The SIP World Gets Shellshocked. What You Should Know.

The internet has changed the way we work, shop, connect, communicate, and entertain ourselves. For most of us, it represents an opportunity to simplify tasks and broaden our world. For a very few, it represents an opportunity to do harm. Usually, these bad actors are stopped by security protections deployed by system administrators, but once in a while, vulnerabilities are uncovered that might let someone with nefarious intent gain access to systems or hardware that they are not authorized to control. Shellshock is the name for a recently uncovered vulnerability of this type.

What is Shellshock?

Shellshock is the name given to a vulnerability in a Linux process called Bash.  Bash is an almost ubiquitous program that is present on just about every Linux-based computer and device in the world.  You may have used it if you’ve used the “command line” on Linux, Mac OS X or Android, all of which run a Bash shell. By exploiting this vulnerability, a perpetrator could run code directly on the attacked system, opening the door to all sorts of mayhem.

What Can I do to Protect Myself?

After the last well-known vulnerability, Heartbleed, was discovered, people were encouraged to change their passwords. Unfortunately, that won’t help against a Shellshock exploit. There actually isn’t much that most people can do in this case. System administrators, operating system and hardware vendors, and hosted services providers will need to apply software patches that address the problem.  Individuals should install any software updates related to web-enabled devices as soon as they are available. Google, Amazon, Apple, and other major vendors have already released updates. Mac hardware is particularly at risk, so users should pay careful attention to updates. Internet routers can also be at risk, so be sure to apply any updates if it isn’t done for you automatically.

How is SIP.US Protecting Clients?

Like many other SIP and VoIP providers, SIP.US does leverage Linux. To protect our clients, we have applied a Bash update to all of our servers.  There is no action needed on the part of our customers, but please do apply any updates you receive from the manufactures of hardware located on your site. We are not aware of any customers being impacted as a result of this vulnerability. Unfortunately, IP based communications systems are a favorite target of attackers, so we must remain vigilant.

We will continue to keep you updated. Rest assured that we are committed to safeguarding the security of your SIP.US solution.