This somewhat frightful claim has been reverberating around the inter-web the past few days. I do agree that YOUR IP phone(s) might be a candidate target for such an exploit. I’m not worried simply because my IP phones don’t suffer the particular vulnerability in question. More on that in a bit.
This claim stems from Paul Moore, a security consultant, hacking a snom 320 IP phone. He found that with the default admin credentials in place he could penetrate the phone, achieving broad control of the device. Then he used that control to do various nefarious things.
For example, he could place calls. Further, he could set up routing to send all calls via a premium service that paid him for every minute of connect time. Thereafter he’d just leave the phone on a long running call without the user ever becoming aware that it was busy. Cha-ching!
He could answer calls, even before the phone rang, then transfer the call elsewhere. He could put the phone into speakerphone mode, sending silence so as not to disturb the user, then listen to what was happening nearby. He could basically express his creativity.
Now, this isn’t nearly as bad as it seems, even for snom. The key seems to be ensuring that when the phone is deployed the administrative access is sensibly locked down. It’s the failure to restrict access to the admin functions via the network that leaves the back door swinging wide open. Duh!
Mr. Moore and associates chide companies for not forcing users to take even basic precautions to lock down the device at the point of deployment. They claim that the phone warns the user about such things, but doesn’t MAKE them change the default login, for example.
Such concerns are not new; they’ve been around as long as IP phones themselves. I recall a discussion of such things on Dan York’s old Blue Box Podcast on VoIP Security.
Myself, I am more of the “you bought it, you own it” school of thought. That is to say, if you are deploying these phones you should give this stuff some consideration. It’s on your network after all. You’re responsible. If you’re ceding responsibility to a reseller or service provider then they should take care of business. Even so, you need to ensure that they do.
In my own recent experience with newer Polycom and Grandstream devices I have found that the companies are making more of an effort to alert users to change the default credentials, both in the web interface and on the face of the device. That is to say, they nag a lot where they were previously silent on the matter. Heck, Polycom’s VVX phones now default to encrypted access to the web interface.
It is true that the continued growth of hosted SIP services has delivered an expanding fleet of SIP phones into the hands of the otherwise unsuspecting. Smart shoppers give some thought to device deployment, or select a service provider who handles this for them. For example, if you use OnSIP, as I do, and point your phones at their provisioning server, they will force the phones to take up complex new login credentials. That makes it super simple to lock down your phones. OnSIP are smart folks that way.
Of course, there can be complexities. Using their provisioning server implies that your phones register with them exclusively, which may not suit your situation. So, let’s just agree to never leave the default admin credentials in place on any device…ever!
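To make the provisioning point concrete, here is an added example that is not from the original post, from OnSIP, or from any phone vendor. It does what a sensible provisioning step should do: draw a unique, random admin password per phone from the OS CSPRNG, force HTTPS on the web interface, limit admin access to a management subnet, and audit the inventory for phones still on factory defaults or weak settings. The device records, the field names (`https_only`, `admin_allowed_from`), and the `FACTORY_DEFAULT_PLACEHOLDER` login are all constructed for the illustration; real defaults differ per vendor and model.

```python
"""Added example (not from the post): per-phone admin credential provisioning
and an inventory audit for factory-default or weak admin settings.
Every record, field name and default value below is constructed."""
import secrets
import string

# Constructed placeholder for a vendor's factory default login; real
# defaults differ per vendor and model and are not taken from the post.
FACTORY_DEFAULTS = {("admin", "FACTORY_DEFAULT_PLACEHOLDER")}

SYMBOLS = "!@#$%^&*-_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def is_complex(password, min_length=12):
    """Policy used here: minimum length and all four character classes."""
    return (len(password) >= min_length
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_admin_password(length=20):
    """Draw candidates from the OS CSPRNG (secrets) until one meets the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_complex(candidate):
            return candidate


def audit_phone(phone):
    """Return the list of problems found in one phone record (empty if clean)."""
    findings = []
    if (phone["admin_user"], phone["admin_password"]) in FACTORY_DEFAULTS:
        findings.append("factory default admin credentials")
    elif not is_complex(phone["admin_password"]):
        findings.append("weak admin password")
    if not phone["https_only"]:
        findings.append("web admin reachable over plain HTTP")
    if not phone["admin_allowed_from"]:
        findings.append("admin interface reachable from any network")
    return findings


def audit_inventory(inventory):
    """Map each phone's MAC to its findings, keeping only phones with problems."""
    report = {}
    for phone in inventory:
        findings = audit_phone(phone)
        if findings:
            report[phone["mac"]] = findings
    return report


def provision(inventory, management_subnet):
    """Produce hardened records: a unique random admin password per phone,
    HTTPS-only web admin, and admin access limited to the management subnet.
    The per-device secret belongs in that device's own provisioning config,
    never in a template shared across the fleet."""
    hardened = []
    for phone in inventory:
        record = dict(phone)
        record["admin_password"] = generate_admin_password()
        record["https_only"] = True
        record["admin_allowed_from"] = [management_subnet]
        hardened.append(record)
    return hardened


# Constructed sample inventory: one phone untouched since unboxing,
# one with a short password but otherwise sensible settings.
SAMPLE_INVENTORY = [
    {"mac": "00:11:22:33:44:01", "admin_user": "admin",
     "admin_password": "FACTORY_DEFAULT_PLACEHOLDER",
     "https_only": False, "admin_allowed_from": []},
    {"mac": "00:11:22:33:44:02", "admin_user": "admin",
     "admin_password": "Summer2015!", "https_only": True,
     "admin_allowed_from": ["10.0.99.0/24"]},
]

if __name__ == "__main__":
    for mac, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(mac, "->", "; ".join(issues))
    print("after provisioning:",
          audit_inventory(provision(SAMPLE_INVENTORY, "10.0.99.0/24")))
```

Run as-is, the audit flags the first phone on all three counts and the second for its short password; after `provision()` the same audit comes back empty. The audit reads from your own inventory records rather than probing phones, which keeps it usable as a routine check on the configuration you push, and it refuses to let a single shared password stand in for per-device secrets.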
Now that you’ve read this you know better, and you will ensure that your phones are trustworthy.