VoIP phones can be hacked because of weak or unchanged default passwords, according to security researchers, IT PRO reported. Attackers can make and take calls, transfer them without the user’s knowledge and listen in on private conversations.
Security researchers warned that the Internet telephony handsets used in many enterprises are vulnerable to attack by hackers, who are making millions using hijacked phones to dial premium-rate numbers, according to techweekeurope.co.uk.
Installers Fail To Change Passwords
Paul Moore, a security expert, uncovered this weakness after consulting on the installation of some VoIP phones. He noticed that IT professionals and installers failed to change default passwords, intending to do so at a later time. As soon as a phone became active, the installer moved on to the next install job and gave no further thought to hardening the device just installed.
The lack of device-level authentication poses a major problem, Moore said. Hardware from well-established names such as Snom, Ubiquiti UniFi and Cisco, usually assumed to be secure once placed behind a firewall, was in fact not secure.
Experts Demo Vulnerabilities
Moore, working with Scott Helme and Per Thorsheim, both fellow security professionals, demonstrated how easy it is to hack VoIP phones.
Moore reset a Snom 320 VoIP phone to its default settings. All an attacker then needed was for the phone’s user to visit a website hosting a malicious payload, which gave the attacker full control of the device. The attacker could then block incoming calls, call premium-rate numbers and quietly listen in on the user’s conversations.
Snom told The Register that the firmware the researchers tested was a beta version that the company has since updated. Moore, however, said the outdated firmware was marked as the latest version. He said he planned to redo the tests with the latest software.
Alan Woodward, a security expert at the University of Surrey, told techweekeurope.co.uk that Internet-connected VoIP handsets running default settings are easy to find by entering the right search terms in Google. Attackers can also use search services such as Shodan that index Internet-connected devices.
Even when basic security precautions are taken, VoIP phones remain vulnerable because they are easier to hack and harder to update than full-blown computer systems, Woodward said.
Because the device runs Unix, it can be attacked like any other computer, Woodward noted in an advisory. The VoIP manufacturer often builds to a price point, and security is not top of mind. The added difficulty of updating embedded software when a problem surfaces compounds the problem.
U.K. Prone To Hacker Scams
Woodward said attackers use premium-rate scams to make millions. He cited a report by Nettitude that indicated the U.K. was especially affected by such scams. Moore has advised the phone makers to take better care in securing their products before releasing them.
If vendors must ship devices with default credentials, they should disable all other functionality until a sufficiently strong password replaces them, Moore said. He also encouraged IT staff to be more aware of the dangers of any Internet-connected device. IT people should remember that the device is essentially a PC, with all the vulnerabilities associated with a PC.
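The check a practitioner would want after reading the installer findings above and Moore’s recommendation on default credentials is an inventory audit: does a handset’s web management interface accept requests with no credentials at all, or with a vendor default pair? The following is an added example written for this page, not code from the researchers, Snom or any other vendor. It assumes the handset exposes an HTTP management UI guarded by HTTP Basic authentication at a path such as `/` (real handsets vary, and some use Digest or form logins), and the `DEFAULT_CREDENTIALS` list is an illustrative assumption, not a vendor’s documented defaults. The simulated devices at the bottom are constructed stand-ins so the script runs offline; swap in `urllib_opener` to probe real hosts on your own network.

```python
"""Audit VoIP handsets for missing or default web-UI credentials (added example)."""
import base64
import urllib.error
import urllib.request

# Assumption: candidate factory defaults to try. Adjust per vendor documentation.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", ""), ("admin", "1234"), ("root", "root")]
# Assumption: the management UI answers at this path; many handsets use a vendor-specific one.
PATH = "/"


def basic_auth_header(username: str, password: str) -> dict:
    """Build an RFC 7617 HTTP Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def urllib_opener(url: str, headers: dict, timeout: float = 5.0) -> int:
    """Real network probe: GET the URL and return the HTTP status code (401 etc. included)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_host(host: str, opener=urllib_opener, path: str = PATH,
               candidates=DEFAULT_CREDENTIALS) -> dict:
    """Classify one handset as 'no-auth', 'default-creds' or 'ok'.

    opener(url, headers) -> status code; injected so the logic can run offline.
    """
    url = f"http://{host}{path}"
    # Worst case first: the UI is reachable with no credentials at all.
    if opener(url, {}) == 200:
        return {"host": host, "finding": "no-auth", "credentials": None}
    # Otherwise try each factory-default pair; stop at the first one that works.
    for user, password in candidates:
        if opener(url, basic_auth_header(user, password)) == 200:
            return {"host": host, "finding": "default-creds", "credentials": (user, password)}
    return {"host": host, "finding": "ok", "credentials": None}


def simulated_device(accepted):
    """Constructed stand-in for a handset's web UI, not a real device.

    accepted: set of (user, password) pairs the UI accepts; None models a UI
    with no authentication at all, the case Moore found on the reset phone.
    """
    def opener(url: str, headers: dict) -> int:
        if accepted is None:
            return 200
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        return 200 if (user, password) in accepted else 401
    return opener


# Constructed sample inventory: three hosts with different security postures.
SAMPLE_INVENTORY = {
    "10.0.0.11": simulated_device(None),                        # reset to factory, no auth
    "10.0.0.12": simulated_device({("admin", "admin")}),        # installer never changed it
    "10.0.0.13": simulated_device({("admin", "Tr0ub4dor&3!")}),  # hardened
}


def audit_inventory(inventory: dict) -> list:
    """Run audit_host over every (host, opener) pair and return the findings."""
    return [audit_host(host, opener) for host, opener in inventory.items()]


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['finding']} {finding['credentials'] or ''}")
```

Run it against the constructed inventory and the three hosts come back as `no-auth`, `default-creds (admin, admin)` and `ok`. For a real sweep, point `audit_host` at your handset subnet with the default `urllib_opener`; treat anything other than `ok` as a device that should be taken off the network until its credentials are changed, which is the lockout behaviour Moore asks vendors to build in.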
Users should not assume a device is safe simply because it is operating as the manufacturer intended, Moore said. Instead, they should seek professional advice.