VoIP phones can be turned into spying or money-making tools

A security vulnerability present in many enterprise-grade VoIP phones can easily be exploited by hackers to spy on employees and management, says security consultant Paul Moore.

In a less dangerous attack alternative, these compromised devices can also be made to covertly place calls to premium rate numbers operated by the attackers or their associates.

The problem

This vulnerability does not stem from a bug in the firmware, but from the fact that manufacturers of these phones often don’t require authentication to be set in the default configuration.

When they do, they often provide an easily guessable default set of credentials, and when users set up new passwords, they often accept too short passwords.

Unfortunately, those who install these devices for companies frequently forget to harden them against attacks (by setting up authentication or changing the default passwords), believing them to be relatively safe as they are behind a strong firewall.

Exploitation

With the help of two colleagues, Moore has demonstrated how easy it is to compromise a company’s VoIP phones, which are usually connected to same network that company computers are connected to.

The vulnerability is exploited via attack (JavaScript) code embedded in a site controlled by the attackers. Once the target visits the site using the company computer (e.g. is tricked into doing it through social engineering), the door is open for the attackers to take control of the VoIP phone located on the same network.

This allows the attackers to do anything they want with the phone: make, receive, and transfer calls, play recordings, upload new firmware, and turn the device into a covert spying tool.

Moore exploited the vulnerability on VoIP phones by German maker Snom, but says that they are by no means the only manufacturer whose devices are vulnerable to this kind of attack.

How to fix the problem

“If we look beyond the IP telephony sector to the industry as a whole, many companies ship devices which have no ‘default’ security… or permit the use of weak credentials which provide nothing more than a false sense of security,” he noted, and urged vendors to disable all other functionality until a suitably-secure password is set to replace it if they are forced to supply devices with “default” credentials.

“A default configuration is rarely a secure configuration,” he pointed out, and advised users and technicians tasked with setting up these devices to use strong passwords, network segregate the phones, restrict access to APIs, and regularly update firmware (and make sure to check whether the update forced a return to default settings).

While companies might still believe that nobody would go to the trouble of spying on their employees this way, “premium rate hacks” of VoIP phones are already happening and can lead to considerable losses. More details about these attacks can be found in this article by Professor Alan Woodward of Surrey University.

Don't miss