Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

VoIP Phone Users Warned About Risks of Default Settings

Voice over Internet Protocol (VoIP) phones have become increasingly popular, but many users fail to properly secure them, allowing hackers to compromise the devices and leverage them for surveillance and other malicious activities.

Voice over Internet Protocol (VoIP) phones have become increasingly popular, but many users fail to properly secure them, allowing hackers to compromise the devices and leverage them for surveillance and other malicious activities.

UK-based security consultant Paul Moore was recently hired to observe the installation of VoIP phones in a company and noticed a worrying practice that is likely present in many homes and organizations — the default settings, including default passwords, are not changed after the devices are installed.

The problem, as Moore and other experts have pointed out, is that the default configuration is rarely secure. In many cases, the administration interface of VoIP phones can be accessed with a default password, which is usually very weak (e.g. “admin”), or without any sort of authentication.

Snom VoIP phones vulnerable in default configuration

Moore conducted some experiments on a VoIP phone from Germany-based manufacturer SnomTechnology. He demonstrated that an attacker who can trick a targeted user into visiting a malicious website could take over a device running the default setup.

The researcher has showed how an attacker can use the hijacked phone to silently make calls to premium numbers (i.e. the speaker is disabled and the victim only sees that a call is being made if they look at the phone’s screen). A malicious hacker could also intercept and transfer calls, play recordings, upload their own firmware, and use the device for covert surveillance.

While Moore conducted his experiments on a Snom phone, the expert noted that devices from Cisco and other vendors can also be vulnerable.

“If we look beyond the IP telephony sector to the industry as a whole, many companies ship devices which have no “default” security… or permit the use of weak credentials which provide nothing more than a false sense of security,” Moore said. “It has to stop.”

Professor Alan Woodward of Surrey University also published a blog post on the topic of hacking VoIP phones and pointed out that attackers can use the Shodan search engine and even Google to identify potentially vulnerable devices.

Advertisement. Scroll to continue reading.

As Woodward has highlighted, malicious actors can also exploit vulnerabilities specific to each model in order to compromise a device. For example, over the past years, Cisco has published several advisories detailing flaws in its VoIP products.

“There is an old adage that any microphone should be treated as live. Perhaps don’t become that paranoid but please remember that if your desk phone is a VOIP phone then you need to treat it like a computer or a smart phone. It can be misappropriated by a hacker under the right (or rather the wrong) conditions,” Woodward said. “Watch for security patches and make sure they are applied, and don’t let your VOIP phone be the weak link in your security chain.”

A report published last year by Nettitude showed that VoIP attacks are on the rise and a majority of them have taken place outside office hours when it’s less likely for someone to detect the malicious activity.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.