Austen Read-McFarland, Author at Wildix Blog

7 March 202231 March 2022

Russian Cyberattacks: The Most Secretive Security Risks, Uncovered

Today, the arms race has shifted from better ways of creating ever-more-dangerous bombs to better ways of bypassing digital security. Much like the nuclear focus from before, however, one of the main adversaries in this ring is Russia, whose efforts to infiltrate digital databases have extended everywhere from political organizations to power plants — all the while proving as effective as they are elusive.

Still, government intelligence from around the world has been able to track and identify many of these Russia-originating threats. In the process, these agencies have uncovered both the identities of these groups and their most common methodologies for cyberattacks.

Now that Russia has made physical incursions on the world, it can’t be understated how vital it is for digital communications experts to understand how these groups operate. To keep yourself safe, it’s all the more important you know what threats are out there.

Snake

One of the foremost figures in the Russia-based digital rogue’s gallery, Snake is a hacking collective believed to have been in operation since 2004. The association is considered by Germany’s Federal Office for the Protection of the Constitution (BfV) to be “the Holy Grail of espionage” and is given the highest possible ranking on the Advanced Persistent Threat (APT) index.

The first known attack by Snake was conducted in December 2017, when malware infecting the German Foreign Ministry began commanding their computers to contact spoofed websites. This allowed Snake to collect data from the ministry’s servers and access classified documentation.

Fortunately for investigators, however, the cyberattackers left two usernames in the hacked databases: “Vlad” and “Urik,” which despite their vagueness, proved to be enough of a lead to trace the attacks back to the Russian company Center-Inform. Since Center-Inform has known ties to Russia’s Federal Security Service (FSB), intelligence communities around the world have largely concluded that Snake operates as a Russian state-sponsored cyberattack group.

Both the German BfV and the Canadian signals intelligence agency CSE describe the malware created by Snake as “genius” in design. This praise mainly speaks to how effective the malware is at conducting actual cyberattacks: once it’s infected a computer, it takes very little effort or expertise for a hacker to use it for illicit data collection.

Of course, that’s only the case if devices get infected at all — but as other examples show, that initial infection doesn’t always come from a forced entry into systems.

Fancy Bear

If you paid much attention to American politics circa 2016, this name may already be familiar to you. Fancy Bear, also known as APT28 or Sofacy, exploded into the mainstream after being linked to the cyberattacks conducted on the Hillary Clinton presidential campaign, the Democratic National Committee and the Democratic Congressional Campaign Committee in 2016. However, the group is believed to be responsible for other attacks between 2014 and 2018 on high-profile entities, including the World Anti-Doping Agency, the Organization for the Prohibition of Chemical Weapons and the Spiez Swiss Chemicals Laboratory.

Fancy Bear’s targets aren’t limited to the United States and western Europe — or even to organizations. Other notable victims of the group’s cyberattacks include journalists from Russia, Ukraine and Moldova who wrote critically about Vladimir Putin. Between 2014 and 2016, amid Russian incursions on Ukraine and Crimea, cyberattacks associated with Fancy Bear even hit Ukrainian artillery units and rendered them inoperative.

The targets of Fancy Bear being largely those within Russian state interests, it’s easy to assume they’re associated with the Kremlin. But more definitively, investigations carried out by the cybersecurity firm CrowdStrike, the UK’s Foreign and Commonwealth Office and the US Special Counsel have linked Fancy Bear to the Russian government and Russia’s GRU intelligence agency.

What makes Fancy Bear stand out among cyberattackers is its methodology. The group typically obtains its data not through forced infiltration but through social engineering: It creates websites that deceive users into inputting confidential data, and many of its campaigns have been the result of phony communications that trick recipients into providing login credentials (known as “phishing” or, in the case of targeting one important person or account, “spear phishing”). Once targets click on these websites or input their credentials, Fancy Bear will infect a device with software that illicitly collects data from the device itself and the adjoining network.

