Security Policy at Wildix

This document provides information on built-in security features of the Wildix system, ISO compliance and GDPR.

Updated: July 2023

Permalink: https://wildix.atlassian.net/wiki/x/pQvOAQ

Security is a top priority for Wildix and all the security features are built-in inside the product, which means the Wildix System is Secure By Design and security is not delegated to third party devices.

All Wildix products are regularly controlled for security breaches and upgrades are made available whenever any breaches are discovered in Wildix services or in third party libraries used by the system.

Security measures in place

We support the following security and encryption protocols and reporting tools:

  • Single Sign-On with Active Directory, Google, Microsoft Office 365

  • 2 Factor Authentication when using Google, Microsoft Office 365 Single Sign-On

  • SHA-512 hashing + salt, for storing user passwords securely

  • TLS encryption of HTTPS traffic to the PBX, screen sharing sessions, Wizyconf conferences

  • SIP TLS - SIP signalling over TLS

  • SRTP - SDES-AES 128 encryption of voice / audio, including Wizyconf conferences

  • DTLS-SRTP - TLS encryption of voice / audio, including Wizyconf conferences

  • VPN AES encrypted traffic between PBXs

  • LDAP via TLS

  • SMTP / IMAP / POP3 connections over TLS

  • SSH console access

  • Intrusion detection over all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)

  • DoS protection over all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)

  • SIP SBC built in

  • Protection against cross-site request forgery (CSRF) attacks

  • Requirement for secure passwords

  • Support for Zabbix monitoring

  • Report of intrusion attempts detected within the System

All these security measures are enabled by default on all Wildix Phones and Media Gateways connected to the system. All Wildix Phones and Media Gateways cannot be accessed by using Master Passwords.

Check of certificates

PBX certificates and licenses are checked daily. The PBX TLS certificates are generated automatically and updated every two months if the PBX is reachable via the internet via https. In case the PBX is not reachable via internet, a certificate must be loaded manually and then updated before its expiration. The daily check makes sure that:

  • the system is running with valid certificates (this means that all the customers are communicating without the risk of their communications being intercepted)
  • the system has not been duplicated (this prevents the risk of a man-in-the-middle attack)
  • the software version running on the system is not known for security issues, otherwise an alert informs the system administrator that the system must be upgraded (failing to do so can lead to the system to disable certain features that were detected as the ones that could expose the system to risk)
  • the system is running within acceptable performance parameters (memory and CPU), otherwise an alert informs the system administrator that the underlying HW or Virtual environment must be improved

Technical details:

  • The check is executed daily at a random time, this can be modified to run at a regular time or day of the week
  • The connection is made to the server api.wildix.com; optionally via an http proxy
  • The protocol used is based on HTTPS with high level encryption, no incoming connection is needed for the system check to work; the protocol can also work through a customer’s web proxy
  • The average data size exchanged on the connection is 2 Kb daily
  • The system ignores a failed connection attempt for up to 14 days; it is possible to keep the system offline and reconnect it to the Internet at least once every two weeks
  • After 14 days offline the system limits available features to guarantee the customer safety. An alert is given to the users of the system. To restore a full operational system it is sufficient to permit the outbound connection and sync licenses in WMS (Refresh via Internet option on the page Activation / Licenses)

2FA and location-based MFA security methods

Two-factor (2FA) and multi-factor authentications (MFA) are security mechanisms that require users to provide two or more means of identification before accessing a system or application. At Wildix, we support methods that include authentication via email, SMS, external applications, and location-based authentication:

  • Email and SMS-based 2FA involve sending a unique code to user's email or mobile device. After receiving the code, users need to enter it for access to Collaboration
  • External applications, such as Google Authenticator or Windows Phone Authenticator, generate a time-based one-time password (TOTP) that users enter to authenticate for access to Collaboration
  • Location-based MFA works by using users' location to confirm their identity. This method relies on their physical location, determined by their IP address. If the IP address appears to be from an unfamiliar location, users need to confirm the IP address via email

The main difference between location-based MFA and other forms of 2FA is that the former is implemented at the system level, meaning it is enabled for the entire PBX. This means that all users who access the system are required to complete the location-based MFA process. 2FA via email, SMS, or external application is typically enabled by individual users on their own accounts. This means that users can choose to enable 2FA on their own accounts as an additional layer of security, and, if required, it can also be enforced by an admin via WMS.

WebRTC Security

Wildix Wizyconf videoconference, same as Wildix WebRTC phone in Collaboration use WebRTC for audio and video communications. WebRTC was born as open source project and is still under active development, however security measures were in place from the very beginning. WebRTC offers security "out-of-the-box" and in fact, this is one of the reasons why Wildix opted for WebRTC back in 2012 when we launched the Kite project and then, in 2015, we made it our technological choice, when we released the first WebRTC phone available directly in Collaboration web interface.

