If you use a VoIP phone, be warned that it could have a glaring vulnerability which could allow hackers to spy on you and easily carry out other nefarious tricks – at least if you’ve never touched the thing since it was set up, and the device still uses a default password.
This news comes from a security consultant by the name of Paul Moore, who wrote about the issue at length in a post (spotted by IT Pro) entitled ‘PwnPhone: Default passwords allow covert surveillance’.
Moore observed that personnel installing VoIP hardware usually use the default password when first setting up the device, as it will do “for now”, but generally speaking they then move on to the next installation, never to return.
And the default configuration really isn’t secure, as Moore goes on to demonstrate with an example attack on a Snom 320 VoIP phone.
In this case, regardless of whether that phone sits behind a beefy firewall, all it takes to exploit the VoIP phone is the user visiting a website which contains the attacker’s exploit embedded in it.
The attacker is then silently dialled and connected to the phone, and can listen in to conversations. Not only that, but the attacker can also make calls (for example to premium rate lines) and get up to other no-good tricks like transferring calls or even uploading new firmware.
Moore states: “If you install, use or just find yourself sat next to one of these devices, just remember… it’s basically a PC, with all the security vulnerabilities associated with them. Don’t assume it’s safe because it’s running as the manufacturer intended; seek professional advice.”
Of course, the first thing you can do is ensure you’re not running with the defaults, and that you have a strong password in place. For further advice, check out Moore’s full post on the matter.