Data Loss , Fraud , Messaging

VoIP Phones: Eavesdropping Alert

Default Settings Pose Surveillance, Fraud Risks, Experts Warn
VoIP Phones: Eavesdropping Alert

Too many voice over IP devices being used in enterprise environments have well-known default passwords or no security at all, thus leaving organizations at risk from covert surveillance and toll-fraud scammers.

See Also: 2016 State of Threat Intelligence Study

That warning comes via information security consultant Paul Moore, who's part of consultancy Urity Group. He warns that many VoIP devices built by the likes of Cisco and Snom can be easily exploited with just a couple of lines of JavaScript - which he's declined to publish - if they use the devices' default security settings. Once attackers compromise a device, they can monitor or reroute all calls, surreptitiously activate microphones built into the device to listen to what's being said locally, or upload malicious firmware, amongst other potential attacks.

The proof-of-concept JavaScript attack exploit relies on the phone's IP address being known, Moore tells Information Security Media Group. "A real-world exploit - where the phone's IP isn't known - is closer to 20 lines with error checking, etc. The aim isn't to facilitate an attack, but to raise awareness of how simple one would be."

Neither Snom nor Cisco immediately responded to a request for comment.

"This should be something large organizations should be aware of as they rush to install VoIP-based phone systems," University of Surrey computer science professor Alan Woodward tells ISMG.

Proof-of-Concept VoIP Hack Bypasses Firewall

To demonstrate the risk posed by VoIP devices that use default credentials, Moore crafted a proof-of-concept attack against a Snom 320 VoIP phone running 8.7.5.13 firmware using "default" settings, which was located behind an enterprise firewall. The attack works by tricking a target who's using the same network into visiting a website that hosts the malicious JavaScript.

"For the attack to be successful, the PC must be able to communicate with the VoIP device ... which is effectively still possible over WAN/LAN or VLAN, depending on the network configuration," Moore says. "If the PC and phone are on different physical or virtual networks with no direct access to each other, the attack would fail."

A demonstration of how the "PwnPhone" attack against a Snom 320, with default settings, could be used to conduct covert surveillance or toll call fraud.

Moore says he has shared related vulnerability details with Snom, but notes that the attack would also work against some Cisco VoIP devices. Cisco has confirmed a related vulnerability - CVE-2015-0670 - affects some Cisco Small Business IP phones, but so far has released no patches.

One exploit caveat, Moore adds, is that while Snom devices can be set to silent mode - thus hiding any evidence of an in-progress attack - Cisco devices would light up, potentially giving the attack away. In addition, while the firmware in Snom devices can be remotely flashed, he doesn't believe that's possible with Cisco devices.

Danger by Default

Moore says he created the proof-of-concept exploit after recently advising a firm about how to better secure the access points and VoIP phones it deploys. Moore didn't name the firm he audited, but notes that it hasn't shied away from installing enterprise-grade gear from the likes of Cisco, Snom and Ubiquiti Networks. But in the rush to get devices deployed quickly and easily, he found an alarming IT ethos, which he summarizes accordingly: "We'll just use defaults, for now. That password will do, for now."

This isn't the first time that security experts have warned about the danger of using default Internet of Things device settings (see Router Hacks: Who's Responsible?). "A default configuration is only intended to restore a device to a 'default' state, such that a competent installer can configure it to meet the client's needs," Moore says. In the case of Snom devices, furthermore, the default state doesn't require any authentication to take control of the device. Instead, the device's initial configuration page flashes a small warning at the top: "HTTP Password not set!" But the configuration does not require that a password be set to continue, Moore says, adding that if a password does get set, the firmware will accept even a single character or number as a valid password.

Contrast those unsecured-by-default access controls with the potential damage. "What can the attacker do?" asks Moore. "Virtually anything. Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially ... use the device for covert surveillance."

Attacks Against Telephony Infrastructure

Attacks against enterprise telephony infrastructure date from the days of the pre-VoIP private branch exchange (PBX) networks installed inside enterprises. "I investigated a few crimes where the systems' answerphone was left in default and used to ring high cost [numbers]," says Ian Darlington, a retired police officer who's now part of cybersecurity investigation services firm CyberCSI, via Twitter.

Related fraud schemes can be tough to detect. "This type of premium rate hack is conducted almost exclusively out of hours, i.e. when no one is likely to be at their desk, so that the first time it might be noticed is when the company receives the bill," says Woodward - who also advises the EU's law enforcement intelligence agency, Europol, on cybersecurity - in a blog post. "They may be greedy but these criminals are not stupid. ... And of course, the hackers could be really nasty and record whatever audio is within range of the handset and charge you a premium rate for the privilege: espionage where the motive is obscured, even if it is detected."

Attackers can also potentially exploit devices using more than just default or missing access credentials. For example, a June 2015 study from cybersecurity consultancy Nettitude cataloged an increase in attacks against VoIP devices in the first three months of 2015, and not just against session initiation protocol (SIP), which is the communications protocol used for most VoIP calls, and which can handle voice, video and instant messaging via IP networks. Indeed, attackers were also targeting HTTP, Web proxies, telnet, RDP and other protocols that were active on the devices.

"One really has to wonder why some of these are running on a 'phone,'" Woodward says.

VoIP Attack: Defenses

To better lock down VoIP devices against attacks, Moore offers four recommendations:

  • Use strong passwords that get generated from - and stored in - a password manager;
  • Run phones only on segmented networks whenever possible, for example via a VLAN;
  • Restrict access to all device APIs, "even if they're only used internally," he says;
  • Watch for - and install - new firmware for devices on a regular basis, but beware in case upgrades revert the devices to unsecure "default" settings.

Shodan Risk

Because VoIP devices are typically connected to the public Internet, attackers can potentially index them using the search engine Shodan, which was designed to find specific types of Internet-connected devices and configurations. It offers the ability to find Internet-accessible VoIP devices running versions of firmware that have known vulnerabilities, such as using unsecure settings by default.

Woodward says the risks posed by unsecured VoIP devices are a reminder of the ways in which any Internet-connected "thing" might be misused. "There is an old adage that any microphone should be treated as live," he says. "Perhaps don't become that paranoid but please remember that if your desk phone is a VoIP phone then you need to treat it like a computer or a smartphone. It can be misappropriated by hackers under the right - or rather the wrong - conditions. Watch for security patches and make sure they are applied, and don't let your VoIP phone be the weak link in your security chain."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network