Here are several important points about WebRTC security: 

  • WebRTC is not a plugin or a program installed on PC, security of WebRTC is contained directly within the browser (and, by the way, browser vendors take security seriously)
  • No installation or upgrade of components is required, in case user's PC is infected by a virus or spyware, WebRTC communications are not affected by this
  • If any security threat is found, it normally gets fixed very quickly and becomes available at once, user doesn't have to wait for it and install it, all WebRTC components are offered as part of a browser and they are updated as soon as the browser is updated (by the way, most modern browsers auto-update themselves)
  • There is no way some website could use microphone and webcam without user's permission, since WebRTC application requires the user to explicitly give permission to use camera or microphone (in addition, WebRTC applications explicitly show to the user when the microphone or camera are being used)
  • All media streams sent via WebRTC are encrypted using DTLS and SRTP making wiretapping, tampering and eavesdropping impossible (so-called "handshakes" are performed between the parties who are establishing a communication) 
  • In case servers are used (e.g. TURN), they do not decode the application data layer and do not touch DTLS encryption, they cannot modify or get access to the information that is exchanged between the peers 

To learn more about WebRTC security:

Security vulnerabilities report

Vulnerabilities and questions about privacy must be communicated using the following email security@wildix.com, we have a Bug Bounty Program in place. The reward will depend on the importance of the problem found. See Wildix Bug Bounty Program document for more details. 

Reasons to contact us at security@wildix.com:

  • I’m experiencing a security problem with my Wildix account

  • I want to report a technical security bug in a Wildix product (WMS, Collaboration, WMP, Kite, Wizyconf, WP, iOS / Android Wildix apps)

  • I have a privacy doubt or a privacy-related question about Wildix products and services

Wildix Cloud and ISO 27001, 22301 compliance 

Wildix Cloud services are located in data centers that undergo ISO 27001 and ISO 22301 audits. These data centers share hosted facilities space with the world’s largest Internet companies. The geographic diversity of these locations act as an additional safeguard which minimizes the risk of service interruption due to natural disasters.

Privacy and GDPR Security

Note: Article 4 of the EU General Data Protection Regulation defines data controllers and data processors as below:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Both Wildix and all the System Integrators (Wildix Business Partners) who process data of customers residing in the European Union (regardless of whether the data processing takes place in the EU or not), are Data processors.

In regards to GDPR that comes in force in 25 May 2018, Wildix provides many features which are automatically active or that can be activated to make sure the services provided by Wildix and Wildix Business Partners comply with GDPR requirements:

  • SIP Proxy logging: information about new SIP registrations (from user, from name, user agent) is now logged with default debug level (WMS-4295)

  • Collaboration / WMS connections logging: information about connections is now written to syslog (remote IP, port, username, auth method, login / logout / login failed) (WMS-3986)

  • Added the possibility to use Remote syslog (Rsyslog) in addition to local syslog (WMS-3987)

    • Records containing personal data must be treated with caution, by introducing a remote syslog you make sure that in the event your system has been hacked, 1) a hacker doesn’t get access to the syslog 2) a hacker does not delete the syslog

  • All conference recordings and files are automatically deleted after 6 months (WMS-4347)

    • GDPR - Right to be forgotten

  • Added an option to auto-delete CDR, chats / Kite chats, voicemails and call recordings in WMS Settings -> PBX -> Call and chat history after a period of time (WMS-4090; WMS-4084)

    • GDPR - Right to be forgotten

  • Added the possibility to delete all contacts from the phonebook in WMS -> Users -> Phonebooks (WMS-3901)
    • GDPR - Right to be forgotten

  • Files shared via the system are automatically deleted after 6 months

    • GDPR - Right to be forgotten

  • Contacts imported from Outlook / Google are automatically deleted

    • GDPR - Right to be forgotten

  • Contacts, previously imported from an external database / backend via WMS are automatically deleted, if not received during the cron job (existed always, to implement - check the box “Remove existing contacts which are not received from the backend” in WMS - Users - Phonebooks - Import)

    • GDPR - Right to be forgotten

  • Added CSRF attack protection via domain whitelist added in WMS Settings - PBX - Security: any WebAPI / PBX API integration will stop working if the domain is not added to the list (WMS-3985)

Frequently Asked Questions

High-level details

QuestionsAnswers

What are the information flows within the system and between it and other services?

  • Data flows from a PBX to remote customer sites and flows to the operator if you have a SIP trunk.
  • Interconnection with other services: Ports used by Wildix services

What are the principle methods of transporting information? 

  • HTTP:80
  • HTTPS:443

Note: 80 and 443 ports can be changed.

Are the data shared with any other third parties?

No.

What firewalls or network control  measures are used to  protect the system/data?

SIP firewall in PBX and high  security by design with passwords and 2factors protection. Data  firewall remains important on  remote site.

Is the system ISO 27001 compliant?

Yes. See this chapter.


Access Control

QuestionsAnswers

Which access methods are available to access the system?

  • One super admin access
  • One strong password by user

Note: Details can be found in WMS Start Guide.

What system enforced password settings are active for users?  

