Attackers can target any device on your network that connects to the internet, and IP phones are no exception: they have become just another point of access. Credit card numbers, Social Security numbers, patient health details and bank account numbers are all sensitive data, and that data needs to be protected when it is transported across untrusted networks. According to the IETF, the primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications. TLS is used by a wide variety of everyday applications, including email, secure web browsing, instant messaging and voice over IP (VoIP).
Weaknesses found in SSL 3.0 and TLS 1.0 (for example the predictable CBC initialization vectors behind the BEAST attack, and the SSL 3.0 padding flaw and version downgrade that POODLE exploits) led the IETF to revise the protocol as TLS 1.1 (RFC 4346) and then TLS 1.2 (RFC 5246), which also replaced the MD5/SHA-1-based PRF and added authenticated-encryption (AEAD) cipher suites such as AES-GCM. TLS 1.3 (RFC 8446) followed in 2018 and removes the remaining legacy constructions altogether.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
According to the PCI Security Standards Council, 30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS v1.2 is strongly encouraged in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data. It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
"While PCI DSS does not explicitly reference the use of VoIP, VoIP traffic that contains cardholder data is in scope for applicable PCI DSS controls, in the same way that other IP network traffic containing cardholder data would be. Therefore, VoIP traffic containing account data that is stored, processed or transmitted internally over an entity's network, or transmitted externally by the entity, is in scope for applicable PCI DSS controls."
Compliance with PCI DSS 3.1 therefore requires a commitment in two parts from every device and application that carries cardholder data:
TLS 1.2 support
Ability to disable TLS 1.1, TLS 1.0, SSL 3.0 and earlier protocols, so that no fallback to early TLS remains
TLS 1.0 to 1.2 migration considerations:
TLS 1.2 introduces cryptographic algorithms and cipher suites (a SHA-256-based PRF, AES-GCM and other AEAD suites, SHA-256 signatures) that older platform hardware may not support
Most products rely on hardware acceleration for encryption, and a fixed-function crypto engine built for the older algorithms cannot be taught the new ones in firmware, which poses challenges on older platforms
Implementers can avoid the hardware limitation by performing all crypto operations in software, but on older platforms this shifts the work onto an already slow CPU and can overload it
Older platforms may also lack the memory needed for the cipher suites and longer key sizes (for example 2048-bit RSA certificates) that are commonly deployed alongside TLS 1.2
TLS Assessment Steps for Success
Inventory your UC and Collaboration applications and devices
Understand security requirements
Secure Mode, Secure SRST, Secure VXML, etc.
Understand your security team's requirements for encrypting media and signaling traffic
Develop and budget for migration or replacement strategy
Plan system upgrades so that TLS 1.2-capable gateways, endpoints and IP phones are already in place before early TLS is disabled
For most enterprise customers, this planning and upgrade activity will take at least a year
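The two PCI commitments above (TLS 1.2 support, and no fallback to TLS 1.1/1.0/SSL) and the inventory step of the assessment can be verified from the wire rather than from a spreadsheet. The following Python script is an added example written for this article; it is not Cisco code and not a Unified CM feature. It parses the ClientHello and ServerHello records of a TLS session (for example SIP over TLS on tcp/5061 between a phone and Unified CM, extracted from a packet capture) and reports which protocol versions each phone offers and which version the server actually selected. The sample handshakes are constructed inline to stand in for captured traffic; the cipher suite 0xC02F, the random bytes and the phone labels are placeholders.

```python
"""Passive TLS-version inventory for UC/VoIP handshakes (added example, not Cisco code)."""
import struct
from typing import Dict, List, Optional

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MINIMUM_ALLOWED = 0x0303            # PCI DSS floor: TLS 1.2 or later
EXT_SUPPORTED_VERSIONS = 43         # supported_versions extension type (RFC 8446)


def parse_hello(record: bytes) -> Dict[str, object]:
    """Parse a handshake record carrying a ClientHello (type 1) or ServerHello (type 2).

    Returns the message type and the protocol versions it carries: the legacy
    version field, replaced by the supported_versions extension when present
    (TLS 1.3-capable peers put the real list there).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type not in (1, 2) or len(hello) < 35:
        raise ValueError("not a ClientHello/ServerHello")
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # version + random
    pos += 1 + hello[pos]                          # session_id
    if hs_type == 1:                               # ClientHello: cipher_suites<2..>, compression<1..>
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 1 + hello[pos]
    else:                                          # ServerHello: one suite, one compression method
        pos += 2 + 1
    versions = [legacy_version]
    if pos + 2 <= len(hello):                      # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                if hs_type == 1:                   # uint8 length-prefixed list of versions
                    versions = [struct.unpack("!H", data[i:i + 2])[0]
                                for i in range(1, 1 + data[0], 2)]
                else:                              # single selected version
                    versions = [struct.unpack("!H", data[0:2])[0]]
    return {"type": "ClientHello" if hs_type == 1 else "ServerHello", "versions": versions}


def assess(record: bytes) -> Dict[str, object]:
    """Classify one hello against the TLS 1.2 floor.

    A ClientHello without supported_versions only reveals the client's maximum;
    the server may still select something lower, so the ServerHello is authoritative.
    """
    info = parse_hello(record)
    versions = info["versions"]
    names = [TLS_VERSIONS.get(v, f"0x{v:04x}") for v in versions]
    if info["type"] == "ClientHello":
        if max(versions) < MINIMUM_ALLOWED:
            verdict = "client cannot negotiate TLS 1.2: upgrade or replace"
        elif any(v < MINIMUM_ALLOWED for v in versions):
            verdict = "client still offers early TLS: fallback possible"
        else:
            verdict = "client offers TLS 1.2 or later"
    elif versions[0] < MINIMUM_ALLOWED:
        verdict = "early TLS negotiated: disable on server"
    else:
        verdict = "TLS 1.2 or later negotiated"
    return {**info, "names": names, "verdict": verdict}


def _wrap(hs_type: int, hello: bytes) -> bytes:
    """Add handshake and record headers (record version 0x0301 as real clients send)."""
    hs = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


def build_client_hello(legacy_version: int, supported: Optional[List[int]] = None) -> bytes:
    """Construct a minimal ClientHello record (constructed sample, not a phone capture)."""
    hello = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"   # version, random, no session id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"                          # one placeholder cipher suite
    hello += b"\x01\x00"                                                 # null compression only
    exts = b""
    if supported:
        lst = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(lst)) + lst
    return _wrap(1, hello + struct.pack("!H", len(exts)) + exts)


def build_server_hello(selected: int) -> bytes:
    """Construct a ServerHello selecting `selected` (TLS 1.3 signals it via the extension)."""
    hello = struct.pack("!H", min(selected, 0x0303)) + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    exts = b""
    if selected >= 0x0304:
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + struct.pack("!H", selected)
    return _wrap(2, hello + struct.pack("!H", len(exts)) + exts)


# Constructed samples standing in for captures from three phones and two servers.
SAMPLES = {
    "legacy phone (TLS 1.0 max)":   build_client_hello(0x0301),
    "TLS 1.2 phone":                build_client_hello(0x0303),
    "TLS 1.3 client with fallback": build_client_hello(0x0303, [0x0304, 0x0303, 0x0301]),
    "server accepting TLS 1.0":     build_server_hello(0x0301),
    "server negotiating TLS 1.2":   build_server_hello(0x0303),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        r = assess(rec)
        print(f"{label:30} {r['type']:12} {', '.join(r['names']):26} {r['verdict']}")
```

Treat the ServerHello as the authoritative answer: a ClientHello with legacy version 0x0303 and no supported_versions extension only says the phone's maximum is TLS 1.2, and a server that still permits fallback can select TLS 1.0 for it. A ServerHello carrying 0x0300 to 0x0302 is exactly the fallback that PCI DSS requires you to disable, and a ClientHello whose maximum is below 0x0303 identifies a phone that has to be replaced rather than reconfigured.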
Cisco's current portfolio of IP phones and video endpoints meets these PCI requirements. The 8800 and 7800 series phones have replaced earlier models, which could not support the higher processor demands of running TLS 1.2 and could not disable the earlier TLS versions.
Cisco is gradually deprecating older phones that cannot support TLS 1.2 from Cisco Unified Communications Manager to eliminate the risk of exposing sensitive data. It is important to budget for phone replacement, as the majority of these older models will start to be removed from Unified Communications Manager by the end of 2019 and will be fully deprecated by 2021.
With Collaboration System Release 12 (CSR 12) Cisco has addressed these security issues. See the following links for more details.