VoIP phone with default password can be used for covert surveillance

phone on conference table
Credit: Keoni Cabral

If you'd like an attacker to eavesdrop on calls made on VoIP phones, then leave the default password in place.

If you’d like an attacker to eavesdrop on your calls made on VoIP phones, then leave the default password in place. If not, then change it.

Using default or weak passwords will continue to bite companies, but this time instead of spying via IP cameras, it was enterprise-grade VoIP phones being pwned. When a client asked information security consultant Paul Moore how to improve security without disrupting ease of VoIP phone deployment, Moore discovered the company was using the default password.

Perhaps recalling how HD Moore remotely infiltrated boardrooms in top companies via videoconferencing systems setup outside firewalls, the IT staff felt confident about security since the VoIP phones were behind a “strong firewall.”

Oh really? Paul Moore set out to disprove the firm’s we’re-safe-from-eavesdropping-attack logic. He showed how an attacker can “make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially...use the device for covert surveillance.”

Using a Snom 320 VoIP phone running 8.7.5.13 firmware in his demonstration, he set it back to a “default state” and discovered that the default configuration panel for the device’s setup console had “no authentication whatsoever” even if it was behind an enterprise-grade firewall. He noted that while some manufacturers do provide default credentials, such as the ever-popular “admin/admin,” the Snom phone just had an “HTTP password not set” warning on the configuration screen. Users are not prompted to setup a password, but if they do then the password can be as short as one character.

To exploit the phone for covert surveillance, Moore enlisted the help of security experts Scott Helme and Per Thorsheim, who played the part of attacker. Multitasking, Moore had a “private conversation” with Helme over Skype while browsing Thorsheim’s site, which was embedded with just a couple lines of JavaScript as an exploit payload.

Moore wrote:

Unbeknownst to me, Per has forced my VoIP phone to call his premium rate number and disabled the speaker, so unless I'm looking at the phone, I wouldn't know it's dialing.

Besides forcing calls to premium numbers, an attacker could receive and transfer calls, as well as use the phone for secret surveillance. Moore wrote, “In this demonstration, the attacker has not only compromised your phone and privacy with just a browser, but you've paid him for the privilege!”

Thorsheim expounded on that ouch and the payload by telling the BBC, “It will charge you a pound a minute and I will listen to whatever is being said close to your phone - you will be paying me to be eavesdropped.”

The Snom phone used in the test is not the only VoIP phone vulnerable, as similar exploits work on “current Cisco devices too.”

Moore concluded:

If you install, use or just find yourself sat next to one of these devices, just remember... it's basically a PC, with all the security vulnerabilities associated with them. Don't assume it's safe because it's running as the manufacturer intended; seek professional advice.

Must read: 11 hidden tips and tweaks for Windows 10
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies