IP freely? Your VoIP phone can become a covert spy tool...

Sod it, let's just go back to carrier pigeons

Updated: VoIP phones running default or weak passwords can be used for secret surveillance, independent security consultant Paul Moore warns.

Moore said he'd discovered that default passwords on enterprise-grade Snom VoIP phones create a means for attackers to make calls or even spy on incoming or outgoing conversations.

Moore came across the issue when he was called in by a client to make recommendations on how to improve security for a wireless access point and VoIP phone installation project, carried out by third-party contractors.

Subsequent experiments by Moore on a Snom 320 VoIP phone (running firmware version showed there was no authentication of the device’s set-up console, which was available even through corporate firewalls.

Exploitation would be possible simply by visiting a site containing a hostile JavaScript payload. Any attacker would be able to comprehensively own the device, according to Moore.

Moore called in password security expert Per Thorsheim and developer Scott Helme to help him set up a proof-of-concept demo of the problem. Thorsheim (playing the part of an attacker) embedded the exploit on a site which he controls. Meanwhile, Moore was reading Thorsheim's site while having a private conversation with Helme, via Skype.

“Unbeknownst to me, Per [Thorsheim] has forced my VoIP phone to call his premium rate number and disabled the speaker, so unless I'm looking at the phone, I wouldn't know it's dialling,” Moore explains.

The trio made a video of the exploit in action.

Moore writes: “What can the attacker do? Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially... use the device for covert surveillance.”

The UK-based security researcher reckons similar attacks are possible against other VoIP phones that ship with default login credentials or (worse still) no authentication at all.

“If you install, use or just find yourself sat next to one of these devices, just remember... it's basically a PC, with all the security vulnerabilities associated with them,” Moore concludes. “Don't assume it's safe because it's running as the manufacturer intended; seek professional advice.”

Moore suggests various countermeasures including using strong passwords (derived from a password manager) and applying network segmentation, as explained in greater depth in a blog post.

An article called "Are you the only one using your VoIP phone?" by Professor Alan Woodward of Surrey University discusses the security issues of using VoIP devices in greater depth. ®


Snom has been in touch since the publication of this story to say the tests had been done with an old version of its software, which was a beta. Moore told us that the outdated firmware was marked as the latest version, adding that he was going to redo the tests with the latest version of the software.

Updated on 17/02/16 at 10.05 UTC to add

The researchers (Moore and Thorsheim) have now tested the actual "latest" version, and confirmed that it too is vulnerable in exactly the same way. "There's a greater emphasis during the setup process to follow correct procedures, but again, they're not enforced," Moore told El Reg.

Snom disputed the significance of Moore's findings. A spokesman argued that all the researchers have established is there is no password on factory-reset versions of its VoIP phone, something it never denied.