Fancy Bear is quite effective at what it does, even capable of carrying out multiple hacking campaigns simultaneously. However, it’s far from the only Russia-associated group to use such techniques.

Cozy Bear

Another Russia-linked entity known to make heavy use of phishing is Cozy Bear, also called APT29 or The Dukes. In operation since at least 2008, Cozy Bear is believed to be associated with Russia’s Foreign Intelligence Service (SVR) and targets government networks throughout Europe, especially NATO member nations. Other targets of the group include think tanks and, reportedly, the Democratic National Committee in the United States.

Cozy Bear’s most impactful cyberattack came in 2020 with the massive SolarWinds data breach. SolarWinds, a technology firm in the United States, was covertly infiltrated by Cozy Bear affiliates to plant data-gathering malware in the company’s main system. This hack soon spread to thousands more victims as SolarWinds unknowingly distributed the altered code via a patch update — passing the exploit onto major customers, including Microsoft, Intel and the US Department of Defense.

Like Fancy Bear, Cozy Bear uses spear-phishing as its primary means of entering systems, with enormous campaigns attempting to solicit credentials from major figures in target organizations. The group is known for dogged persistence in these efforts as well and will typically launch fresh efforts against established targets if access is shut off.

Sandworm

While this group is often known by its Dune-referencing name, it’s also called Voodoo Bear in some circles (apparently, someone in cybersecurity quite enjoys an ursine naming convention). But whatever name the group is given, Sandworm ranks among the most infamous of Russia-linked cyberattackers.

Reportedly associated with GRU, the group carried out the single most extensive cyberattack in history with its NotPetya malware attacks, which in 2017 simultaneously hit France, Germany, Italy, Poland, the UK, the United States and especially Ukraine, costing the victims a combined $10 billion in damages.

In more recent efforts, Sandworm has developed malware called Cyclops Blink, which malicious agents have placed on network devices produced by the IT security vendor Watchguard. According to US intelligence agencies, Cyclops Blink is likely a successor to Sandworm’s own VPNFilter program; years earlier, VPNFilter infected network routers and spread to half a million machines, turning them into a global botnet controlled by Sandworm and, by extension, the GRU.

But, what was the ultimate goal of VPNFilter? Or, for that matter, of Cyclops Blink? Concerningly, we don’t actually know. As likely as it is that Sandworm has installed this malware for surveillance purposes, it’s just as possible that they’re setting up a digital infrastructure for covert Russia-originating communications. Similarly, the reason could be to lay the groundwork for a massive disruption of affected networks — it’s worth remembering, after all, that Sandworm was able to take down significant parts of Ukraine’s electrical grid in 2015.

The good news is, in the case of Cyclops Blink, Watchguard successfully patched the vulnerability Sandworm used for entry, and users can wipe the malware by clearing their machines and reinstalling the software. However, the example still illustrates that personal hardware can be made into unwitting tools for cyberattacks.

Best Practices & Lessons Learned

As shadowy and unstoppable as all of these groups want to be seen as, the fact remains that none of their methodologies are a guaranteed means of entry. Even when skilled cyberattackers lurk online, a combination of best security practices and smartly designed software is bound to keep you safe.

Chief among these best practices is to be educated against phishing attempts. This means not clicking suspicious links, not responding to spam emails and never replying to messages with your login credentials or account recovery info. Just by steering clear of shady websites and files, you’ll be keeping yourself fairly safe, but you should also consider further securing any important accounts with two-factor authentication or single sign-on.

In terms of system infrastructure, moving from on-premises hardware to the cloud will also offer significantly improved online protection. Consider how often cyberattackers have used malware and exploits in hardware to carry out their efforts: when a system moves to the cloud, this risk is largely mitigated, both because vulnerabilities are patched as soon as the associated hotfix is deployed and because there’s no longer any traditional “hardware” to infect.

