Issue
Voice over IP telephony devices are especially sensitive to changes in network traffic, as they require a steady stream of bandwidth to maintain distortion-free audio. For this reason, many VoIP phones and devices can have adverse reactions to being scanned for vulnerabilities.
While Nodeware focuses on low-impact vulnerability scanning policies, even the most basic of plugins can trigger a VoIP device to drop audio packets or go offline entirely. The factors that play into this behavior are detailed in the Underlying Causes section of this article.
We understand that these issues can be frustrating, but they do represent a vulnerability in themselves: a rogue device could cause similar or worse disruptions, especially if armed with a malicious payload. This is why we provide both a Quick Fix, to solve immediate concerns, and a long-term Solution to issues you may encounter with VoIP devices and Nodeware.
Quick Fix
The immediate solution to VoIP-related issues is to pause affected VoIP devices in the Nodeware Dashboard.
If all your devices are from the same manufacturer, it helps to find the MAC address of one of them, either from its display or from a sticker on the bottom of the device. In the search bar on the Network view, enter the first 3 bytes of the MAC address in this format: 00:00:00. MAC addresses only contain the characters A-F and numbers.
Once you've located the devices, click on the MAC of the first device. On the right-hand side of the device view, you will see a button labelled 'Pause Host'. Clicking this once will remove the device from regular vulnerability scans, while continuing to inventory the device.
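The prefix search described above can also be checked against your own device list before pausing anything. This is an added example, not Nodeware code: the inventory rows, hostnames and MAC addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inventory (hostname, MAC). Not real devices or Nodeware output.
INVENTORY = [
    ("phone-lobby", "02:1A:2B:AA:BB:01"),
    ("phone-desk4", "02-1a-2b-aa-bb-02"),
    ("printer-2f", "021a.2caa.bb03"),
    ("phone-conf", "021A2BAABB04"),
    ("laptop-17", "06:5E:60:12:34:56"),
    ("bad-entry", "02:1A:2G:AA:BB:05"),  # 'G' is not a valid MAC character
]

def normalize_mac(raw):
    """Return 12 uppercase hex digits, or raise ValueError for anything else."""
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def search_prefix(raw):
    """First 3 bytes of a MAC in the 00:00:00 search format."""
    digits = normalize_mac(raw)
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))

def same_manufacturer(known_phone_mac, inventory):
    """Return the search prefix, hosts sharing it, and hosts with unparseable MACs."""
    prefix = search_prefix(known_phone_mac)
    matches, rejected = [], []
    for host, mac in inventory:
        try:
            if search_prefix(mac) == prefix:
                matches.append(host)
        except ValueError:
            rejected.append(host)  # review these by hand
    return prefix, matches, rejected

if __name__ == "__main__":
    # MAC as read from the sticker on one phone (constructed value).
    prefix, matches, rejected = same_manufacturer("02-1a-2b-aa-bb-01", INVENTORY)
    print("search for:", prefix)
    print("candidates to pause:", matches)
    print("check by hand:", rejected)
```

A manufacturer can hold more than one prefix and can ship other device types under the same one, so confirm each match is a phone before pausing it.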
Solution
Most current-generation VoIP phones have available firmware updates and software patches that add protection against both innocuous and malicious scanning. This includes rate limiting for internal web-based services and filtering of unused ports and protocols. Check on the availability of updates on the manufacturer's website or by contacting your managed VoIP services provider.
Once updates have been installed, re-enable devices one at a time. This allows you to verify scanning will not disrupt normal operations before making a blanket change.
Underlying Causes
The underlying protocol of most VoIP traffic today was first published in 1996 and gained widespread adoption by the early 2000s. While improvements and features have been added, such as HD voice, digital telephony is generally light on CPU resources. This can lead to two different but related issues: underpowered, outdated hardware and overpowered, repurposed hardware.
Older chip-level hardware designs lead to software that can become overwhelmed by even the smallest volume of network requests. The default Nodeware scan policy is particularly conscious of the timing of requests; however, it does assume some level of network stability on the device in order to provide quicker scan times.
On the other end of the spectrum, more powerful hardware in modern VoIP phones is often used to run additional services, such as web directories, voicemail access, and configuration pages. When scanned for vulnerabilities, the detection of web services engages web scanners in Nodeware that run a battery of tests to discern software version and patch level, as well as accessible admin or configuration pages. This type of scan is more intensive by nature and can also cause issues with processing power allotted to voice and SIP communication.
Having issues? Follow the steps above and if your issue is not resolved, please contact support with manufacturer and software versions for affected devices.