This somewhat frightful claim has been reverberating around the inter-web the past few days. I do agree that YOUR IP phone(s) might be a candidate target for such an exploit. I’m not worried simply because my IP phones don’t suffer the particular vulnerability in question. More on that in a bit.
This claim stems from Paul Moore, a security consultant, hacking a snom 320 IP phone. He found that with the default admin credentials in place he could penetrate the phone, achieving broad control of the device. Then he used that control to do various nefarious things.
For example, he could place calls. Further, he could set up routing to send all calls via a premium service that paid him for every minute of connect time. Thereafter he’d just leave the phone on a long-running call without the user ever becoming aware that it was busy. Cha-ching!
Family is a curious thing. The people closest to us we often regard with a complex mixture of both affection and disdain. Such is the human condition. Emotion, passion especially, arises in so many forms, like matter and anti-matter, energetic yet opposite.
Your family might include doctors, lawyers, poets and astro-physicists…even Nobel laureates. But they’re still your family. You know them really well, and for all their legitimately wondrous attributes there are times that they’re still just a pain in the….well, you know.
When you make use of a particular company’s products for long enough they become a bit like family. You appreciate their better qualities, but you also get to know their idiosyncrasies. You know what you’d change if you had some influence.
Last week’s VUC call with FWD’s Dan Behringer brings to mind a common complaint about SIP desk phones, namely the lack of an alphanumeric keyboard. Lacking a proper keyboard it’s difficult to really push the idea of SIP URIs as a primary means of making calls.
There are a variety of approaches to overcoming this, including the use of ISNs as prescribed by the Freenum project. That project proposes a means of dialing SIP URIs indirectly, assigning them ISN numbers. Since ISNs use only numbers and the * key they can be dialed on a traditional phone keypad. It’s essentially a way of avoiding SIP URIs through indirection.
Over a period of years I’ve used quite a number of these portable USB attached speakerphone devices. A while ago I summarized my experience with them, but as a couple of new models have recently emerged I find that they have my attention yet again. These new devices, if I should be lucky enough to try them, will be the focus of some future posts. For the moment I have another observation to share based upon a recent experience.
All of these portable speakerphones I find well suited to individual use. That is, they work well enough for an individual who is sitting at their PC and doesn’t like to wear a headset. They’re also sufficiently portable to please a road warrior. One of the nice things about this kind of device is that they often support HDVoice when paired with a suitable soft phone.
I’ve been traveling a lot lately so the phones around my home office have been idle. Even so, I was a little surprised to find that my snom m3 was not making or receiving calls this morning. Well, it was and it wasn’t. I could dial out and the call appeared to be placed, but I never heard any audio. Once clear of today’s VUC call with Dan Behringer, and lunch with my wife, I was able to investigate this further and get the matter resolved.
A common wisdom here is that one should use a proper hardware phone rather than extra software on the user’s PC. Why is that such a big issue?
One thing that bothers me with the current crop of hardware SIP phones is that they are hopelessly proprietary.
So what would it take to build a fully-adaptable phone?
I am 100% behind the assertion that most users want a hard phone on their desk. Soft phones, even good ones, seem to be exclusively the domain of those who travel and vertical niches like call centers.