14 DAY TRIAL // An attacker can exploit VoIP phones, even behind a firewall, to hijack the target's telephone line to make calls and even spy on incoming or outgoing conversations, independent British security researcher Paul Moore reports.
As with any device these days, such as routers and IoT devices, VoIP phones come with a fully working configuration panel accessible via HTTP.
Asked to review the security measures employed during the installation of several wireless access points & VoIP phones inside a local company, Mr. Moore discovered that the Snom 320 VoIP phone wasn't using a password to protect its default configuration panel.
This meant that anyone who knew that a Snom VoIP phone was running inside a specific company could attempt to access the phone's settings panel, hoping the people who installed it failed to set up a password for the device.
Mr. Moore hacked a Snom VoIP phone to prove a point
Exactly this scenario Mr. Moore observed at the company he was auditing, with staff members postponing the task of changing the default passwords provided with these devices, which, in case they were present, were trivial combinations like "admin/admin."
When he confronted the crew, Mr. Moore was told that the devices would be behind a firewall, which in theory should protect them from cyber-attacks coming from the outside.
To his credit, Mr. Moore proved this myth wrong by staging a fake attack during which all he had to do was fool a staff member into accessing a malicious site that was hosting a specifically crafted exploit.
This granted him access to the VoIP phone's admin panel, where he was able to start calls to premium numbers, causing a (small) financial loss for the company, upload new firmware, but also listen in on conversations.
Many IT professionals still fail to change or set up default passwords
The problem of default credentials for various types of devices is a well-known one. Attackers have been using this weakness in the overall security state of various network equipment for years.
The recommended action for all IT professionals is to immediately change the default password of any device at the moment they set it up.
Mr. Moore's advice, on the other hand, is for the vendors themselves: "Vendors - If you must supply devices with 'default' credentials, disable all other functionality until a suitably-secure password is set to replace it."
A proof-of-concept of the attack scenario was recorded on video and can be viewed below.