More broadly speaking, of course, it still pays to be using a system that itself utilizes smart security protocols. As far as digital communications are concerned, Wildix distinguishes itself with a structure that’s fully secure by design thanks to a combination of technologies that protect users from infiltration and eavesdropping without VPNs, SBCs or other add-ons. You can read more about Wildix’s security practices in our free white paper.

However you choose to operate, doing so in full security has never been more crucial. As Russia encroaches on Ukraine, they’re likely to relaunch cyberattacks with renewed force — likely roping foreign hardware into their efforts in the process. If you’re looking for some way to work against these war efforts, it truly can start with understanding Russia’s most common methods of cyberattack and keeping your devices safe against them.

For more tips on cybersecurity and digital safety, subscribe to receive our magazine for free!

16 February 202230 August 2022

Women in Tech: Cyna Milinazzo, President and CEO of Liberty Communications

Cyna Milinazzo is the owner of Liberty Communications – a telecom provider in Colorado and proud Wildix partner.

I had the privilege to sit down with her to discuss her background in telecom services, her experience as a woman in the industry, and why she chose to partner with Wildix:

Cyna Milinazzo in Her Own Words

My introduction to the telecom industry came in 1985 when I began my career working for my brother’s telecom business. After a few years of managing his office, I expanded my knowledge in the industry by moving on to work for a business that specialized in underground cabling. Unbeknownst to me at the time, the experience I gained from this transition set the stage for pivotal business decisions I would make in the future.

Eventually, I found my way back to working with my family as I partnered with my three brothers to run our own telecom company, which also came with all of the inherent ups and downs of running a family business. Even though I had the least ownership of this company out of all of us, I always treated it as my very own knowing that someday I would love to break out on my own in the telecom industry.

In 2006 when I asked my husband to quit his electrician job and join me in starting a new company, I was thrilled when he actually took me up on my idea!

We created Liberty Electric, specializing in low voltage structured cabling as a subcontractor for many small telecom companies in the Denver Metro area.

Starting a new business wasn’t easy – there is always tremendous risk with a startup, and Liberty Electric wasn’t even profitable for the first year.

It was a scary time financially as I continued working with my brothers while my independent cabling company grew.

I finally decided to take the leap in 2011 and left the family business to devote all my time to my own company.

In order to incorporate my expertise and provide our customers with comprehensive solutions, I expanded Liberty Electric by bringing in telecom services and updating the company name to Liberty Communications. My business has been flourishing ever since, and I’ve never looked back!

A year and a half ago when Wildix approached me, at first I didn’t see a need to add Wildix to our array of products. It has always been a challenge to gain more market share without losing the “boutique” approach we offer our customers, and I’ve always been committed to remaining focused on this integral aspect of our business model.

I had begun to notice a shift in the market at that time, though, and I was just starting to realize that I needed to be thinking about ways to differentiate Liberty Communications from others in our field.

Although we have been courted by many different vendors over the years, we’ve always been very selective about who we decide to take on.

After learning more about Wildix we were confident that you’re one of the good ones – I am so happy that Liberty Communications made the decision to add you as a vendor.

I envision Wildix as our vehicle for achieving a leading role in the Colorado market without losing what makes us special.

Being a woman in a traditionally male-dominated workforce has its challenges – finding the right network to move beyond plateaus can be tough.

Twenty-some years ago it was quite a challenge for a woman to gain respect in male-dominated industries such as IT or construction; today, challenges still exist but are often more subtle.

When starting out in the telecom industry, I let myself be somewhat shielded behind my brothers as I navigated the system and learned invaluable lessons. I’ve been ignored by owners and contractors, excluded from construction meetings, and dismissed when trying to set sales calls.

After years of persistence, I’ve gained much more knowledge and distinction in the industry, and am now well known for my expertise and enthusiasm.

I’ve now been in the industry for so long, other telecom companies contact us for help when they need a hand – everyone in the area knows that Liberty Communications is there to help, without a second thought, and that we deliver quality products and reliable services.

I could have let challenging situations scare me off, but I embrace the fact that some say I’m sort of a “bull-dog” in male-dominated industries.

