IP freely? Your VoIP phone can become a covert spy tool...

VoIP phones running default or weak passwords can be used for secret surveillance, independent security consultant Paul Moore warns. Moore said he'd discovered that default passwords on enterprise grade Snom VoIP phones create a means for attackers to either make calls and even spy on incoming or outgoing conversations. Moore …

  1. Anonymous Coward

    Shocking revelation!

    Default or weak passwords are bad.

    1. Paul Moore

      Re: Shocking revelation!

      True, but that somewhat misses the point.

      As you rightly said, default & weak passwords are bad... yet virtually every manufacturer is perfectly happy to ship devices which operate under such circumstances.

      Clearly, telling people to use long, strong & unique passwords (alone) isn't enough. It's not beyond the realms of possibility to limit functionality *until* solid security practices have been followed; it's not much to ask.

      1. Anonymous Coward

        @Paul

        "Clearly, telling people to use long, strong & unique passwords (alone) isn't enough. It's not beyond the realms of possibility to limit functionality *until* solid security practices have been followed; it's not much to ask."

        It is. Whatever happened to someone's own responsibility? I can counter this argument easily: it's also not beyond the realms of fairness to hold people accountable for their own actions. If they didn't do a proper job on setting up their environments and people abuse that because of negligence, then the responsible people should be held accountable.

        Sure; add a more secure system. Then what happens next if people simply opt to disable or change it and then add the easy passwords themselves? Then we're a few years ahead, a few years with plenty of abuse, and then we may finally come to a conclusion that those people who are negligent should have been held accountable.

        This isn't simply spouting off, it's based on facts. Small sidestep: take a look at SELinux, pretty much a standard in security on several Linux distributions. And which question has made it into their official FAQ? "How do I disable SELinux?".

        1. Paul Moore

          Re: @Paul

          I absolutely agree with you... people should be held accountable for their actions, but with one caveat.

          The definition of what constitutes a long, strong & unique password varies immensely. In an ideal world, we'd all be using password manager-derived PWs, cryptographically secure keys and patch frequently, but one could argue that your point of view, though perfectly valid, bears little resemblance to how the industry actually works. As much as we'd love them to do so, people don't always follow best practices. There has to be some level of responsibility on behalf of the vendors to protect yourself, from yourself. If you make a change (intentionally or otherwise) which potentially impacts upon the security of that deployment, make it known. If they skip it, sure... they should be held accountable.

          What isn't up for debate however, is the security of:

          Username: 1

          Password: 1

          ... but the Snom is perfectly happy to accept those as credentials necessary to protect the device.

          Security should be enforced by those who understand it, not delegated to those that don't.

          1. Anonymous Coward

            Re: @Paul

            > What isn't up for debate however, is the security of: Username: 1 Password: 1

            This example without context does not mean much. On one hand security consists of many complementary and redundant lines of defence, and on the other hand, security is only one of the aspects of a product, and the designer has to balance that aspect with all the others; being too opinionated in this respect is not usually conducive to long-lived, profitable products.

            From the user's point of view, security is also only one of the many considerations to take into account, and even then there are many different ways of approaching the problem, which is another reason why generic products shouldn't be too opinionated (and this does not apply just to security).

    2. Christian Berger

      One should note...

      That snom telephones show a big fat warning on their display when you have no password set. You have to acknowledge it to get it away and it'll return every time you reboot your telephone.

  2. This post has been deleted by its author

  3. Anonymous Coward

    which was available even through corporate firewalls.

    which was available even through poorly configured corporate firewalls.

    TFTFY

  4. Tom Sparrow

    Doesn't give any details

    I tried to understand what the problem was, and there's no detail at all on the article. The video shows nothing really.

    I assume it's a matter of *if* your phone has a weak or no password and *if* you go to the right webpage and *if* they know the IP address of your phone and *if* they know the make of phone you use then (and only then) the 'attacker' can could the web interface URL and give commands to the phone.

    *If* I'm right, then it doesn't sound like a major issue to me, or a major surprise. It certainly smells of security consultant scaremongering.

    1. Paul Moore

      Re: Doesn't give any details

      "it's a matter of *if* your phone has a weak or no password"

      It's sadly not a matter of *if*. Most people use comparably weak passwords for their bank; do you think they've given a moment's thought to choosing a secure password here, if they've used a password at all?

