This somewhat frightful claim has been reverberating around the inter-web the past few days. I do agree that YOUR IP phone(s) might be a candidate target for such an exploit. I’m not worried simply because my IP phones don’t suffer the particular vulnerability in question. More on that in a bit.
This claim stems from Paul Moore, a security consultant, hacking a snom 320 IP phone. He found that with the default admin credentials in place he could penetrate the phone, achieving broad control of the device. Then he used that control to do various nefarious things.
For example, he could place calls. Further, he could setup routing to send all calls via a premium service that paid him for every minute of connect time. Thereafter he’d just leave the phone on a long running call without the user ever becoming aware that it was busy. Cha-ching!