I even now also own a roofing company serving clients in the Denver Metro area as well. And I’m proud to have developed Liberty Communications as a company of go-getting, powerful women who support and inspire each other to be the best they can be every day.

On top of owning small businesses, I’m a wife, a mom, and a caregiver for my own mother. Finding my work-life balance can be difficult, as it is for many women, but at the end of the day I love to work, and this business is my passion.

I’m living the life I want and am lucky enough to not only have a supportive family circle behind me but to also be surrounded by hard-working, inspiring men and women every day at Liberty Communications.

Update

Since the original publication of this article, Cyna was chosen as one of the 2021 CRN Women of the Channel. With unprecedented circumstances causing massive overhauls in the industry, CRN focused on honoring women who lead their companies through times that were anything but normal.

“During the pandemic, Milinazzo’s role was not only to maintain growth goals but provide greater value and application of the company’s technologies. She sustained business in the channel and grew it 20% over the previous year.”

1 February 20225 February 2024

Are Your Desk Phones Listening In On You?

Yealink vulnerabilities show how that in UCC, security matters

For better or for worse, data collection is something many of us have become accustomed to. From cookies on webpages to search terms being tracked, our activity over the internet is normally monitored to some degree, even to the point of general acceptance.

That said, as much as we’re used to that level of web tracking, we would be shocked to learn of similar tracking happening over business telephone systems. After all, it’s highly unusual for office phones to be actively gathering data on us, in particular because for most businesses, voice calls are where highly confidential knowledge is exchanged.

So, what happens if it becomes clear your phone system has the capability of actively listening in on you?

Worse, what if you can’t even know for sure who’s on the other end of the line?

Security Concerns from Yealink

These questions are especially relevant for business owners now in the wake of a troubling report regarding phones by the Chinese-based vendor Yealink, especially their T54W devices, which raised concerns about the privacy and security of the company’s hardware.

On September 28 of last year, US Senator Chris Van Hollen (D-Md) filed a letter to the US Department of Commerce referring to a report conducted by the consulting firm Chain Security. In that referenced report, Chain Security noted numerous security flaws in Yealink devices, along with numerous functionalities that appear to intentionally gather customer data.

More worrying still, Chain Security’s report concluded it is “highly likely” that Yealink is sharing customer information directly with the Chinese government, especially through its hardware.

This data gathering appears to occur primarily through how Yealink phones interface with company networks and PCs. Namely, Yealink devices make use of a device management platform (DMP) to connect to programs running on the PC. In most circumstances, this would be perfectly normal for the vast majority of VoIP hardware that connects to a PC-based system.

What’s far less normal, and even outright alarming, is the fact that the Yealink DMP is then capable of recording voice calls and even tracking web history on that connected PC — both without the end-user’s knowledge.

Potential Tracking Components

According to the Chain Security report, the Yealink DMP “collects and retains the WAN IP” of the end-user’s device, and can log any web traffic from devices connected to it. This is in addition to how the DMP collects call records conducted either on the phone or any devices connected to it.

All this is worth noting in particular because the Yealink DMP can be operated by a remote Yealink employee, who can use the platform to access any collected data, be that IP addresses, web traffic or entire call recordings.

More concerning still, using the Yealink DMP, remote Yealink employees can at will enable recording on an active call and retain the recording afterwards

This access doesn’t appear to be used by Yealink on an occasional basis, either. Chain Security also notes that during “normal operations” Yealink phones communicate with Chinese-controlled AliCloud servers, suggesting potential control and interception of the exact kind described above.

Metaphorically speaking, none of this may be an actual fire, but the monitoring activity combined with the server contact certainly make for a lot of smoke. (Things get even more suspicious as we consider Yealink’s direct and long-established ties to the Chinese government and their continued data sharing with them, Chain Security likewise reports.)

Broader Security Concerns

Beyond these problems, Yealink devices in question appear to have just plain obvious security flaws — ones which may compromise an entire company server.