      "*if* you go to the right webpage"

      You're right, but that's easy to achieve. It's also true of XSS & SQLi and I presume you wouldn't argue the severity of those, surely?

      "*if* they know the IP address of your phone"

      Not necessary.

      "*if* they know the make of phone you use then"

      Unless it's a targeted attack (even then, it's trivially easy to find which devices they use), the script couldn't care less which phones you use; it'll scan the network and if it finds a vulnerable device, it'll run.

      The video is a demonstration that it's possible, simply by visiting a website... it's not intended to provide a step-by-step guide.

      1. Anonymous Coward

        Re: Doesn't give any details

        " it'll scan the network and if it finds a vulnerable device, it'll run."

        How likely is it that, in any sensible deployment, voice and data aren't on separate VLANs for isolation and QoS purposes? Unless you can show that, then the real-world impact is zero. Furthermore, as data and voice are likely to be isolated, the proposed solution of strong random passwords is a sufficient, but probably not necessary, condition for solving the problem.

        The real issue here is over-hyping of security by the technology press.

        1. Adam 52

          Re: Doesn't give any details

          How many home users have separate VLANs?

          Snoms are fairly popular in the SOHO market and in the small business, no IT support market.

          Does Gordon still frequent these forums? He must have shipped thousands.

    2. Christian Berger

      Re: Doesn't give any details

      Well there isn't actually a problem. Snom Phones have a feature called "Auto Answer" which will answer your call automatically on speakerphone. It'll beep and if you get regular calls you'll notice it rather quickly.

  5. Paul Hayes 1

    seems odd they've decided to pick on Snom phones with this.

    Their phones at least tell you to set a password on the web interface and on the LCD screen. No other IP phone even does that and many of them can be controlled in the same way if they're not secured.

    I don't understand how the web site you visit that includes the exploit code knows what IP address your phone is on (or is it doing a network scan?). Finding it hard to see a real attack vector there.

  6. Anonymous Coward

    And this is surprising?

    IP phones are just computers in a phone case. If there's a security weakness to be exploited then it eventually will be.

    It's another example of the perceived increase in useful functionality (oh really? Is that what the salesman said?) vs security. Stick to a POTS PBX and you'll be fine.

    One place I worked a few years ago loved to brag about their shiny new IP phone system. Shame the damn thing was down a couple of hours every week due to network issues & SIP server failures etc etc. Was a joke.

    1. allthecoolshortnamesweretaken

      Re: And this is surprising?

      Not really. You could do* similar stuff on ISDN phone systems decades** ago. True, you had to ring the system yourself, but so many of them were left on default settings...

      *Still can, actually

      **Yes. Mid-1990s = 20 years = two decades.

  7. Paul Hayes 1

    I see the story on the BBC site has been quite substantially edited now and quite a lot of the snom specific stuff removed.

    The link to the (in my opinion) much better written and factual blog post of Paul Moore seems to have been removed too strangely.

  8. Anonymous Coward

    update from $ClulessManufacturer

    "El Reg asked Berlin-based Snom for comment on Moore’s findings but we’re yet to hear back. We’ll update this story as and when we hear more."

    Well, I can get the update, folks, here goes:

    "Dear El Reg,

    We, at $ClulessManufacturer, take the security of our customers very seriously.

    We have evaluated $SecurittyConsultant's work very cautiously and are evaluating any potential impact on our products.

    Rest sure, dear El Reg, we will update our products according to the best industry security practises."

    (Whenever that means ....)

    There, El Reg, feel free to get that instantiated to whatever IoT vendor and Sec consultant comes up ...

  9. Anonymous Coward

    Stating the blindingly obvious ..

    "Moore discovered that default passwords on enterprise grade Snom VoIP phones create a means for attackers to either make calls and even spy on incoming or outgoing conversations."

  10. Brian Miller

    Source article is more informative

    There are actually two problems with the phones: #1, You can call from the web! #2, No password, or bad passwords.

    Take a look at problem #1! The phone's web UI allows the user to place a call. The phone will automatically go on speakerphone, thus sending all audio out to the attacker. This isn't about sniffing the network traffic, it's about taking control of the phone and making it place calls without you noticing. At a minimum, this means that premium rate numbers can be dialed, racking up your monthly bill.

    Problem #2 is same old, same old. Hopefully the phone can be set up automatically, like many VOIP phones. This needs to be done, and not ignored until later.
