Slashdot Mirror


Researchers Find Method To Own VoIP Phones, Silently Listen To Any Call

Trailrunner7 writes: Researchers have uncovered a simple method for compromising some common VoIP phones, enabling them to listen to victims' calls covertly or use the phones to make expensive or fraudulent calls. The attack takes advantage of the fact that the affected phones don't have any authentication set up by default, but do have a vulnerability that is open to remote exploitation. A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack. Paul Moore, a security consultant in the U.K., detailed the problem and demonstrated an attack on a Snom 320, a popular VOIP phone.

Secure providers of business VoIP phone service should be considered for businesses looking to avoid vulnerable VoIP systems.

  1. Charlie is listening by AHuxley · · Score: 1

    Using VOIP hardware has risks and then conducting sensitive commercial or political discussions may not always be wise.
    Use VOIP to talk about any product, service or policy that's out in public.
    Keep sensitive discussions face to face. It might take a few hours or a 5 day round trip but it will be a bit more secure.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Charlie is listening by ls671 · · Score: 1

      Nothing specific to voip here. The attack exploits a network attached device (IoT?) that runs a web server accessible without any form of authentication. It is just a variant of other IoT device attacks; web camera, temperature controller etc.

      Shut the damned web server off on the device or at least choose a user name and password to allow access to it...

      --
      Everything I write is lies, read between the lines.
  2. Desktop PC VoIP phone exploit .. by tetraverse · · Score: 2

    "A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack."

    What desktop Operating System does this exploit run on?

    1. Re:Desktop PC VoIP phone exploit .. by nine-times · · Score: 1

      Well I think the question is, what phones are included in the list of "vulnerable phones"?

      They only mention one model, the "Snom 320". So is this a problem with a particular model of phones, a particular design, or a particular protocol? Is it a widespread problem?

    2. Re:Desktop PC VoIP phone exploit .. by aaarrrgggh · · Score: 1

      Doesn't really matter; if you can sniff any traffic you can usually get the SIP authentication credentials. You can use SIPS instead, but it has issues. You can also use encryption just for the session management and keep the audio unencrypted, which will prevent spoofing credentials but not eavesdropping.

      Once you have the information it is just a challenge of proxying the information out.

    3. Re:Desktop PC VoIP phone exploit .. by amorsen · · Score: 1

      The problem is pretty much inherent to all web-manageable VoIP phones. Which is all of them.

      If they have any web-based vulnerabilities, an attacker can use any browser on the same network to exploit those vulnerabilities.

      --
      Finally! A year of moderation! Ready for 2019?
  3. VoIP is wide open for just about anything by turkeydance · · Score: 1

    so....don't use VoIP for anything.

    1. Re:VoIP is wide open for just about anything by aaarrrgggh · · Score: 3, Interesting

      Pretty much. We looked at the cost and challenges for encrypting SIP communications on our local LAN, and it just wasn't worth the hassle. We will segregate the phones onto a separate VLAN, but the value is limited; SIP deployments really aren't focused on security yet.

      We control the financial aspect by carrier-enforced rules which prevent toll calls. Much more effective. (We do have a way to make calling card calls through our Asterisk system that is sufficiently locked down and only has $100 or so at risk.)

    2. Re:VoIP is wide open for just about anything by kiss7 · · Score: 1

      What about SRTP and ZRTP? No segregation is needed for these to work (they will also work over the internet automatically using these encryption methods between supported endpoints). Also there are solutions for companies which can handle encryption transparently such as the mizutech voip tunnel.

    3. Re:VoIP is wide open for just about anything by sociocapitalist · · Score: 1

      Pretty much. We looked at the cost and challenges for encrypting SIP communications on our local LAN, and it just wasn't worth the hassle. We will segregate the phones onto a separate VLAN, but the value is limited; SIP deployments really aren't focused on security yet.

      We control the financial aspect by carrier-enforced rules which prevent toll calls. Much more effective. (We do have a way to make calling card calls through our Asterisk system that is sufficiently locked down and only has $100 or so at risk.)

      What system are you using that doesn't inherently support SIP authentication?
      http://www.voip-info.org/wiki/...

      The biggest risk for most implementations is toll theft so while encryption may not be necessary you should still be able to authenticate call setup and control.

      --
      blindly antisocialist = antisocial
    4. Re:VoIP is wide open for just about anything by aaarrrgggh · · Score: 1

      The TLS implementations on our phones aren't that secure, made worse by the fact that we use a TFTP server for configuration. Yes, adding in TLS isn't that hard, nor is switching to an HTTPS configuration server, nor really is 802.1x. There were some bugs in Asterisk that made this setup less reliable when we deployed our system, and the real issue there was working around everything to get the system working properly.

      We are still small enough that these decisions were reasonable for a 5-7 year horizon, but we are starting to push that threshold as we get to the end of that range. If it wasn't a pain for troubleshooting, I would disable the web interface, and I might break down and do this soon.

  4. "German engineered" by 110010001000 · · Score: 1

    Hilarious: the web page says "Thank you for choosing Snom! German engineered!"

    I'm pretty sure that VW proved that "German Engineering" didn't mean much.

    1. Re:"German engineered" by drinkypoo · · Score: 1

      I'm pretty sure that VW proved that "German Engineering" didn't mean much.

      In der auto, it means that it will be awesome for a decade or so tops and then take all your money if you don't step away. VW only failed at diesels. Amusingly, Mazda said their diesel could meet US emissions but it would feel like a VW in performance and that wasn't good enough.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:"German engineered" by swb · · Score: 1

      I'd say dynamically recognizing emissions testing and changing the operating parameters to pass testing and then changing back to more power for driving IS pretty sophisticated engineering.

  5. Re: Can you hear me now? by The1stImmortal · · Score: 1

    This. It's not really a voip exploit as it's just logging into a voip phone with no authentication and initiating a call. The actual exploit is getting control of the users' pc and using it to find and get into the phone. You could use the same method to get into any other device on the network, or to get the PC itself to use its mic to record stuff. This is more an indictment on the OS being compromised than the phones.

  6. Re:Where are the actual details? by Cramer · · Score: 1

    That's pretty much all we get from most of these "security experts". At no point do they "take over the phone" and at no point is it, in fact, covert. The phone is clearly in use the whole time. If you were making that skype call with the f'ing phone on your desk, you'd instantly know someone is dicking with it. (as you would also by simply looking at it) Yes, someone can make the phone do, well, what the phone is designed to do via the web api. As for all this OMG-firmware-upload!!!!!11!, the images are signed and THE PHONE WILL REBOOT after being sent the firmware update command.

    This is just more bullshit from internet security trolls hellbent on making every g** d*** thing so freakin' complex to use that we'll have to resort to using The One Password(tm) that can meet their idiotic requirements that's so hard to remember it'll have to be tattooed to the back of your hand. Or use a password manager, because putting all your eggs in one place is SOOOOOOOOOOO secure.

    (Yes, there have been real bugs in VoIP phones that do, in fact, allow covert snooping. Sneak your own app into a Cisco phone that tunnels the mic to wherever; you'd have to watch network to know it's there.)

  7. Physical access = all bets off by RubberDogBone · · Score: 1

    If an intruder has physical access to your damn network, you have a LOT more to worry about than VOIP/SIP calls they might be sniffing.

    --
    Sig for hire.
  8. Narrator: A major one. by Moskit · · Score: 1

    Narrator: A major one.

  9. So... set a password on your phone's web interface by The-Ixian · · Score: 1

    This sort of seems like common sense to me... not really sure that this is newsworthy...

    The thing is, a lot of RTP streams are unencrypted anyway and can easily be slurped up by any packet sniffer.... right?

    So, equally newsworthy would be a headline that states that open wifi hotspot maintainers can listen in on your phone calls...

    --
    My eyes reflect the stars and a smile lights up my face.
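
Several comments above turn on whether a call's RTP audio is encrypted (plain RTP versus SRTP or ZRTP). The following is an added example, not part of any comment or of the original article: a small audit that reads an SDP offer from your own SIP traces and labels each media stream by how it is protected. The function names, labels and sample SDP are constructed for illustration.

```python
# Added example. The SDP body below is a constructed sample, not a capture.

def classify(proto, attrs):
    """Map an m= transport profile and its attribute names to a protection label."""
    proto = proto.upper()
    if proto.startswith("UDP/TLS/RTP/SAVP"):   # DTLS-SRTP (RFC 5764)
        return "dtls-srtp" if "fingerprint" in attrs else "dtls-srtp-missing-fingerprint"
    if proto.startswith("RTP/SAVP"):           # SRTP, SDES key in a=crypto (RFC 4568)
        # SDES keys travel inside the SDP, so they are only private if SIP runs over TLS.
        return "srtp-sdes" if "crypto" in attrs else "srtp-no-sdes-key"
    if proto.startswith("RTP/AVP"):            # plain RTP profile
        # a=zrtp-hash (RFC 6189) signals ZRTP support; keying happens in the media path.
        return "zrtp-capable" if "zrtp-hash" in attrs else "plaintext"
    return "unknown"


def audit_sdp(sdp):
    """Return one finding per m= section of an SDP offer or answer."""
    session_attrs, sections, current = set(), [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            current = {"attrs": set()}
            if len(parts) >= 3:            # malformed m= lines are parsed but not reported
                current.update(media=parts[0], port=parts[1], proto=parts[2])
                sections.append(current)
        elif line.startswith("a="):
            name = line[2:].split(":", 1)[0]
            (current["attrs"] if current is not None else session_attrs).add(name)
    findings = []
    for s in sections:
        # Session-level attributes (such as a=fingerprint) apply to every media section.
        label = "disabled" if s["port"] == "0" else classify(s["proto"], s["attrs"] | session_attrs)
        findings.append({"media": s["media"], "proto": s["proto"], "protection": label})
    return findings


SAMPLE_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=constructed
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
m=video 49172 RTP/SAVP 96
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY
"""
```

A `plaintext` finding means the audio can be read by anything on the path; an `srtp-sdes` finding is only as private as the signaling channel that carried the key.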