Sod it, let’s just go back to carrier pigeons

VoIP phones running default or weak passwords can be used for secret surveillance, independent security consultant Paul Moore warns.
Moore discovered that default passwords on enterprise grade Snom VoIP phones create a means for attackers to either make calls and even spy on incoming or outgoing conversations.

Moore came across the issue when he was called in by a client in order to make recommendations on how to improve security with a wireless access points and VoIP phone installation project, carried out by third-party contractors.
Subsequent experiments by Moore on a Snom 320 VoIP phone (running firmware version showed there was no authentication of the device’s set-up console, which was available even through corporate firewalls.
Exploitation would be possible simply by visiting a site containing a hostile JavaScript payload. Any attacker would be able to comprehensively own the device, according to Moore.
Moore called in password security experts Per Thorsheim and developer Scott Helme to help him set-up a proof-of-concept demo of the problem. Thorsheim (playing the part of an attacker) embedded the exploit on a site which he controls. Meanwhile, Moore was reading Thorsheim’s site while having a private conversation with Helme, via Skype.
“Unbeknownst to me, Per [Thorsheim] has forced my VoIP phone to call his premium rate number and disabled the speaker, so unless I’m looking at the phone, I wouldn’t know it’s dialling.” Moore explains.
The trio made a video of the exploit in action (below).

[embedded content]

Moore writes: “What can the attacker do? Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially… use the device for covert surveillance.”
El Reg asked Berlin-based Snom for comment on Moore’s findings but we’re yet to hear back. We’ll update this story as and when we hear more.
The UK-based security researcher reckons similar attacks are possible against other VoIP phones that ship with default login credentials or (worse still) no authentication at all.
“If you install, use or just find yourself sat next to one of these devices, just remember… it’s basically a PC, with all the security vulnerabilities associated with them,” Moore concludes. “Don’t assume it’s safe because it’s running as the manufacturer intended; seek professional advice.”
Moore suggests various countermeasures including using strong passwords (derived from a password manager) and applying network segmentation, as explained in greater depth in a blog post here.
An article called Are you the only one using your VoIP phone?, by Professor Alan Woodward of Surrey University discussing the security issues of using VoIP devices in greater depth can be found here. ®

Building secure multi-factor authentication