Slashdot Mirror


Researchers Find Method To Own VoIP Phones, Silently Listen To Any Call

Trailrunner7 writes: Researchers have uncovered a simple method for compromising some common VoIP phones, enabling them to listen to victims' calls covertly or use the phones to make expensive or fraudulent calls. The attack takes advantage of the fact that the affected phones don't have any authentication set up by default, but do have a vulnerability that is open to remote exploitation. A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack. Paul Moore, a security consultant in the U.K., detailed the problem and demonstrated an attack on a Snom 320, a popular VoIP phone.

2 of 36 comments

  1. Desktop PC VoIP phone exploit .. by tetraverse · Score: 2

    "A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack."

    What desktop Operating System does this exploit run on?

  2. Re:VoIP is wide open for just about anything by aaarrrgggh · Score: 3, Interesting

    Pretty much. We looked at the cost and challenges for encrypting SIP communications on our local LAN, and it just wasn't worth the hassle. We will segregate the phones onto a separate VLAN, but the value is limited; SIP deployments really aren't focused on security yet.

    We control the financial aspect by carrier-enforced rules which prevent toll calls. Much more effective. (We do have a way to make calling card calls through our Asterisk system that is sufficiently locked down and only has $100 or so at risk.)