Chain Security points out that Yealink phones are “pre-configured to accept credentials for connection and access to the device from 187 ‘trusted’ digital certificate authorities.” In other words, entirely unknown to the end-user, Yealink devices may be accessed by an incredible amount of additional entities, meaning if any such users are compromised they’ll have easy access to Yealink end-users’ networks.

But hackers may not even need to be a “trusted” authority anyway. Unknown entry to the device is further blown open by its inability to protect against brute force login attempts, meaning hackers are fully capable of accessing it simply by guessing username/password combinations.

As if these factors weren’t bad enough, the Yealink devices lack industry-standard digital signatures to authenticate valid changes to firmware. As a result, if external actors gain access to the phones, they can instantly overwrite current software on them so long as the new firmware is compatible with the hardware.

This easily means a hacker can install firmware that surveys not just what’s recorded on the Yealink phone (using the aforementioned data collection it performs), but even activity across the entire company network.

The Bottom Line on Yealink Devices

What this leaves us with is a phone that can record calls, IP address and web activity — all at any time and without the end-user’s knowledge — and communicate that data elsewhere.

While it’s easy or even proactive to assume the data will end up at Yealink or even the Chinese government, it’s just as possible that entirely unknown agents can exploit the vulnerabilities in these phones for their own ends. Either way, the result is far less than desirable for any business.

By all accounts, even in an age where data collection is to be expected, the security architecture in Yealink phones allows for far more surveillance than any business should feel comfortable with.

Bigger Takeaways

While this should certainly serve as a warning for anyone interested in Yealink phones in particular, we can also draw larger security takeaways here.

It should be first noted that using this example to cast doubt on all Chinese-produced hardware would be ridiculous; after all, an enormous number of devices are produced in China and have nowhere near these issues.

The actual bigger questions are those over security and trust in general. As this example shows, communications hardware has incredible potential to intrude upon your privacy, even to the point of acting as a covert surveillance device right on your desk.

To keep yourself secure, it’s vital that you be able to trust the manufacturer of VoIP devices. The vendor needs to be able to demonstrate not just effective security measures, but a willingness to give up their own control of devices outside applying necessary software updates.

When considering a new vendor, then, there are plenty of important questions to ask: for example, how much is your vendor telling you about the security parameters in their hardware? What role does the vendor play in managing the device after it’s sold? What ties does your vendor have to other entities that might want your business’s information?

Above all, if a vendor is holding onto things like permanent DMP access, it should instantly raise a red flag. Capabilities for remote control in this manner are all but certainly going to be either poor security design at best, or active attempts at datamining at worst.

To keep your business fully secure, it’s crucial to weigh these factors such as much as any other security points. If you can’t trust your vendor to protect your own privacy, after all, what good are they as a technology partner? And if they’re clearly sharing data with a government involved in information warfare, the situation only becomes more problematic.

When you weigh your options for hardware, then, don’t just consider security in broad terms. Just as vital is to consider how much trust you can put in the vendor to keep you safe — or, more important still, whether the vendor itself is a potential security threat.

To see how Wildix designs security in our UCC systems, check out our free white paper.

For more updates on security in the UCC industry, subscribe to receive our magazine for free!

6 January 202212 February 2024

E911 Regulations: What MSPs Need to Know

Explaining the US emergency service laws your phone systems must follow

Adhering to regulations is crucial for any business, and telephony providers are no different. PBX installations in particular, on top of adhering to customer expectations, must also follow legal standards in order to steer clear of fines, litigation and other significant penalties.

In the US, some of the most important telephony regulations are those around Enhanced 911, or E911. These are crucial to know about because they don’t simply regulate how you sell PBXs or how they may be used — instead, they specify exactly how dialing emergency numbers must work for a multi-line telephone system (MLTS).

If you plan at any point on selling an MLTS in the United States, these are the main points of E911 regulations you need to know.

What Are E911 regulations?

Like the name implies, E911 regulations require that any time 911 is dialed, the call itself communicates additional information to emergency dispatchers.

