No Jitter is part of the Informa Tech Division of Informa PLC


Is Your SBC a Security Breach Waiting to Happen?

Over the last 18 months, companies have adopted advanced communications platforms and cloud-based architectures to enable remote work. At the same time, an increasing number of companies are moving to the cloud for telephony. The result of this migration has been the adoption of Session Border Controllers (SBCs) at the edge of enterprises. The SBC is designed to manage real-time flows and act as a security checkpoint at the edge of the enterprise. The need to deploy SBCs will rise rapidly for two reasons: companies will move from traditional telephony trunking to SIP-based IP services, and companies will adopt UCaaS solutions, with accompanying SBC usage either from the UCaaS vendor or through some form of remote routing using enterprise premises SBCs or third-party/carrier SBCs.
Since the SBC is generally exposed to the “open” Internet, it is a prime target for hackers and security breaches. A compromised SBC is a gateway for hackers to gain access to the internal network and servers of an organization. An improperly configured and unsecured SBC can be penetrated in less than 20 minutes, giving attackers access to the internal network and servers.
Why SBC Security is Important
While the impact of a potential SBC breach may extend far beyond just the communications system, its impact is most evident in the rising cases of toll fraud. According to Berkley Asset Resources, a single toll-fraud incident can rack up $20,000 or more in toll charges. According to the Communications Fraud Control Association, toll fraud totals $28 billion. As smaller organizations move to services where they have SIP trunking, the liability for toll fraud can become significant.
According to a recent McAfee security report, usage of collaboration platforms such as Cisco WebEx, Slack, Microsoft Teams and Zoom increased over 600 percent during the pandemic, external attacks on cloud accounts multiplied sevenfold, and anomalous login attempts tripled from January 2020. Given this 600 percent increase in attacks on collaboration systems, it’s never been more critical to ensure that SBCs are protected from attacks, hacks, and breaches so they don’t end up endangering company-wide cybersecurity. As the hackers move from the core UCaaS platforms, their attention is rapidly turning to the distributed web of SBCs that are often vulnerable.
Assertion, a company focused on real-time communications security, recently released the “2021 State of SBC Security”, a first-of-its-kind report examining the major vulnerabilities in public SBC deployments that could be jeopardizing the security of communication infrastructures.
The information in the report should be of concern to every IT department that uses, deploys, or owns an SBC. Even in cases where enterprises may outsource their SBC deployments to a carrier or other third party, a breach in those locations can impact the enterprise, both in reputation and revenue. In sum, any organization that owns, deploys, or uses an SBC would stand to benefit from the insights in the report.
For the report, the Assertion team studied 2,231 public SBCs by accessing the SBC public IP addresses. The entire study was performed using passive scanning of those public SBCs and using only publicly exposed data. The first step in the study was identifying devices that exposed SIP on their public addresses. Nearly 50 thousand such devices were identified using an initial data set from specialized IoT search engines.
Of these, 2,231 were identified to be SBCs. For each SBC identified and analyzed, more than 40 data points were collected to define the levels of vulnerabilities. The data collected spanned SBC data from micro-enterprises, SMEs, and large enterprises from across 28 countries. (This data is available from Assertion on request.)
The Sorry State of SBC Security
Focused on those 2,231 SBCs, the report identified significant vulnerabilities in the current SBC deployment population. The results are insightful and should be concerning to security managers. Here are the top five threat insights from the report:
  1. Almost half (49%) of the surveyed SBCs had unsecured configurations.
  2. Eighty-six percent of the certificates on SBCs were older than the security recommendation of 13 months. This means that five of the most popular browsers would reject these certificates for security reasons. Even worse, 70% of the certificates were older than 24 months, going against the security best practice of limiting certificate age to a maximum of two years.
  3. Twenty-seven percent of the SBCs tested were found to run vulnerable encryption protocols. Ten percent of the SBCs tested support TLS 1.1 or below, a highly vulnerable protocol that can be exploited using tools that cost less than 100 USD.
  4. Twenty-eight percent of SBCs had more than one service exposed to the Internet. SBCs were found to be running multiple services, contrary to the recommended security practice of limiting services to a maximum of two.
  5. While HTTPS security has hardened information transactions, SIPS security still has major vulnerabilities. For example, only 27% of HTTPS systems support vulnerable ciphers, while 44% of SIPS systems still use them. Thirty-two percent of HTTPS systems have weak key strength, but nearly twice as many (68%) SIPS systems use weak security keys. This means that SBC/SIP systems are generally twice as vulnerable as HTTPS browsers and data.
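The thresholds in findings 2 to 4 can be applied to an inventory of your own SBCs. The following is an added example, not code from Assertion's report or scan tool: the hostnames, record layout and audit date are constructed, and "months" is assumed to mean whole calendar months since the certificate's notBefore date.

```python
import ssl
from datetime import datetime, timezone

# Thresholds taken from findings 2-4 above.
RECOMMENDED_CERT_MONTHS = 13   # recommended certificate age
MAX_CERT_MONTHS = 24           # best-practice ceiling of two years
MAX_SERVICES = 2               # recommended limit on exposed services
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # "TLS 1.1 or below"

def cert_age_months(not_before, now):
    """Whole calendar months since notBefore (assumed definition of 'months').

    not_before uses the text format of the 'notBefore' field returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Jun 15 00:00:00 2020 GMT'.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    months = (now.year - issued.year) * 12 + (now.month - issued.month)
    if now.day < issued.day:      # current month not yet complete
        months -= 1
    return months

def audit(record, now):
    """Return the list of findings for one SBC inventory record."""
    findings = []
    age = cert_age_months(record["cert_not_before"], now)
    if age > MAX_CERT_MONTHS:
        findings.append("cert-older-than-24-months")
    elif age > RECOMMENDED_CERT_MONTHS:
        findings.append("cert-older-than-13-months")
    weak = WEAK_TLS & set(record["tls_versions"])
    if weak:
        findings.append("weak-tls:" + ",".join(sorted(weak)))
    if len(record["services"]) > MAX_SERVICES:
        findings.append("too-many-services:%d" % len(record["services"]))
    return findings

# Constructed sample inventory (hypothetical hosts, not data from the report).
AS_OF = datetime(2021, 9, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"host": "sbc-a.example.net", "cert_not_before": "Mar  1 00:00:00 2019 GMT",
     "tls_versions": ["TLSv1", "TLSv1.2"], "services": ["sips/5061", "https/443", "ssh/22"]},
    {"host": "sbc-b.example.net", "cert_not_before": "Jun 15 00:00:00 2020 GMT",
     "tls_versions": ["TLSv1.2"], "services": ["sips/5061", "https/443"]},
    {"host": "sbc-c.example.net", "cert_not_before": "Feb 10 00:00:00 2021 GMT",
     "tls_versions": ["TLSv1.2", "TLSv1.3"], "services": ["sips/5061"]},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec["host"], audit(rec, AS_OF) or "ok")
```
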
The results of the study expose the gaps that exist in the state of SBC security today, and one thing is clear: there is much to be done before SBC VoIP security matches even the basic standards of data security.
The report has exposed the people-process-product gaps weakening SBC security today. It is evident that voice and video teams need better tools, more training, comprehensive monitoring, and more mature processes to bridge the current gaps and strengthen the VoIP infrastructure against attacks, hacks, and breaches.
What the State of SBC Security Means for Your Businesses
A properly configured and managed SBC is a powerful tool that can help organizations enable smooth external communication with strong VoIP security practices that protect from exploits and breaches.
The State of SBC Security report shows that there are significant potential security risks in the publicly reviewed SBCs. Organizations need to wake up to those risks. Companies should assess whether their own or their partners' SBCs are configured to minimize the potential of an attack or breach. Beyond the immediacy of SBC security, enterprises should critically assess their current telecom security models and explore ways to extend security monitoring visibility to their SBCs.
For companies looking for a simple way to evaluate the state of their own or their partners' SBC security, Assertion has launched a 5-minute tool, the SBC Quick Scan, that can help organizations get visibility into the exposed ports and services running on their SBCs, in addition to an expert assessment of certificate security and TLS/SSL security. You can learn more about how to use this scan for free, here.