VoIP Phone Users Warned About Risks of Default Settings

Voice over Internet Protocol (VoIP) phones have become increasingly popular, but many users fail to properly secure them, allowing hackers to compromise the devices and leverage them for surveillance and other malicious activities.

UK-based security consultant Paul Moore was recently hired to observe the installation of VoIP phones in a company and noticed a worrying practice that is likely present in many homes and organizations — the default settings, including default passwords, are not changed after the devices are installed.

The problem, as Moore and other experts have pointed out, is that the default configuration is rarely secure. In many cases, the administration interface of VoIP phones can be accessed with a default password, which is usually very weak (e.g. “admin”), or without any sort of authentication.

Snom VoIP phones vulnerable in default configuration

Moore conducted some experiments on a VoIP phone from Germany-based manufacturer Snom Technology. He demonstrated that an attacker who can trick a targeted user into visiting a malicious website could take over a device running the default setup.

The researcher has shown how an attacker can use the hijacked phone to silently make calls to premium numbers (i.e. the speaker is disabled and the victim only sees that a call is being made if they look at the phone’s screen). A malicious hacker could also intercept and transfer calls, play recordings, upload their own firmware, and use the device for covert surveillance.

While Moore conducted his experiments on a Snom phone, the expert noted that devices from Cisco and other vendors can also be vulnerable.

“If we look beyond the IP telephony sector to the industry as a whole, many companies ship devices which have no “default” security… or permit the use of weak credentials which provide nothing more than a false sense of security,” Moore said. “It has to stop.”

Professor Alan Woodward of Surrey University also published a blog post on the topic of hacking VoIP phones and pointed out that attackers can use the Shodan search engine and even Google to identify potentially vulnerable devices.

As Woodward has highlighted, malicious actors can also exploit vulnerabilities specific to each model in order to compromise a device. For example, over the past years, Cisco has published several advisories detailing flaws in its VoIP products.

“There is an old adage that any microphone should be treated as live. Perhaps don’t become that paranoid but please remember that if your desk phone is a VOIP phone then you need to treat it like a computer or a smart phone. It can be misappropriated by a hacker under the right (or rather the wrong) conditions,” Woodward said. “Watch for security patches and make sure they are applied, and don’t let your VOIP phone be the weak link in your security chain.”

A report published last year by Nettitude showed that VoIP attacks are on the rise and a majority of them have taken place outside office hours when it’s less likely for someone to detect the malicious activity.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