In short, E911 laws require that every 911 call must also convey:

- A callback number for emergency services (either for the device placing the call or a central agent on the site of the MLTS)
- The location of the device that called 911

These requirements were put in place by two federal US laws: Kari’s Law and Ray Baum’s Act.

Let’s dive into both of them now for more detail on the technical requirements behind E911.

The E911 Laws

1. Kari’s Law

Adopted by the Federal Communications Committee in 2019, Kari’s Law establishes two main requirements for 911 calls.

The first requires that emergency services are immediately contacted when “911” is dialed on an MLTS device, without having to dial for an external call. In other words, the dialer must not have to take an additional step before sending the emergency alert: simply entering “911” on the device must be enough to contact emergency dispatchers.

The second part of this law is more complex. This section specifies that any time a 911 call is dialed through an MLTS, a notification is simultaneously sent to a “central operator” who is on the same premises as the MLTS.

This “operator” can be most anything: a front desk, a security office, the IT department or similar. The agent just has to be a person who’s on premises and will actually see the alert.

Likewise, there’s room for you to decide what the notification is. To meet legal requirements, the alert can be an email, a text message, a screen alert or any other electronic message. It simply has to be sent right as the PBX issues a 911 call, and it must be prominent enough that the operator on the premises is unlikely to miss it.

So, what exactly should this notification say? Here, requirements become stricter.

Per Kari’s Law, this notification must convey, at a minimum, the following information:

- The fact that a 911 call has been made
- A valid callback number for emergency services
- Details on the caller’s location, which the MLTS also sends to the public safety answering point (PSAP) as part of the 911 call

It’s worth noting that points 2 and 3 can, in some instances, be waived. According to the law, if it is “technically infeasible” to add this information to the notification, it isn’t required to provide it.

However, if you can’t provide that info, you will have to prove that it’s “infeasible” for the system to provide it, which of course will be a complicated process. All in all, it’s best to simply include that information from the start to make things move most smoothly.

2. Ray Baum’s Act

While not entirely about 911 calls, Ray Baum’s Act features a portion that applies to E911 considerations.

According to Section 506 of this act, all 911 calls must include a “dispatchable location” embedded in the call (regardless of what device they originate from).

“Dispatchable location” here means a specific street address, plus any additional information required to pinpoint the exact calling location, like apartment number or suite number. In short, the call must also carry data specifying exactly where emergency dispatchers should go.

This ties into point 3 from the second part of Kari’s Law mentioned above, and the good news is by covering this requirement from Ray Baum’s Act, your phone system will fulfill that part of Kari’s Law as well. It’s simply worth mentioning because by not having it, you run the risk of violating two regulations.

It’s also important to note that all devices, both fixed and unfixed, must be in compliance with Ray Baum’s Act by January 6th, 2022. So if by early 2022, your unfixed devices can’t report a dispatchable location to 911 operators, you will be considered in violation of this law.

So in brief …

Here’s a quick overview of what your phone system needs to meet E911 regulations:

If you’ve installed an MLTS, each phone on the PBX must reach emergency services immediately just by dialing “911” (not requiring the dialer first push a key to make an outbound call).
Any time 911 is dialed, the MLTS must also send a prominent notification to a central operator on site, and the notification must include:
- The fact that a 911 call has been made
- A callback number that emergency services can reach
- Information on the 911 caller’s location
Any system must also tell emergency services the street address (and, if necessary, apartment or room number) from which the call was made.

What happens if you’re not compliant?

If you install an MLTS without meeting the three requirements above (or a phone system that doesn’t fulfill point number 3), your business will become liable under federal law. (It should go without saying this isn’t a preferred state to be in.)

Specifically, businesses that don’t adhere to these laws face fines of up to $10,000, with a further fine of $500 each additional day that you are not in compliance.

For US telephony providers, staying in business all but requires fulfilling these federal regulations.

How do you ensure compliance?

