This somewhat frightful claim has been reverberating around the inter-web for the past few days. I do agree that YOUR IP phone(s) might be a candidate target for such an exploit. I’m not worried simply because my IP phones don’t suffer from the particular vulnerability in question. More on that in a bit.
This claim stems from Paul Moore, a security consultant, hacking a snom 320 IP phone. He found that, with the default admin credentials still in place, he could log into the phone and gain broad control of the device. He then used that control to do various nefarious things.
For example, he could place calls. Further, he could set up call routing so that all calls went via a premium-rate service that paid him for every minute of connect time. He’d then just leave the phone on a long-running call without the user ever becoming aware that it was busy. Cha-ching!
</gre_replace>
<gr_insert after="3" cat="add_content" lang="python" orig="For example">
The fraud pattern just described leaves a clear trace in the call records: long answered calls, to premium-rate destinations, at hours when nobody is at the desk. Below is an added example (my own code, not part of the original post and not from Paul Moore’s research) that runs those three checks over a few constructed Asterisk-style CDR lines. It assumes the field order of Asterisk’s `cdr_csv` Master.csv, a US-style list of premium prefixes, a one-hour “normal call” ceiling and a 22:00 to 07:00 after-hours window; all four are assumptions to adjust for your own PBX and country.

```python
import csv
import io
from datetime import datetime

# Field order of Asterisk's cdr_csv Master.csv. This ordering is an assumption
# for the example; verify it against your own Asterisk build before relying on it.
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Tunables (assumptions, adjust for your site): US-style premium-rate prefixes,
# the longest answered call you consider normal, and the after-hours window.
PREMIUM_PREFIXES = ("900", "1900")
MAX_BILLSEC = 3600
AFTER_HOURS_START, AFTER_HOURS_END = 22, 7   # 22:00 .. 06:59 local time

# Constructed sample records, not real traffic: one ordinary daytime call, one
# overnight multi-hour call to a 900 number (the pattern described above), one
# short daytime call, and one overnight international call.
SAMPLE_CDR = '''\
"","201","2125551234","from-internal","Desk 201 <201>","SIP/201-00000001","SIP/trunk-00000002","Dial","SIP/trunk/2125551234","2011-07-10 10:02:11","2011-07-10 10:02:15","2011-07-10 10:09:40","449","445","ANSWERED","3","1310292131.1",""
"","201","9005551234","from-internal","Desk 201 <201>","SIP/201-00000003","SIP/trunk-00000004","Dial","SIP/trunk/9005551234","2011-07-10 02:14:02","2011-07-10 02:14:05","2011-07-10 06:50:33","16591","16588","ANSWERED","3","1310264042.3",""
"","202","3105550100","from-internal","Desk 202 <202>","SIP/202-00000005","SIP/trunk-00000006","Dial","SIP/trunk/3105550100","2011-07-10 14:30:00","2011-07-10 14:30:03","2011-07-10 14:32:00","120","117","ANSWERED","3","1310308200.5",""
"","203","01144207946000","from-internal","Desk 203 <203>","SIP/203-00000007","SIP/trunk-00000008","Dial","SIP/trunk/01144207946000","2011-07-10 03:05:10","2011-07-10 03:05:14","2011-07-10 03:20:10","900","896","ANSWERED","3","1310267110.7",""
'''


def parse_cdr(text):
    """Parse Master.csv-style text into a list of dicts keyed by CDR_FIELDS."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(CDR_FIELDS, row)) for row in reader if row]


def flag_call(rec):
    """Return the list of reasons a single CDR record looks like toll fraud."""
    reasons = []
    dst = rec["dst"].lstrip("+")
    if dst.startswith(PREMIUM_PREFIXES):
        reasons.append("premium-rate destination")
    billsec = int(rec["billsec"])
    if billsec > MAX_BILLSEC:
        reasons.append("billsec %d exceeds %d" % (billsec, MAX_BILLSEC))
    start = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
    if start.hour >= AFTER_HOURS_START or start.hour < AFTER_HOURS_END:
        reasons.append("started after hours (%s)" % start.strftime("%H:%M"))
    return reasons


def suspicious_calls(text):
    """Return (src, dst, reasons) for every record that trips at least one rule."""
    hits = []
    for rec in parse_cdr(text):
        reasons = flag_call(rec)
        if reasons:
            hits.append((rec["src"], rec["dst"], reasons))
    return hits


if __name__ == "__main__":
    for src, dst, reasons in suspicious_calls(SAMPLE_CDR):
        print("%s -> %s: %s" % (src, dst, "; ".join(reasons)))
```

Run against the sample, the overnight 900-number call trips all three rules and the overnight international call trips only the after-hours rule; the two daytime calls pass. One caveat if you adapt this: strip any outside-line dial prefix (a leading 9, for instance) from `dst` before the prefix match, or every external call will look premium-rate.
<test>
recs = parse_cdr(SAMPLE_CDR)
assert len(recs) == 4
assert all(len(r) == 18 for r in recs)
assert flag_call(recs[0]) == []
assert flag_call(recs[2]) == []
r1 = flag_call(recs[1])
assert len(r1) == 3
assert "premium-rate destination" in r1
assert "billsec 16588 exceeds 3600" in r1
assert flag_call(recs[3]) == ["started after hours (03:05)"]
hits = suspicious_calls(SAMPLE_CDR)
assert [h[1] for h in hits] == ["9005551234", "01144207946000"]
assert hits[0][0] == "201"
</test>
</gr_insert>
<gr_replace lines="4" cat="clarify" orig="The recent blow-up">
The recent blow-up in the UK over the tabloid media accessing people’s cellular voicemail is certainly interesting. Endless media outlets are reporting the crime as “hacking” cell phones or cell phone voicemail. Here are just a few examples:
The recent blow-up in the UK over the tabloid media accessing people’s cellular voicemail is certainly interesting. Endless media outlets are reporting the crime as “hacking” cell phones or cell phone voice mail. Here are just a few examples:
I find that the use of the term “hacking” in this context sits uneasily with me. In my mind, hacking implies that an appreciable level of skill is involved. The most basic of the techniques described I consider trivially simple: it requires no particular skill at all, just a little devilishness.
Apparently Magic Jack has taken some steps to stop delivering service to people who access the service with clients other than bona fide Magic Jack dongles. This happened sometime in the past week and has been noted in the PBX-in-a-Flash forums as well as the Unofficial Magic Jack Support Forums.
Some conjecture that such treatment of customers will in some way hurt the company. I doubt that is the case. The percentage of their users who use Asterisk to pass calls to them is likely extremely small. It’s also quite likely very obvious to them, both in terms of average minutes per user per month and the SIP client name reported in the User-Agent header.
To me Magic Jack is completely boring on its own. $20/yr for unlimited calling in the US is OK. In fact, that’s cheap. But needing to use your PC to run their softphone client from that USB device is lame.
Some folks at the Unofficial Magic Jack forum have gone to considerable lengths to patch HP thin clients running Windows XPe so that they can also run the Magic Jack software. Thus they can turn off their main PC and just leave the T5700 running. But that’s a lot of effort for very little return.