Updated VoIP phones running default or weak passwords can be used for secret surveillance, independent security consultant Paul Moore warns.
Moore said he'd discovered that default passwords on enterprise grade Snom VoIP phones create a means for attackers to either make calls and even spy on incoming or outgoing conversations.
Moore came across the issue when he was called in by a client in order to make recommendations on how to improve security with a wireless access points and VoIP phone installation project, carried out by third-party contractors.
Subsequent experiments by Moore on a Snom 320 VoIP phone (running firmware version 184.108.40.206) showed there was no authentication of the device’s set-up console, which was available even through corporate firewalls.
Moore called in password security experts Per Thorsheim and developer Scott Helme to help him set-up a proof-of-concept demo of the problem. Thorsheim (playing the part of an attacker) embedded the exploit on a site which he controls. Meanwhile, Moore was reading Thorsheim's site while having a private conversation with Helme, via Skype.
“Unbeknownst to me, Per [Thorsheim] has forced my VoIP phone to call his premium rate number and disabled the speaker, so unless I'm looking at the phone, I wouldn't know it's dialling.” Moore explains.
The trio made a video of the exploit in action (below).
Moore writes: “What can the attacker do? Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially... use the device for covert surveillance.”
The UK-based security researcher reckons similar attacks are possible against other VoIP phones that ship with default login credentials or (worse still) no authentication at all.
“If you install, use or just find yourself sat next to one of these devices, just remember... it's basically a PC, with all the security vulnerabilities associated with them,” Moore concludes. “Don't assume it's safe because it's running as the manufacturer intended; seek professional advice.”
Moore suggests various countermeasures including using strong passwords (derived from a password manager) and applying network segmentation, as explained in greater depth in a blog post here.
An article called Are you the only one using your VoIP phone?, by Professor Alan Woodward of Surrey University discussing the security issues of using VoIP devices in greater depth can be found here. ®
Snom has been in touch since the publication of this story to say the tests had been done with an old version of its software, which was a beta. Moore told us that the outdated firmware was marked as the latest version, adding that he was going to redo the tests with the latest version of the software.
Updated on 17/02/16 at 10.05 UTC to add
The researchers (Moore and Thorsheim) have now tested the actual "latest" version 220.127.116.11, and confirmed that it too is vulnerable in exactly the same way. "There's a greater emphasis during the setup process to follow correct procedures, but again, they're not enforced," Moore told El Reg.
Snom disputed the significance of Moore's findings. A spokesman argued that all the researchers have established is there is no password on factory-reset versions of its VoIP phone, something it never denied.