploit them. So, really gaining access to the hardware interface is just the means to the end to understanding what the attack surface is and how to pull it off, it makes it easier to get the firmware, the filesystem, the memory content to do that kind of research and analysis. But ultimately, as far as exploitation, it's completely unnecessary – you just need to have access to the network that these devices are deployed on.

Dave Bittner: [00:20:55] Now, you all did reach out to Avaya, and they were responsive, and they've since published a patch.

Steve Povolny: [00:21:01] Yes. They've been a great partner to work with. And we think that one of the things that's part of a research organization is that McAfee's ATR, Advanced Threat Research, always, always works with the vendor to do what's called responsible disclosure. So, when we find a vulnerability – and sometimes we've been working with vendors well before we find a vulnerability through partnerships. In this case, we reached out to Avaya just as soon as we found the vulnerable code, and we had a number of ongoing discussions with them over the next few months while they worked on getting a patch ready and updated.

Steve Povolny: [00:21:37] And we have to really commend them for the speed they worked at, the way they embraced the research. You know, kind of the collaboration throughout the whole process really demonstrated what we always hope to achieve, which is that strengthening that researcher and manufacturer/vendor relationship. And to me, that's really ultimately one of the most important things that we have the opportunity to change in this industry. Instead of just throwing the vendor under the bus and reporting bugs and, you know, and making the vendor look bad, what we're actually trying to do is change the paradigm so that we're now working as a team, as a single unit, and that the white hat research community comes together with the manufacturers, developers, and vendors. And ultimately, we're doing the research that leads to the development and production of better and safer products. And this was a great example of that.

Steve Povolny: [00:22:30] And I'll just add that, you know, the patch was released in late June of 2019. We did do both static and dynamic testing of it to confirm that the patch was effective and that the mitigations that we kind of recommended to Avaya were properly implemented. And, you know, happy to say that that patch is effective. We think it's really important that especially large enterprises prioritize the roll out of this patch. Sometimes devices like this can be an oversight in a large corporate environment, and as we talked about earlier, phones tend to not be the primary type of computer system that your IT or SOC is actually patching. But you can kind of see from the impact statement, from the demo, and from the conversations we've had, that these should be treated as just as sensitive as any other critical server in your environment, whether those are used as an access point or a pivot point, or whether they're directly attacked. These, again, are computer systems that allow you to gain privileged access into a privileged network, and ultimately to achieve some pretty nefarious purposes. So, we're strongly advising that anyone who uses these phones get those patches updated quickly after getting the patch tested.

Dave Bittner: [00:23:48] And I suppose there's a bigger lesson here as well that, you know, even if you have your devices patched and up-to-date, that there could be things still lurking in there that have yet to be discovered.

Steve Povolny: [00:24:00] Absolutely. It would be remiss to say that fixing one vulnerability would overall make a product secure. And again, this comes full-circle to what we started to call with here, which is, you know, the reason, the nature of why we do vulnerability research at McAfee is to push this industry forward as a whole, to encourage researchers to work with vendors, to do analysis of these types of products, to overall harden the attack surface, because we can guarantee that there are others out there – whether they're individuals, whether they're nation-state, whether they're groups of individuals working together – that are well-funded, have significant resources and time, that are attacking and looking for these exact types of flaws. So it's kind of a race to see not only who can find them first, but overall who can be successful in this battle of securing [INAUDIBLE] vulnerabilities are found. And ultimately, that's our goal in this process.

Dave Bittner: [00:25:00] Our thanks to Steve Povolny from McAfee's Advanced Threat Research Team. The research is titled "Avaya Deskphone: Decade-Old Vulnerability Found in Phone's Firmware." We'll have a link in the show notes.

Dave Bittner: [00:25:14] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.

Dave Bittner: [00:25:23] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

Dave Bittner: [00:25:29] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
