Page Comparison

Scroll export buttonscopecurrenttemplate-id0fa09813-8b86-460a-aa1d-ef450a80e9cequick-starttrueadd-on

Security is a top priority for Wildix and all the security features are built-in inside the product, which means the Wildix System is Secure By Design and security is not delegated to third party devices.

All Wildix products are regularly controlled for security breaches and upgrades are made available whenever any breaches are discovered in Wildix services or in third party libraries used by the system.

Security measures in place

We support the following security and encryption protocols and reporting tools:

• Single Sign-On with Active Directory, Google, Microsoft Office 365

• 2 Factor Authentication when using Google, Microsoft Office 365 Single Sign-On

• SHA-512 hashing + salt, for storing user passwords securely

• TLS encryption of HTTPS traffic to the PBX, screen sharing sessions, Wizyconf conferences

• SIP TLS - SIP signalling over TLS

• SRTP - SDES-AES 128 encryption of voice / audio, including Wizyconf conferences

• DTLS-SRTP - TLS encryption of voice / audio, including Wizyconf conferences

• VPN AES encrypted traffic between PBXs

• LDAP via TLS

• SMTP / IMAP / POP3 connections over TLS

• SSH console access

• Intrusion detection over all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)

• DoS protection over all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)

• SIP SBC built in

• Protection against cross-site request forgery (CSRF) attacks

• Requirement for secure passwords

• Support for Zabbix monitoring

• Report of intrusion attempts detected within the System

All these security measures are enabled by default on all Wildix Phones Phones and Media Gateways connected to the system. All Wildix Phones and Media Gateways cannot be accessed by using Master Passwords.

Check of certificates

PBX certificates and licenses are checked daily. The PBX TLS certificates are generated automatically and updated every two months if the PBX is reachable via the internet via https. In case the PBX is not reachable via internet, a certificate must be loaded manually and then updated before its expiration. The daily check makes sure that:

...

• The check is executed daily at a random time, this can be modified to run at a regular time or day of the week
• The connection is made to the server api.wildix.com; optionally via an http proxy (to the server wmp.wildix.com, in case WMS version is lower than 3.86)
• The protocol used is based on HTTPS with high level encryption, no incoming connection is needed for the system check to work; the protocol can also work through a customer’s web proxy
• The average data size exchanged on the connection is 2 Kb daily
• The system ignores a failed connection attempt for up to 14 days; it is possible to keep the system offline and reconnect it to the Internet at least once every two weeks
• After 14 days offline the system limits available features to guarantee the customer safety. An alert is given to the users of the system. To restore a full operational system it is sufficient to permit the outbound connection and sync licenses in WMS (Refresh via Internet option on the page Activation / Licenses)daily
• The system ignores a failed connection attempt for up to 14 days; it is possible to keep the system offline and reconnect it to the Internet at least once every two weeks
• After 14 days offline the system limits available features to guarantee the customer safety. An alert is given to the users of the system. To restore a full operational system it is sufficient to permit the outbound connection and sync licenses in WMS (Refresh via Internet option on the page Activation / Licenses)

2FA and location-based MFA security methods

Two-factor (2FA) and multi-factor authentications (MFA) are security mechanisms that require users to provide two or more means of identification before accessing a system or application. At Wildix, we support methods that include authentication via email, SMS, external applications, and location-based authentication:

• Email and SMS-based 2FA involve sending a unique code to user's email or mobile device. After receiving the code, users need to enter it for access to Collaboration
• External applications, such as Google Authenticator or Windows Phone Authenticator, generate a time-based one-time password (TOTP) that users enter to authenticate for access to Collaboration
• Location-based MFA works by using users' location to confirm their identity. This method relies on their physical location, determined by their IP address. If the IP address appears to be from an unfamiliar location, users need to confirm the IP address via email

The main difference between location-based MFA and other forms of 2FA is that the former is implemented at the system level, meaning it is enabled for the entire PBX. This means that all users who access the system are required to complete the location-based MFA process. 2FA via email, SMS, or external application is typically enabled by individual users on their own accounts. This means that users can choose to enable 2FA on their own accounts as an additional layer of security, and, if required, it can also be enforced by an admin via WMS.

WebRTC Security

Wildix Wizyconf videoconference, same as Wildix WebRTC phone in Collaboration use WebRTC for audio and video communications. WebRTC was born as open source project and is still under active development, however security measures were in place from the very beginning. WebRTC offers security "out-of-the-box" and in fact, this is one of the reasons why Wildix opted for WebRTC back in 2012 when we launched the Kite project and then, in 2015, we made it our technological choice, when we released the first WebRTC phone available directly in Collaboration web interface.

...

• WebRTC is not a plugin or a program installed on PC, security of WebRTC is contained directly within the browser (and, by the way, browser vendors take security seriously)
• No installation or upgrade of components is required, in case user's PC is infected by a virus or spyware, WebRTC communications are not affected by this
• If any security threat is found, it normally gets fixed very quickly and becomes available at once, user doesn't have to wait for it and install it, all WebRTC components are offered as part of a browser and they are updated as soon as the browser is updated (by the way, most modern browsers auto-update themselves)
• There is no way some website could use microphone and webcam without user's permission, since WebRTC application requires the user to explicitly give permission to use camera or microphone (in addition, WebRTC applications explicitly show to the user when the microphone or camera are being used)
• All media streams sent via WebRTC are encrypted using DTLS and SRTP making wiretapping, tampering and eavesdropping impossible (so-called "handshakes" are performed between the parties who are establishing a communication) 
• In case servers are used (e.g. TURN), they do not decode the application data layer and do not touch DTLS encryption, they cannot modify or get access to the information that is exchanged between the peers 

To learn more about WebRTC security:

• download download the white paper: https://drive.google.com/drive/folders/10GDeY0myvMlqDd5j9fDaM3NNkVXCBXUD?usp=sharing 
• read the blog post: https://blog.wildix.com/what-is-webrtc-and-is-it-safe/ 

Security vulnerabilities report

Vulnerabilities and questions about privacy must be communicated using the following email security@wildix.com, we have a Vulnerability Reward Bug Bounty Program in place. The reward will depend on the importance of the problem found. found. See Wildix Bug Bounty Program document for more details. 

Reasons to contact us at security@wildix.com:

• I’m experiencing a security problem with my Wildix account

• I want to report a technical security bug in a Wildix product (WMS, Collaboration, WMP, Kite, Wizyconf, WP, iOS / Android Wildix apps)

• I have a privacy doubt or a privacy-related question about Wildix products and services

Wildix Cloud and ISO 27001, 22301 compliance compliance 

Anchor
ISO27001 ISO27001

Wildix Cloud services are located in data centers that undergo ISO 27001 and ISO 22301 audits. These data centers share hosted facilities space with the world’s largest Internet companies. The geographic diversity of these locations act as an additional safeguard which minimizes the risk of service interruption due to natural disasters.

Privacy and GDPR Security

Note: Article 4 of the EU General Data Protection Regulation defines data controllers and data processors as below:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Both Wildix and all the System Integrators (Wildix Business Partners) who process data of customers residing in the European Union (regardless of whether the data processing takes place in the EU or not), are Data processors.

...

• Added CSRF attack protection via domain whitelist added in WMS Settings - PBX - Security: any WebAPI / PBX API integration will stop working if the domain is not added to the list (WMS-3985)

Frequently Asked Questions

High-level details

Access Control

...