  • Password Minimum length/ Complexity 
  • Password Change Interval
  • Lockout (after incorrect password entries)
  • Encrypted passwords
  • Recommended 12 characters, at least one capital letter, one special character, one number. Change every 6 months.
  • For the lockout, 3 attempts banned for 1 hour to start over. There is two-factor authentication on top of that


What additional measures are in place to secure administrator accounts. (e.g. stronger passwords or crypto keys required to access systems)

  • 1 unique access
  • Recommended 12 characters, at least one capital letter, one special character, one number

Is two-factor auth mandatory?

It can be mandatory, managed by ACL rules.

How does the system hand out the necessary privileges for users to gain the correct access to information? How does it prevent access to the wrong material?

Admin can limit/ allow access to certain PBX services and features by ACL rules.

How can unauthorised access be detected?

  • Visible in logs
  • Protection by automatic backups
  • Protection by ACL groups

What logs are kept of successful/ unsuccessful usage attempts?

System logs (including all attempts).


Disaster recovery and backups 

QuestionsAnswers
What method is used to secure archive historic material and data?

Automatic backups configuration.

Note: Consult WMS Start Guide for details.

How the system is restored (either from backup or a rebuild  from scratch) to a known working  state?
  • Possible restoration in other system with backup file
  • Possible failover 
What is the backup retention period?

Two weeks for a snapshot, the snapshots are scheduled weekly on Sunday evenings. 

PBX configuration backups can be taken daily / weekly / monthly from the PBX’s WMS interface.

Is there a testing processed for backups? How often do you test the restoration process?

Configuration backups can be restored through the WMS interface, these are tested regularly. 

A snapshot backup can also be restored through a request in critical instances via our SRE team.

How do you secure against:

  • Power outage
  • Single points of failure
  • Unavailability of critical staff
  • Unsatisfactory maintenance of equipment
  • Failure of equipment/  software

Wildix advices to activate warranty.



Data Privacy

QuestionsAnswers

What data does the system store?

Chat history and calls stats in CDR-View.
What User Generated Content does the system collect and/ or host?
  • Chat and calls history
  • Possibility for user to add contacts in phonebooks

Note: Chat, calls or phonebooks modification can be forbidden by ACL rules.

What security measures are in place to protect the data?

Encryption at rest is implemented with a separate key for each single tenant. It encrypts Block Object Storage. This means data could not be used in the case of someone having access to the Storage with elevated permissions.

What are the data retention time limits implemented by  Wildix with regards to personal data at stake?

The maximum retention period of any client system operational activity data that may contain personal information is 2 months. At the same time, we make every reasonable effort to clean up the data we are storing.

An exception is financial/billing data stored in a period according to the legal issues of the company's residential country.

How is the data archived and where? As the retention period of operational data is only 2 months, we don't archive it, using sharding to ensure integrity and fault tolerance.
How the data is destroyed when no longer needed and what data retention periods are observed?
  • Data can be destroyed when needed
  • Possible to remove data every months...
Do you have any modus operandi? 

No, but we use OWASP procedures as an approach to describe threat agents in threat modeling and risk rating procedures.

There are these procedures:


System Web Security 

QuestionsAnswers

Are users required to login? Is this login over a secure link?

Yes, users are required to login, login via HTTPS.

What are other data transfers/ connections between users' browsers and the system?

Check the doc Ports used by Wildix services.

From which solution stack does the system consist?

Check the doc Legal Notice PBX.

What is your approach for identifying applicable security patches and applying the system? 

Full security package with recurrent licences: Wildix Terms and Conditions.
Are contacts with relevant authorities (CNIL, CISA, NIST…) and special interest groups (OWASP, FIC, RSA, DEF CON…) maintained?Wildix is in touch with OWASP Foundation and uses the OWASP SAMM in development.

What processes do you have in place to minimise the risk of these issues according tOWASP list:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

The processes are present in Wildix Terms and Conditions.

How are security incidents managed and reported?

Wildix SRE Engineers perform continuous system monitoring 24/7, investigate crash reports, and intervene in case a problem with any client PBX has been revealed by the monitoring system. In case a problem has been revealed, the following actions are undertaken:

  • Identify the CoS of the issue; issues which have been identified as Critical are immediately taken into analysis, even if revealed outside Support Hours
  • Find all the information related to the PBX, including Serial, Country, Partner, information about the issue
  • Partner is contacted by creating a ticket or by phone
Is knowledge from previous incidents used to reduce the likelihood or impact of future incidents?Yes, review of previous security incidents is the basement to improve procedures.

Are any vulnerability scanning or penetration testing carried out?

Penetration tests are performed yearly and security reports summaries are released on request after signing an NDA to existing customers.

Do you implement daily Antivirus scans across all systems and a patch management procedure to patch vulnerabilities with a CVSS3 score at 4 or above without undue delay?We constantly apply security upgrades for all components within the Wildix PBX and components are very mature. By default, we do not allow elevated permissions on our PBXs and malicious software cannot be installed. Wildix PBXs are monitor 24/7 for malicious activity and are blocked by default through our inbuilt SBC and other security mechanisms.

How have you ensured the data links to the web server are adequate for traffic volumes anticipated? Have you tested under anticipated load?

  • Test with 5000 users / 600 concurrent calls
  • Wildix recommend 100 kb symmetric per call