Obviously, there are two ways to stay in compliance with these laws: either have a system that’s compliant from the beginning or alter a noncompliant PBX to become compliant.

If you’re taking that latter option, the good news is that creating compliance with Kari’s Law is fairly straightforward. As any technician can tell you, removing external dialing requirements from 911 calls is not a hard exception to add to a dialplan. Likewise, it’s not much of a hassle to make an MLTS send the required notification any time 911 is dialed from it.

However, the bad news is that guaranteeing compliance with Ray Baum’s Act is nearly impossible without support from your vendor.

If your devices don’t already have capabilities for location reporting (or else don’t communicate this), adding in locations threatens to become a taxing process. Obviously, it will mean you’ll need to input the information yourself — but depending on your PBX’s setup and your vendor’s degree of involvement, this may turn into hours of manually adding the locations for each device into your system.

Consider also that this process is only for fixed devices. For unfixed devices, manually inputting locations will be outright unachievable — since, of course, users might move the devices from where you said they were.

Ideally, if your devices can’t provide location details upfront, your vendor will give you some easier way of adding in this info or even help with the process. If not, you’ll be stuck singlehandedly putting additional work into a system you no doubt already went through a lot of hassle to simply sell.

The easier alternative, of course, is to just use a system that’s compliant with these regulations to begin with and is supported by its vendor when it comes to inputting additional information.

What’s a good compliant system?

For a PBX that’s capable of acting as an MLTS and more — all while being fully in line with Kari’s Law, Ray Baum’s Act and other E911 regulations — an excellent choice is Wildix.

For starters, every Wildix system is ready-made to easily comply with Kari’s Law. By default, Wildix PBXs do not require a prefix to dial an external line.

So long as “Prefix for external line” is empty, your Wildix PBX will comply with the first part of Kari’s Law.

The Wildix system can also be set up to send the required emergency notification to any call group the end-user requests, as outlined in Wildix technical documentation.

So, what about the more difficult part, conveying a dispatchable location? Here too, the Wildix system features full compliance with little difficulty on the MSP’s part.

With the use of CLASSOUND, Wildix’s premier voice system for cloud-based international calls, specific geographic locations can be bound directly to fixed phones, not simply to the devices’ DIDs. For unfixed devices, Wildix Collaboration, Wildix’s main calling app, automatically tracks location through a built-in geolocation feature.

How E911 reporting is conveyed through the Wildix system

As important as it is to be in compliance with federal law, getting there shouldn’t have to be a painstaking process. With Wildix, MSPs have full legal compliance as the factory default on their systems and the full backing of their vendor in achieving compliance on any installation.

For more tips on managing your PBX, subscribe to receive our magazine for free!

2 August 202125 February 2022

WebRTC, a Critical Component of VoIP and UCC

Why your communications system needs this pivotal web technology

The effectiveness of any unified communications and collaboration solution depends on the working parts inside it. As your organization’s main data channel to customers and colleagues, your VoIP system must have smart technological components to function safely and efficiently.

But, how do you determine something so important, especially if you don’t have much detailed technical knowledge? One of the easiest ways is to check if the solution uses WebRTC, a highly effective component for VoIP technology.

For the biggest reasons why, this post will take you on a deep dive into WebRTC and how it works.

What Is WebRTC?

Short for “Web Real-Time Communications,” WebRTC is an internet technology that was created in 2011. The technology itself is a collection of Javascript APIs, or functions and commands created from existing code in web browsers. Its purpose is to collect data input by users, then transfer that information directly to a contacted second party.

Notably, WebRTC is open source, meaning anyone can add to it, develop it or use it entirely for free. All this is great news for developers because WebRTC is immensely helpful for creating a wide variety of web communication tools.

The primary reason why is its usability. As previously said, WebRTC allows for instant data collection and transfers, making it a highly effective way to establish online communications. While it’s primarily known for voice and video streaming, it can also exchange other data such as text or files.

However, what’s especially groundbreaking about WebRTC is that it works entirely as its own web component. Regardless of whether you’re sending or receiving information, this technology will always handle the operation itself, without additional plugins. This means that when an application uses WebRTC, it will never need additional installs to perform real-time communications.

Another significant advantage is that WebRTC handles data transfers through peer-to-peer connections. Rather than going to a server, the information streams directly from one user to the other. This further increases its ease in development and usability by simplifying the communications process as a whole.

WebRTC for Browser Applications

Unsurprisingly, then, one of the biggest advantages of WebRTC is enabling VoIP solutions or even video calling applications to run directly in the browser.

Put another way, a significant number of UCC and VoIP services have to be downloaded and installed to operate. However, this can often create a less intuitive user experience. If you only use UCC for the occasional video meeting, it can be annoying to launch an additional app every day. Alternatively, if you work within your browser, switching from it to a separate program wastes time and decreases focus.

But with WebRTC, users don’t have to bother with these tedious processes. The nature of this technology means that all your communications happen right in the browser, all as soon as you log in.

Because WebRTC works through fundamental web coding, this convenience extends to all major browsers as well. Google Chrome readily accepts all WebRTC content, as do Mozilla Firefox, Safari and Microsoft Edge. The same goes for mobile browsers, meaning you don’t need a separate mobile app to use these tools on the go.

WebRTC and security

Considering how frequently cyberattacks target UCC systems, it’s especially convenient that WebRTC features plenty of built-in security measures.

Notably, WebRTC establishes its communications through direct peer-to-peer connections. This means that instead of sending you to a third-party server, you are patched directly to the other user. As a result, your communications are accessed by exactly two entities: yourself, and the person you’re talking to. At no point in the process is your data accessed by an additional piece of hardware or technicians.

This is vitally important for security because it minimizes the stages during which your data can be illicitly accessed. If your communications are routed to an external server, hackers may be able to breach it and intercept your data there. If your connection is accessed by techs or data is offloaded, it can be picked up by hackers there as well. By eliminating these vulnerable points, WebRTC limits how hackers can access your data and keeps your communications far more secure.

However, even without servers, data can still theoretically be hacked during its peer-to-peer transfer between applications. Fortunately, WebRTC includes built-in measures to prevent this.

WebRTC also features data encryption, or protocols that encode your data to prevent illicit access. Two measures — Datagram Transport Layer Security (DTLS) and Secure Real-Time Protocol (SRTP) — work in tandem for this process.

As a result, your data is encrypted with codes that are:

- Highly complex
- Unique to this one communications session
- Verified at the beginning of the session as unique and complex
- Never decrypted before reaching the users’ application

These factors all ensure that there is a minimal chance of hackers gaining access to your data. Even if they intercept it, they will have virtually no ability to decode and consequently use it.

WebRTC also provides built-in protections against intrusions by being hosted entirely within your browser. Since WebRTC doesn’t need any installations to run, it doesn’t actually exist on any files in your computer. This means that even if hackers remotely access your device, they will have no way to access your actual communications system.

Finally, because WebRTC runs directly in the browser, it is automatically updated every time your browser gets an update. This means getting the latest version of the tool just takes re-launching your browser, further streamlining overall usability.

WebRTC and Wildix

All these reasons are why Wildix is built primarily on WebRTC, and how Wildix gains tremendous security and ease of use.

Thanks to WebRTC, Wildix can launch a full suite of communications tools right in your browser. With no additional downloads, you’ll have access to chat, voice calls, video conferences and even full-on webinars.

As for security, Wildix gains additional inherent protection thanks to its foundation on WebRTC technology. With direct peer-to-peer connections and innate encryption for all your data, Wildix achieves total data security without sacrificing usability.

With highly effective, enterprise-grade capabilities across the board, Wildix makes the most of WebRTC for a truly effective UCC solution. As far as modern communications systems go, it easily leads in the market by utilizing and even expanding on this key Open Source technology.

For more insight on UCC technology, subscribe to receive our magazine for free!