- Chinese Internet censorship: An inside look
- Desktops of the future here today
- What network CEOs really make
- DoD sold counterfeit network gear
- Sci-Fi's goofiest gadgets and technology
Rss FeedRss Feed
Crackin' the Kraken bot. Listen now!
Wireless dangers at airports. Listen now!
Discover how Wait-Time Analysis, a new approach to application and database performance optimization, allows IT professionals to fine-tune applications based on service levels. With this management tool you will find all root causes of problems impacting customers and identify the resources that will resolve that problem. Learn more today.
Get the latest on storage technologies that allow IT professionals to better cope with new IT demands. Learn how storage technologies can help you successfully tackle e-Discover, regulatory compliance, green data center initiatives and the data explosion. Get all the details now.
Watch this webcast to learn in six modules how to more cost effectively consolidate your Windows servers with virtualization. This unique program allows you to pick and choose which of the six modules you would like to view or watch the entire webcast at once. Topics covered: Performance, Use Cases, Enterprise-level Support, Managing Windows Workloads, Setup and Configuration and The Future. Find out how you can simplify server consolidation within your organization today. Register below to learn more and be entered to win an Archos 605 Portable Media Player.
Most Westerners don't realize that most Chinese don't care about censorship, or even approve of it. There...- Anonymous
Researchers have discovered a serious vulnerability in the Web interface used to control a commonly-found VoIP phone, SNOM Technology's model 320.
Attackers need the IP address of the phone being targeted to start the attack, but assuming they have this they can use a cross-site scripting approach to hack the phone's built-in management interface, allowing a range of unwelcome activities.
These include stealing or tampering with phone logs and address book, calling third parties (while appearing to be located at the hacked handset), changing the phone's text display, and even monitoring conversations in the room in which the phone sits without the victim being aware that it is happening. Any calls made from the 'phreaked' handset would be at the owner's expense.
The outfit that uncovered the issue -- GNUCitizen -- has posted proof-of-concept code. German company SNOM has been informed, a GNU spokesperson said, but the company had not responded or given an indication of a likely timescale for patching.
"By crafting a XSS-CSRF vector he/she can inject a persistent XSS into the address book. When the victim visits the phone book, the XSS worm is silently executed and the attacker gains a total control over the interface and the actions that will be performed in the future. This also circumvents any protection mechanisms like VPN or comparable network layers," the GNU Citizen blog claims.
"I've tried to patch the phone with the latest firmware but that didn't work - the phone was temporarily disabled after the process and when it began responding again the firmware version was still the same."
SNOM was asked for comment but had not replied at the time of going to press.
GNUCitizen, which describes itself as an "ethical hacker outfit", has some form in finding embarrassing bugs in hardware. Only last month, the group humbled the mighty BT by finding an authentication hole in the VoIP element of the BT Home Hub broadband gateway.
VoIP security tends to be ignored because it has yet reach mainstream levels of penetration, but many experts have warned that the technology is in danger if turning the humble home or business telephone into a new class of vulnerable device (Compare VoIP Security products).
No surprise that the sector is in the rise. This week saw the creation of a new U.K. company, UM Labs , which plans to start selling a range of security gateways to secure the VoIP traffic in and out of a network. The latest SNOM issue affects the device itself and would not necessarily be protected by such systems. As with other areas of the tech industry, VoIP handset makers could find themselves having to update and patch products as do the makers of every other type of network equipment.
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com The Industry Standard IDG List Services |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
