Skip to main content

You could be spied upon through VoIP phones

You should be careful when running voice-over-IP (VoIP) phones, as weak passwords could turn your device into a covert spying tool, security researchers say.

Security consultant Paul Moore says he discovered how default and weak passwords on enterprise-grade Snom VoIP phones could allow attackers to make their own calls using your service, or listen to your conversations.

In a report on the issue, The Register says it was confirmed that this was, in fact, a beta version of Snom VoIP firmware, even though it was marked as the latest version. Moore had done quite a thorough investigation and a proof of concept, saying he will now redo the tests with the new firmware version.

His tests have shown that the device’s setup console had no authentication protocols, meaning you could be exploited by simply visiting a site with a hostile JavaScript payload.

Together with a pair of colleagues, he made a proof of concept:

“Unbeknownst to me, Per has forced my VoIP phone to call his premium rate number and disabled the speaker, so unless I'm looking at the phone, I wouldn't know it's dialling.” Moore said.

“What can the attacker do? Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially... use the device for covert surveillance.”

“If you install, use or just find yourself sat next to one of these devices, just remember... it's basically a PC, with all the security vulnerabilities associated with them,” Moore concludes. “Don't assume it's safe because it's running as the manufacturer intended; seek professional advice.”