Slashdot Mirror


Researchers Find Method To Own VoIP Phones, Silently Listen To Any Call

Trailrunner7 writes: Researchers have uncovered a simple method for compromising some common VoIP phones, enabling them to listen to victims' calls covertly or use the phones to make expensive or fraudulent calls. The attack takes advantage of the fact that the affected phones don't have any authentication set up by default, but do have a vulnerability that is open to remote exploitation. A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack. Paul Moore, a security consultant in the U.K., detailed the problem and demonstrated an attack on a Snom 320, a popular VOIP phone.

36 comments

  1. Oh shit dude! by Anonymous Coward · · Score: 0

    Well, since EVERYTHING is VoIP now... Please start by my home town. (and I say that by meaning YOUR TOWN)

  2. Can you hear me now? by Anonymous Coward · · Score: 0

    Well, can you?

    1. Re: Can you hear me now? by Anonymous Coward · · Score: 0

      How they hear you:
      1 exploit voip handset
      2 make handset initiate a call to them (the attacker)
      3 listen to stuff via that call

    2. Re: Can you hear me now? by The1stImmortal · · Score: 1

      This. It's not really a voip exploit as it's just logging into a voip phone with no authentication and initiating a call. The actual exploit is getting control of the users' pc and using it to find and get into the phone. You could use the same method to get into any other device on the network, or to get the PC itself to use its mic to record stuff. This is more an indictment on the OS being compromised than the phones.

  3. 2 days late slashdot. by Anonymous Coward · · Score: 0

    Oh well points for trying to be relevant. Like a soviet russia joke say.

  4. Charlie is listening by AHuxley · · Score: 1

    Using VOIP hardware has risks and then conducting sensitive commercial or political discussions may not always be wise.
    Use VOIP to talk about any product, service or policy that's out in public.
    Keep sensitive discussions face to face. It might take a few hours or a 5 day round trip but it will be a bit more secure.

    --
    Domestic spying is now "Benign Information Gathering"

    1. Re:Charlie is listening by ls671 · · Score: 1

      Nothing specific to voip here. The attack exploits a network attached device (IoT?) that runs a web server accessible without any form of authentication. It is just a variant of other IoT device attacks; web camera, temperature controller etc.

      Shut the damned web server off on the device or at least choose a user name and password to allow access to it...

      --
      Everything I write is lies, read between the lines.

  5. Tne SNORM by Anonymous Coward · · Score: 0

    How can that lose? Parker? Parker Lewis?

  6. Desktop PC VoIP phone exploit .. by tetraverse · · Score: 2

    "A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack."

    What desktop Operating System does this exploit run on?

    1. Re:Desktop PC VoIP phone exploit .. by Anonymous Coward · · Score: 0

      If I had to take a guess, I'd say Windows.

    2. Re:Desktop PC VoIP phone exploit .. by nine-times · · Score: 1

      Well I think the question is, what phones are included in the list of "vulnerable phones"?

      They only mention one model, the "Snom 320". So is this a problem with a particular model of phones, a particular design, or a particular protocol? Is it a widespread problem?

    3. Re:Desktop PC VoIP phone exploit .. by aaarrrgggh · · Score: 1

      Doesn't really matter; if you can sniff any traffic you can usually get the SIP authentication credentials. You can use SIPS instead, but it has issues. You can also use encryption just for the session management and keep the audio unencrypted, which will prevent spoofing credentials but not eavesdropping.

      Once you have the information it is just a challenge of proxying the information out.

    4. Re:Desktop PC VoIP phone exploit .. by amorsen · · Score: 1

      The problem is pretty much inherent to all web-manageable VoIP phones. Which is all of them.

      If they have any web-based vulnerabilities, an attacker can use any browser on the same network to exploit those vulnerabilities.

      --
      Finally! A year of moderation! Ready for 2019?

  7. VoIP is wide open for just about anything by turkeydance · · Score: 1

    so....don't use VoIP for anything.

    1. Re:VoIP is wide open for just about anything by Anonymous Coward · · Score: 0

      VoIP is everywhere. Provider-grade VoIP is already "a thing," and a lot of calls are already being sent over IP over long distances.

      Sorry bud, that ship has sailed.

    2. Re:VoIP is wide open for just about anything by aaarrrgggh · · Score: 3, Interesting

      Pretty much. We looked at the cost and challenges for encrypting SIP communications on our local LAN, and it just wasn't worth the hassle. We will segregate the phones onto a separate VLAN, but the value is limited; SIP deployments really aren't focused on security yet.

      We control the financial aspect by carrier-enforced rules which prevent toll calls. Much more effective. (We do have a way to make calling card calls through our Asterisk system that is sufficiently locked down and only has $100 or so at risk.)

    3. Re:VoIP is wide open for just about anything by kiss7 · · Score: 1

      What about SRTP and ZRTP? No segregation is needed for these to work (Will work also over the internet automatically using these encryption methods between supported endpoints). Also there are solutions for companies which can handle encryption transparently such as the mizutech voip tunnel.

    4. Re:VoIP is wide open for just about anything by Anonymous Coward · · Score: 0

      I beg to differ, as I was in a project for replacing a POTS system with a VoIP system, where all traffic (access to the LAN by 802.1X, SIP and RTP) is now encrypted end-to-end. And yes, VLAN separation is also there. At least for Quality of Service reasons, you should have that in place anyway. What you need is a head guy at the customer side who really sticks to the project guidelines and knows the customer white papers by heart and has the balls to stand up for standard conformance and a vendor who closely works with the customer to iron out all the little issues and bugs that necessarily appear during such a project.

      And no, it's not just about the calls to toll numbers that are at stake here. It's really about eavesdropping and trying to get rogue equipment running in your environment and reconfiguring your hardware for the lulz and for serious attacks from the inside. If the organisation grows large, you can't control every aspect of your network by hand, you have to close it up technically and organizationally and have good monitoring and auditing facilities in place.

    5. Re:VoIP is wide open for just about anything by sociocapitalist · · Score: 1

      Pretty much. We looked at the cost and challenges for encrypting SIP communications on our local LAN, and it just wasn't worth the hassle. We will segregate the phones onto a separate VLAN, but the value is limited; SIP deployments really aren't focused on security yet.

      We control the financial aspect by carrier-enforced rules which prevent toll calls. Much more effective. (We do have a way to make calling card calls through our Asterisk system that is sufficiently locked down and only has $100 or so at risk.)

      What system are you using that doesn't inherently support SIP authentication?
      http://www.voip-info.org/wiki/...

      The biggest risk for most implementations is toll theft so while encryption may not be necessary you should still be able to authenticate call setup and control.

      --
      blindly antisocialist = antisocial

    6. Re:VoIP is wide open for just about anything by Anonymous Coward · · Score: 0

      What, turning on TLS authentication in the phones was too difficult for you?

    7. Re:VoIP is wide open for just about anything by aaarrrgggh · · Score: 1

      The TLS implementations on our phones aren't that secure, made worse by the fact that we use TFTP server for configuration. Yes, adding in TLS isn't that hard, nor is switching to https configuration server, nor really is 802.1x. There were some bugs in Asterisk that made this setup less reliable when we deployed our system, and the real issue there was working around everything to get the system working properly.

      We are still small enough that these decisions were reasonable for a 5-7 year horizon, but we are starting to push that threshold as we get to the end of that range. If it wasn't a pain for troubleshooting, I would disable the web interface, and I might break down and do this soon.

    8. Re:VoIP is wide open for just about anything by Anonymous Coward · · Score: 0

      Why should they be? Phone systems were never "secure" in the first place.

      Well into the 21st century you could buy a cheap pair of FRS radios, slightly modify (an overstatement really) one, connect it to the POTS termination point and bam; instant remote eavesdropping.

      Or a cereal box prize for another example...

  8. Where are the actual details? by Anonymous Coward · · Score: 0

    This is all hand-wavy clickbait. It sounds like a garden variety cross-site scripting/request attack, but hard to say.

    1. Re:Where are the actual details? by Cramer · · Score: 1

      That's pretty much all we get from most of these "security experts". At no point do they "take over the phone" and at no point is it, in fact, covert. The phone is clearly in use the whole time. If you were making that skype call with the f'ing phone on your desk, you'd instantly know someone is dicking with it. (as you would also by simply looking at it) Yes, someone can make the phone do, well, what the phone is designed to do via the web api. As for all this OMG-firmware-upload!!!!!11!, the images are signed and THE PHONE WILL REBOOT after being sent the firmware update command.

      This is just more bullshit from internet security trolls hellbent on making every g** d*** thing so freakin' complex to use that we'll have to resort to using The One Password(tm) that can meet their idiotic requirements that's so hard to remember it'll have to be tattooed to the back of your hand. Or use a password manager, because putting all your eggs in one place is SOOOOOOOOOOO secure.

      (Yes, there have been real bugs in VoIP phones that do, in fact, allow covert snooping. Sneak your own app into a Cisco phone that tunnels the mic to wherever; you'd have to watch network to know it's there.)

  9. "German engineered" by 110010001000 · · Score: 1

    Hilarious: the web page says "Thank you for choosing Snom! German engineered!"

    I'm pretty sure that VW proved that "German Engineering" didn't mean much.

    1. Re:"German engineered" by l0n3s0m3phr34k · · Score: 0

      There WERE other brands of voip phones, but Snom has ethnically cleansed them all.

    2. Re:"German engineered" by drinkypoo · · Score: 1

      I'm pretty sure that VW proved that "German Engineering" didn't mean much.

      In der auto, it means that it will be awesome for a decade or so tops and then take all your money if you don't step away. VW only failed at diesels. Amusingly, Mazda said their diesel could meet US emissions but it would feel like a VW in performance and that wasn't good enough

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    3. Re:"German engineered" by swb · · Score: 1

      I'd say dynamically recognizing emissions testing and changing the operating parameters to pass testing and then changing back to more power for driving IS pretty sophisticated engineering.

    4. Re:"German engineered" by Anonymous Coward · · Score: 0

      German quality really was a thing in the early 40s, not anymore.

  10. How is this different from cell phones? by Anonymous Coward · · Score: 0

    Everyone knows that no voice communications are secure except those that use security-by-obscurity (military)

    1. Re:How is this different from cell phones? by Anonymous Coward · · Score: 0

      That doesn't make it all okay.

  11. Physical access = all bets off by RubberDogBone · · Score: 1

    If an intruder has physical access to your damn network, you have a LOT more to worry about than VOIP/SIP calls they might be sniffing.

    --
    Sig for hire.

  12. Surfing the web on a VoIP phone? by Anonymous Coward · · Score: 0

    First off this is just dumb. Surfing the web on a VoIP phone? This is a SNOM 320 phone (It has maybe a 2 line LCD display):

    http://brain.pan.e-merchant.com/2/0/00759502/l_00759502.jpg

    It's standard for VoIP phones to have no authentication right out of the box. Part of the process of registering a VoIP phone is to apply security.

  13. Narrator: A major one. by Moskit · · Score: 1

    Narrator: A major one.

  14. It's not a hack by Anonymous Coward · · Score: 0

    It's a feature. For the just-us dept.

  15. So... set a password on your phone's web interface by The-Ixian · · Score: 1

    This sort of seems like common sense to me... not really sure that this is newsworthy...

    The thing is, a lot of RTP streams are unencrypted anyway and can easily be slurped up by any packet sniffer.... right?

    So, equally newsworthy would be a headline that states that open wifi hotspot maintainers can listen in on your phone calls...

    --
    My eyes reflect the stars and a smile lights up my face.
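
The check several comments above come back to (does a phone's web interface answer without credentials?) as an added example, not part of the original thread or any vendor tool: a Python audit function run against two constructed loopback stand-ins for a phone, one in its default state and one with a password set. The handler classes, function names and result labels are assumptions made for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxy

def classify_admin_ui(url, timeout=3.0):
    """Fetch a device's admin page with no credentials and classify the reply."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            # Served without a challenge. Form-based logins also answer 200,
            # so an OPEN result still needs a manual look at the page.
            return "OPEN" if resp.status == 200 else f"HTTP {resp.status}"
    except urllib.error.HTTPError as err:
        challenged = err.code == 401 and err.headers.get("WWW-Authenticate")
        return "AUTH REQUIRED" if challenged else f"HTTP {err.code}"
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"

class _OpenPhone(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a phone web UI left in its default state."""
    require_auth = False
    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="phone"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"settings page")

    def log_message(self, *args): pass  # keep the demo quiet

class _LockedPhone(_OpenPhone):
    require_auth = True  # the same stand-in after a user name and password are set

def audit_simulated_phones():
    results = {}
    for name, handler in (("default-config", _OpenPhone), ("password-set", _LockedPhone)):
        srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        results[name] = classify_admin_ui(f"http://127.0.0.1:{srv.server_port}/")
        srv.shutdown()
        srv.server_close()
    return results

if __name__ == "__main__":
    print(audit_simulated_phones())
```

Pointed at the addresses in a phone VLAN's own inventory, `classify_admin_ui` gives a quick list of handsets still running without a web interface password.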