A simple exploit has been discovered that allows an attacker to leverage the weak default passwords of a Voice over IP (VoIP) phone in order to eavesdrop on conversations.
Security consultant Paul Moore writes on his website that he first came up with the idea when he was asked to observe a company’s installation of several wireless access points and VoIP phones as well as provide recommendations on how to harden the access points’ security.
Despite the fact that the organization was fitting enterprise-grade Cisco, Snom and Ubiquiti UniFi equipment, the personnel with whom Moore was working agreed that there was no immediate need to change the VoIP phones’ default credentials.
“We’ll just use defaults, for now,” Moore quotes them to have said. “That password will do, for now.”
It was then that the security consultant decided to see just how insecure a VoIP phone’s default settings are.
Little did he know what surprise lay in store.
After resetting a Snom 320 VoIP phone back to its default factory settings, Moore found that the product was fitted with no authentication whatsoever - in other words, no password at all was required. Additionally, it would have accepted a single-character password as a replacement!
Some might argue that these weaknesses are offset if the VoIP phone is placed behind a firewall. But as Moore has recently revealed, that is simply not the case.
With the help of two other members of the security community, Per Thorsheim and Scott Helme, Moore demonstrated that all an attacker needs to do is trick the VoIP user into visiting a malicious website on which an exploit payload is hosted.
That’s essentially all it takes for an attacker to listen in to a user’s web phone conversations, as the video below shows:
As Moore explains, an attacker could even exploit the device to spy upon targets even when they are not using the phone:
“Unbeknownst to me, Per has forced my VoIP phone to call his premium rate number and disabled the speaker, so unless I’m looking at the phone, I wouldn’t know it’s dialing. What can the attacker do [next]? Virtually anything. Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially… use the device for covert surveillance.”
Given the number of VoIP phones in use today, Moore urges that if vendors must ship devices with “default” credentials, then they must “disable all other functionality until a suitably-secure password is set to replace it”.
He also cautions ordinary users and IT personnel to treat VoIP phones as just another computer with the same type of security vulnerabilities. Therefore, strong passwords, network segregation, and regular firmware updates are all highly recommended for added security.