Researchers Find Method To Own VoIP Phones, Silently Listen To Any Call

Trailrunner7 writes: Researchers have uncovered a simple method for compromising some common VoIP phones, enabling them to listen to victims' calls covertly or use the phones to make expensive or fraudulent calls. The attack takes advantage of the fact that the affected phones don't have any authentication set up by default, but do have a vulnerability that is open to remote exploitation. A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack. Paul Moore, a security consultant in the U.K., detailed the problem and demonstrated an attack on a Snom 320, a popular VOIP phone.

Secure providers of business VoIP phone service should be considered for businesses looking to avoid vulnerable VoIP systems.

Re:

[The1stImmortal]

This. It's not really a voip exploit as it's just logging into a voip phone with no authentication and initiating a call. The actual exploit is getting control of the users' pc and using it to find and get into the phone. You could use the same method to get into any other device on the network, or to get the PC itself to use its mic to record stuff. This is more an indictment on the OS being compromised than the phones

Charlie is listening

[AHuxley]

Using VOIP hardware has risks and then conducting sensitive commercial or political discussions may not always be wise.
Use VOIP to talk about any product, service or policy thats out in public.
Keep sensitive discussions face to face. It might take a few hours or a 5 day round trip but it will be a bit more secure.

Re:

[ls671]

Nothing specific to voip here. The attack exploits a network attached device (IoT?) that runs a web server accessible without any form of authentication. It is just a variant of other IoT device attacks; web camera, temperature controller etc.

Shut the damned web server off on the device or at least choose a user name and password to allow access to it...

Desktop PC VoIP phone exploit ..

[tetraverse]

"A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack."

What desktop Operating System does this exploit run on?

Re:

[nine-times]

Well I think the question is, what phones are included in the list of "vulnerable phones"?

They only mention on model, the "Snom 320". So is this a problem with a particular model of phones, a particular design, or a particular protocol? Is it a widespread problem?

Re:

[amorsen]

The problem is pretty much inherent to all web-manageable VoIP phones. Which is all of them.

If they have any web-based vulnerabilities, an attacker can use any browser on the same network to exploit those vulnerabilities.

Re:

[aaarrrgggh]

Doesn't really matter; if you can sniff any traffic you can usually get the SIP authentication credentials. You can use SIPS instead, but it has issues. You can also use encryption just for the session management and keep the audio unencrypted, which will prevent spoofing credentials but not eavesdropping.

Once you have the information it is just a challenge of proxying the information out.

Narrator: A major one.

[Moskit]

Narrator: A major one.

VoIP is wide open for just about anything

[turkeydance]

so....don't use VoIP for anything.

Re:VoIP is wide open for just about anything

[aaarrrgggh]

Pretty much. We looked at the cost and challenges for encrypting SIP communications on our local LAN, and it just wasn't worth the hassle. We will segregate the phones onto a separate VLAN, but the value is limited; SIP deployments really aren't focused on security yet.

We control the financial aspect by carrier-enforced rules which prevent toll calls. Much more effective. (We do have a way to make calling card calls through our Asterisk system that is sufficiently locked down and only has $100 or so at risk.)

Re:

[kiss7]

What about SRTP and ZRTP? No segregation is needed for these to work (Will work also over the internet automatically using these encryption methods between supported endpoints). Also there are solution for companies which can handle encryption transparently such as the mizutech voip tunnel.

Re:

[sociocapitalist]

Pretty much. We looked at the cost and challenges for encrypting SIP communications on our local LAN, and it just wasn't worth the hassle. We will segregate the phones onto a separate VLAN, but the value is limited; SIP deployments really aren't focused on security yet.

We control the financial aspect by carrier-enforced rules which prevent toll calls. Much more effective. (We do have a way to make calling card calls through our Asterisk system that is sufficiently locked down and only has $100 or so at risk.)

What system are you using that doesn't inherently support SIP authentication?
http://www.voip-info.org/wiki/... [voip-info.org]

The biggest risk for most implementations is toll theft so while encryption may not be necessary you should still be able to authenticate call setup and control.

Re:

[aaarrrgggh]

The TLS implementations on our phones aren't that secure, made worse by the fact that we use TFTP server for configuration. Yes, adding in TLS isn't that hard, nor is switching to https configuration server, not really is 802.1x. There were some bugs in Asterisk that made this setup less reliable when we deployed our system, and the real issue there was working around everything to get the system working properly.

We are still small enough that these decisions were reasonable for a 5-7 year horizon, but we

Re:

[Cramer]

That's pretty much all we get from most of these "security experts". At no point do they "take over the phone" and at no point is it, in fact, covert. The phone is clearly in use the whole time. If you were making that skype call with the f'ing phone on your desk, you'd instantly know someone is dicking with it. (as you would also by simply looking at it) Yes, someone can make the phone do, well, what the phone is designed to do via the web api. As for all this OMG-firmware-upload!!!!!11!, the images are si

"German engineered"

[110010001000]

Hilarious: the web page says "Thank you for choosing Snom! German engineered!"

I'm pretty sure that VW proved that "German Engineering" didn't mean much.

Re:

[l0n3s0m3phr34k]

There WERE other brands of voip phones, but Snom has ethnically cleansed them all.

Re:

[drinkypoo]

I'm pretty sure that VW proved that "German Engineering" didn't mean much.

In der auto, it means that it will be awesome for a decade or so tops and then take all your money if you don't step away. VW only failed at diesels. Amusingly, Mazda said their diesel could meet US emissions but it would feel like a VW in performance and that wasn't good enough

Re:

[swb]

I'd say dynamically recognizing emissions testing and changing the operating parameters to pass testing and then changing back to more power for driving IS pretty sophisticated engineering.

Physical access = all bets off

[RubberDogBone]

If an intruder has physical access to your damn network, you have a LOT more to worry about than VOIP/SIP calls they might be sniffing.

So... set a password on your phone's web interface

[The-Ixian]

This sort of seems like common sense to me... not really sure that this is newsworthy...

The thing is, a lot of RTP streams are unencrypted anyway and can easily be slurped up by any packet sniffer.... right?

So, equally newsworthy would be a headline that states that open wifi hotspot maintainers can listen in on your phone calls...