Voice over Internet Protocol (VoIP) phones have become increasingly popular, but many users fail to properly secure them, allowing hackers to compromise the devices and leverage them for surveillance and other malicious activities.
UK-based security consultant Paul Moore was recently hired to observe the installation of VoIP phones in a company and noticed a worrying practice that is likely present in many homes and organizations — the default settings, including default passwords, are not changed after the devices are installed.
The problem, as Moore and other experts have pointed out, is that the default configuration is rarely secure. In many cases, the administration interface of VoIP phones can be accessed with a default password, which is usually very weak (e.g. “admin”), or without any sort of authentication.
Moore conducted some experiments on a VoIP phone from Germany-based manufacturer SnomTechnology. He demonstrated that an attacker who can trick a targeted user into visiting a malicious website could take over a device running the default setup.
The researcher has showed how an attacker can use the hijacked phone to silently make calls to premium numbers (i.e. the speaker is disabled and the victim only sees that a call is being made if they look at the phone’s screen). A malicious hacker could also intercept and transfer calls, play recordings, upload their own firmware, and use the device for covert surveillance.
While Moore conducted his experiments on a Snom phone, the expert noted that devices from Cisco and other vendors can also be vulnerable.
“If we look beyond the IP telephony sector to the industry as a whole, many companies ship devices which have no "default" security... or permit the use of weak credentials which provide nothing more than a false sense of security,” Moore said. “It has to stop.”
Professor Alan Woodward of Surrey University also published a blog post on the topic of hacking VoIP phones and pointed out that attackers can use the Shodan search engine and even Google to identify potentially vulnerable devices.
As Woodward has highlighted, malicious actors can also exploit vulnerabilities specific to each model in order to compromise a device. For example, over the past years, Cisco has published several advisories detailing flaws in its VoIP products.
“There is an old adage that any microphone should be treated as live. Perhaps don't become that paranoid but please remember that if your desk phone is a VOIP phone then you need to treat it like a computer or a smart phone. It can be misappropriated by a hacker under the right (or rather the wrong) conditions,” Woodward said. “Watch for security patches and make sure they are applied, and don't let your VOIP phone be the weak link in your security chain.”
A report published last year by Nettitude showed that VoIP attacks are on the rise and a majority of them have taken place outside office hours when it’s less likely for someone to detect the malicious activity.