VoIP Phone Users Warned About Risks of Default Settings

Voice over Internet Protocol (VoIP) phones have become increasingly popular, but many users fail to properly secure them, allowing hackers to compromise the devices and leverage them for surveillance and other malicious activities.

UK-based security consultant Paul Moore was recently hired to observe the installation of VoIP phones in a company and noticed a worrying practice that is likely present in many homes and organizations — the default settings, including default passwords, are not changed after the devices are installed.

The problem, as Moore and other experts have pointed out, is that the default configuration is rarely secure. In many cases, the administration interface of VoIP phones can be accessed with a default password, which is usually very weak (e.g. “admin”), or without any sort of authentication.

Snom VoIP phones vulnerable in default configuration

Moore conducted some experiments on a VoIP phone from Germany-based manufacturer Snom Technology. He demonstrated that an attacker who can trick a targeted user into visiting a malicious website could take over a device running the default setup.

The researcher has shown how an attacker can use the hijacked phone to silently make calls to premium numbers (i.e. the speaker is disabled and the victim only sees that a call is being made if they look at the phone’s screen). A malicious hacker could also intercept and transfer calls, play recordings, upload their own firmware, and use the device for covert surveillance.

While Moore conducted his experiments on a Snom phone, the expert noted that devices from Cisco and other vendors can also be vulnerable.

“If we look beyond the IP telephony sector to the industry as a whole, many companies ship devices which have no “default” security… or permit the use of weak credentials which provide nothing more than a false sense of security,” Moore said. “It has to stop.”

Professor Alan Woodward of Surrey University also published a blog post on the topic of hacking VoIP phones and pointed out that attackers can use the Shodan search engine and even Google to identify potentially vulnerable devices.

As Woodward has highlighted, malicious actors can also exploit vulnerabilities specific to each model in order to compromise a device. For example, over the past years, Cisco has published several advisories detailing flaws in its VoIP products.

“There is an old adage that any microphone should be treated as live. Perhaps don’t become that paranoid but please remember that if your desk phone is a VOIP phone then you need to treat it like a computer or a smart phone. It can be misappropriated by a hacker under the right (or rather the wrong) conditions,” Woodward said. “Watch for security patches and make sure they are applied, and don’t let your VOIP phone be the weak link in your security chain.”

A report published last year by Nettitude showed that VoIP attacks are on the rise and a majority of them have taken place outside office hours when it’s less likely for someone to detect the malicious activity.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
