UC security: Your UC tools are not exempt from Heartbleed

The Heartbleed security vulnerability in OpenSSL compromised countless websites and network equipment, but voice and video are also vulnerable. Many UC products — including IP phones and video systems — used the vulnerable version of OpenSSL, which is forcing enterprises to reconsider their UC security efforts.

The Heartbleed security flaw, which affects certain versions of OpenSSL, allows hackers to obtain a limited portion of data from a connected client or server by sending a malformed Transport Layer Security (TLS) Heartbeat request. Hackers can’t use the Heartbleed vulnerability to tap phone calls, but they can obtain information — such as user accounts and passwords — which would provide ammunition for future attacks, said Michael Brandenburg, industry analyst at Mountain View, California-based Frost and Sullivan Inc.

“Before [Heartbleed] no one really understood how one piece of software or a couple lines of code could matter to an entire industry, but it is a widespread problem. UC tools are just as vulnerable as any other piece of equipment or software,” Brandenburg said.

UC security: affected IP phones, collaboration platforms and telepresence systems

The good news is that many vendors — both networking and UC alike — have stepped up in the wake of Heartbleed, trying to get word out to their customers about impacted products. They have been forthcoming about remediation efforts, Brandenburg said.

While none of its IP phones were specifically impacted, ShoreTel’s VPN Concentrator, as well as ShoreTel versions 14, 14.1 and 14.2 of HQ and DVS Servers — which provide virtualized instances of system administration, unified messaging and Enterprise Contact Center applications — were affected by Heartbleed. The company advised its customers using the VPN Concentrator to change all SSH passwords on the boxes and put the VPN Concentrator behind a firewall — if a firewall wasn’t in place already. In the meantime, ShoreTel is “working on a temporary hotfix which will disable the TLS Heartbeat,” the company said in a blog post. ShoreTel plans to restore TLS Heartbeat support in the next release of its VPN Concentrator, which will contain the latest OpenSSL version, the company said.

Even though the ShoreTel HQ and DVS Server software were deemed vulnerable by the company, ShoreTel said the software “has a limited exposure due to not being exposed outside of the local area networks and therefore is considered low risk.” ShoreTel recently updated the software using an OpenSSL version not affected by the Heartbleed security flaw, the company said.

Four Cisco IP phones were confirmed vulnerable to Heartbleed, along with 24 telepresence systems and servers, several WebEx versions and Cisco Unified Communications Manager platforms. The company has released several “fixed” software versions and workarounds to help customers mitigate the risk of exploitation. Cisco is continually updating its Heartbleed security advisory as more patches and information become available.

Not every UC vendor was affected by the security flaw, however. Avaya UC products were determined to be cleared of the Heartbleed-related vulnerability because the company’s products use a different version of OpenSSL.

Heartbleed brings attention to UC security

While many enterprises must wait for their vendors to fix whatever Heartbleed flaws are in their UC tools, IT professionals should be conducting their own UC security audits, said Brad Casey, IT professional and tech writer. Checking traffic logs and examining all TLS responses for anomalies is something enterprises can, and should, be doing — aside from deploying the patches their vendors have released — to find out whether their UC tools have been hacked, Casey said.
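The two technical points above, a Heartbeat request whose declared payload does not match what was actually sent, and Casey's advice to review TLS traffic for anomalies, can be turned into one concrete check. The following Python script is an added example written for this article; it is not code from the article, from Casey, or from any vendor named here. It walks a captured TLS byte stream, and for every Heartbeat record (content type 24) verifies that the declared payload length plus the 16-byte minimum padding RFC 6520 requires actually fits in the record, and separately flags Heartbeat responses larger than a threshold. The sample stream, the 1,024-byte response threshold and the `Finding` class are constructed assumptions for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 24            # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: every Heartbeat message carries at least 16 bytes of padding
MAX_SANE_RESPONSE = 1024      # assumption: real keep-alive heartbeats are tiny; anything bigger is worth a look


@dataclass
class Finding:
    offset: int   # byte offset of the TLS record inside the captured stream
    kind: str     # "length-mismatch", "oversized-response" or "truncated"
    detail: str


def iter_tls_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, content_type, version, body) for each TLS record in a captured stream.
    A record cut short by the end of the capture is yielded with the bytes that are present."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        yield off, ctype, version, body
        off += 5 + length


def check_heartbeats(data: bytes) -> List[Finding]:
    """Flag Heartbeat records whose declared payload cannot fit in the record that carried it
    (the shape of a Heartbleed probe) and Heartbeat responses that are implausibly large."""
    findings: List[Finding] = []
    for off, ctype, _version, body in iter_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(body) < 3:  # not even type + payload_length present
            findings.append(Finding(off, "truncated", f"heartbeat record of {len(body)} bytes"))
            continue
        hb_type, declared = struct.unpack("!BH", body[:3])
        actual = len(body) - 3  # bytes really carried after the 3-byte heartbeat header
        if declared + MIN_PADDING > actual:
            findings.append(Finding(off, "length-mismatch",
                                    f"type {hb_type}: declares {declared} payload bytes, record carries {actual}"))
        elif hb_type == HB_RESPONSE and len(body) > MAX_SANE_RESPONSE:
            findings.append(Finding(off, "oversized-response", f"{len(body)}-byte heartbeat response"))
    return findings


# --- constructed sample traffic (not a real capture) -------------------------------------
def _record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body          # TLS 1.1 record header


def _heartbeat(hb_type: int, declared: int, payload: bytes, padding: int = MIN_PADDING) -> bytes:
    return _record(TLS_HEARTBEAT, struct.pack("!BH", hb_type, declared) + payload + b"\x00" * padding)


APP_DATA = _record(23, b"hello")                                  # ordinary application data
BENIGN_REQUEST = _heartbeat(HB_REQUEST, 4, b"ping")               # declares 4 bytes, sends 4 + padding
MALFORMED_REQUEST = _heartbeat(HB_REQUEST, 64, b"ping")           # declares 64 bytes, sends only 4
OVERSIZED_RESPONSE = _heartbeat(HB_RESPONSE, 1981, b"A" * 1981)   # well-formed but 2,000 bytes long
SAMPLE_STREAM = APP_DATA + BENIGN_REQUEST + MALFORMED_REQUEST + OVERSIZED_RESPONSE

if __name__ == "__main__":
    for f in check_heartbeats(SAMPLE_STREAM):
        print(f"offset {f.offset}: {f.kind} ({f.detail})")
```

Run against the sample it reports the mismatched request and the oversized response and stays silent on the benign heartbeat and the application-data record. Pointed at a real capture (for example the TLS session to a phone's web interface or a SIP-over-TLS trunk), the length-mismatch finding is the one that matters: a peer that answers such a request with a full-size response is still running the flawed OpenSSL, while a patched peer drops it.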

Enterprises should also be working with their vendors, partners or system integrators consistently in order to ensure their products are up-to-date, said Gary Berzack, chief technology officer and chief operating officer for eTribeca, LLC, a New York-based systems integrator and Cisco and Avaya partner.

“The challenge is that a lot of customers are not engaging partners for ongoing maintenance to proactively plug these holes,” Berzack said. “Network administrators are identifying problems and performing their own updates, but they are probably not current because a lot of the time, voice just works,” he said.

Unlike digital and analog phones, IP phones can’t simply be plugged in and forgotten. IP phones and other UC tools use the Internet instead of the traditional public switched telephone network — which carries inherent security risks and must be monitored. If nothing else, the Heartbleed security vulnerability highlights the importance of keeping UC protected, Frost and Sullivan’s Brandenburg said. “Enterprises aren’t used to these kinds of problems with their voice platforms, especially,” he said. “This kind of problem never came up with their old PABX systems that never had to be updated — it’s an eye opener for UC managers.”

Enterprises simply can’t tell their employees not to use a mission-critical business tool — like a phone, Brandenburg said. “Admins are going to have to go through their inventory list and make sure every device is updated once [a vendor] releases a fix for it. Enterprises have to check the versions on every phone or UC platform by using a centralized management platform or doing it manually and make sure it’s being patched or appropriately addressed,” he said.
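Brandenburg's inventory check can be scripted once the OpenSSL version each device reports has been collected (from a management platform export, a firmware banner or a vendor advisory). The following Python snippet is an added example written for this article, not code from Frost and Sullivan, from any vendor named here or from the OpenSSL project. It classifies a version banner against the range that carried the Heartbleed bug, which is OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2 betas (1.0.1g, 1.0.2 final and the 1.0.0 and 0.9.8 branches do not have it), and groups a device inventory by status so the vulnerable and unknown entries can be worked first. The inventory, device names and banners are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Heartbleed is present in OpenSSL 1.0.1 through 1.0.1f and in the 1.0.2 beta releases.
# 1.0.1g, 1.0.2 final, and the older 1.0.0 / 0.9.8 branches do not contain the bug.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?", re.IGNORECASE)


def heartbleed_status(banner: str) -> str:
    """Classify an OpenSSL version banner as vulnerable, fixed, not-affected or unknown.

    Only the version number is examined; see the note below about vendor builds that
    backport the fix without changing the banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"                      # no OpenSSL banner at all: ask the vendor
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4).lower(), m.group(5)
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a", so 1.0.1 .. 1.0.1f are vulnerable, 1.0.1g+ fixed
        return "vulnerable" if letter <= "f" else "fixed"
    if branch == (1, 0, 2):
        return "vulnerable" if beta else "fixed"   # only the betas shipped with the bug
    return "not-affected"


def triage_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group device names by Heartbleed status, preserving inventory order within each group."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for item in inventory:
        groups[heartbleed_status(item["banner"])].append(item["device"])
    return dict(groups)


# Constructed sample inventory: the device names and banners are made up for this example.
SAMPLE_INVENTORY = [
    {"device": "phone-lobby-01",   "banner": "OpenSSL 1.0.1e-fips 11 Feb 2013"},
    {"device": "vpn-concentrator", "banner": "OpenSSL 1.0.1g"},
    {"device": "telepresence-3f",  "banner": "OpenSSL 1.0.2-beta1"},
    {"device": "voicemail-srv",    "banner": "OpenSSL 1.0.0l"},
    {"device": "old-gateway",      "banner": "OpenSSL 0.9.8y"},
    {"device": "phone-lobby-02",   "banner": "firmware 9.3(1), TLS library not reported"},
]

if __name__ == "__main__":
    for status in ("vulnerable", "unknown", "fixed", "not-affected"):
        for device in triage_inventory(SAMPLE_INVENTORY).get(status, []):
            print(f"{status:13s} {device}")
```

Two caveats apply when reading the output. Several operating-system and appliance vendors shipped a fixed OpenSSL that kept the old version string (for example a 1.0.1e package with the fix backported), so a "vulnerable" verdict here means "confirm against the vendor advisory", not "confirmed exploitable". Conversely, many UC devices link OpenSSL statically and never report a version at all; those land in "unknown", which is exactly the group for which the vendor advisories and partner maintenance relationships discussed above are the only reliable source.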