This somewhat frightful claim has been reverberating around the inter-web the past few days. I do agree that YOUR IP phone(s) might be a candidate target for such an exploit. I’m not worried simply because my IP phones don’t suffer the particular vulnerability in question. More on that in a bit.
This claim stems from Paul Moore, a security consultant, hacking a snom 320 IP phone. He found that with the default admin credentials in place he could penetrate the phone, achieving broad control of the device. Then he used that control to do various nefarious things.
For example, he could place calls. Further, he could set up routing to send all calls via a premium service that paid him for every minute of connect time. Thereafter he’d just leave the phone on a long-running call without the user ever becoming aware that it was busy. Cha-ching!
You surely have a lock on your front door. Do you have such a lock on your network? You may think so, but it may well be wholly unlocked. Or at least, you may not be able to know for certain that it’s locked. If you use a commercial Wi-Fi router from your ISP, or one of the big names like Linksys, Belkin, D-Link et al, your network may not be as secure as you think.
At the outset let me state that, as someone who reads hereabouts, you’re no dummy. You’ve taken steps to ensure that the router doesn’t still have the default admin password. You’re using modern encryption on your Wi-Fi. You’re being responsible, but there are things beyond your grasp.
The simple fact is that the firmware that runs most retail, commercial routers is closed source. As such, you have no ready way to verify its behavior. Yet the manufacturer, by virtue of necessity, uses various common software modules to create their firmware. They may even use some open source modules, but end up with a closed source binary in the end.
The upshot of this reality is that you have a very small team of developers responsible for maintaining the code. That means updates come along slowly, if at all for older devices. By extension, serious security issues get addressed slowly, if they ever get addressed at all.
VUC529 on Friday, February 20th will feature Grandstream Networks addressing issues of security and surveillance. Phil Bowers, Global Marketing Communications Manager, will be discussing their range of security cameras and new NVR-3550 network video recorder. One of the key things he will highlight is the natural synergy between SIP telephony and the video surveillance requirements common to business installations.
This appearance arises in part from my own recent effort to install a couple of surveillance cameras on our property. We now have several of their GXV3672-FHD “bullet” cameras monitoring the area around our home & office. Our goal in this effort was primarily to keep watch on our vehicles, which are typically parked on the street.
This is the start of a series of posts that I’ll be crafting documenting how we came to select the gear deployed in our installation. If all goes as planned the collection will comprise a “SOHO/SMB Guide to Video Surveillance.”
Yesterday Ars Technica ran an article once again detailing how millions of consumer and SMB routers are vulnerable to exploit. This exploit, dubbed Misfortune Cookie, leaves the network open to those who would penetrate your systems and steal your personal information. The vulnerability is many years old, and the fix almost a decade old. Even so, it seems that there are still devices being offered that include the vulnerable code.
Announcements like this make me glad that we rely on well-proven, open source software for our network edge. We’ve long used m0n0wall and pfSense around here. Software such as this, running on a small single-board computer, is a compelling solution. Sure, it costs more than a bargain router from Fry's. The peace of mind is worth the extra $100.
A recent little project that I’ve been working on has used some Buffalo routers, but in that case we use those models that run DD-WRT, the open source firmware for small consumer router hardware.
There are so many great, open source solutions available. I see no reason to risk the cheesy consumer routers.
While I ordered the DoorBell Fone back in August, our extreme Houston summer kept me from completing the installation. The buried wire run out to our gate was broken and there was just no way I was going to bury a new wire in 100+ degree heat. This past weekend I was able to find the time and temperature to complete the installation.
The largest task was to completely replace the wiring from the central closet in our house out to the gate. I replaced the old-skool solid copper pair with a length of Cat-5 cable. Using Cat-5 is a bit of future-proofing. It means that I can change to a PoE-powered network device at the gate without replacing the cable again.
For the moment I’m using only one pair from the Cat-5 wiring, connecting the DoorBell Fone remote unit to the controller in the wiring closet. The total cable length is about 80 feet.
Phil is of course one of the leading lights in the world of encryption. The call features Phil speaking plainly and openly about the need for encryption and the manner of its implementation in ZRTP.
The call remains a community call, so it goes off in various directions at times, including a little Asterisk bashing. However, Phil makes a good effort to keep the call informative, making it a great listen for anyone interested in voice security.