Default or weak passwords are bad.
VoIP phones running default or weak passwords can be used for secret surveillance, independent security consultant Paul Moore warns. Moore said he'd discovered that default passwords on enterprise grade Snom VoIP phones create a means for attackers to either make calls or even spy on incoming or outgoing conversations. Moore …
True, but that somewhat misses the point.
As you rightly said, default & weak passwords are bad... yet virtually every manufacturer is perfectly happy to ship devices which operate under such circumstances.
Clearly, telling people to use long, strong & unique passwords (alone) isn't enough. It's not beyond the realms of possibility to limit functionality *until* solid security practices have been followed; it's not much to ask.
"Clearly, telling people to use long, strong & unique passwords (alone) isn't enough. It's not beyond the realms of possibility to limit functionality *until* solid security practices have been followed; it's not much to ask."
It is. Whatever happened to someone's own responsibility? I can counter this argument easily: It's also not beyond the realms of fairness to hold people accountable for their own actions. If they didn't do a proper job on setting up their environments and people abuse that because of negligence then the responsible people should be held accountable.
Sure; add a more secure system. Then what happens next if people simply opt to disable or change it and then add the easy passwords themselves? Then we're a few years ahead, a few years with plenty of abuse, and then we may finally come to a conclusion that those people who are negligent should have been held accountable.
This isn't simply spouting off, it's based on facts. Small sidestep: take a look at SELinux, pretty much a standard in security on several Linux distributions. And which question has made it into their official FAQ? "How do I disable SELinux?".
I absolutely agree with you... people should be held accountable for their actions, but with one caveat.
The definition of what constitutes a long, strong & unique password varies immensely. In an ideal world, we'd all be using password manager-derived PWs, cryptographically secure keys and patch frequently but one could argue that your point of view, though perfectly valid, bears little resemblance to how the industry actually works. As much as we'd love them to do so, people don't always follow best practices. There has to be some level of responsibility on behalf of the vendors to protect yourself from yourself. If you make a change (intentionally or otherwise) which potentially impacts upon the security of that deployment, make it known. If they skip it, sure... they should be held accountable.
What isn't up for debate, however, is the security of:
Username: 1
Password: 1
... but the Snom is perfectly happy to accept those as credentials necessary to protect the device.
Security should be enforced by those who understand it, not delegated to those that don't.
> What isn't up for debate however, is the security of: Username: 1 Password: 1
This example without context does not mean much. On one hand security consists of many complementary and redundant lines of defence, and on the other hand, security is only one of the aspects of a product, and the designer has to balance that aspect with all the others; being too opinionated in this respect is not usually conducive to long-lived, profitable products.
From the user's point of view, security is also only one of the many considerations to take into account, and even then there are many different ways of approaching the problem, which is another reason why generic products shouldn't be too opinionated (and this does not apply just to security).
I tried to understand what the problem was, and there's no detail at all on the article. The video shows nothing really.
I assume it's a matter of *if* your phone has a weak or no password and *if* you go to the right webpage and *if* they know the IP address of your phone and *if* they know the make of phone you use, then (and only then) the 'attacker' can call the web interface URL and give commands to the phone.
*If* I'm right, then it doesn't sound like a major issue to me, or a major surprise. It certainly smells of security consultant scaremongering.
"it's a matter of *if* your phone has a weak or no password"
It's sadly not a matter of *if*. Most people use comparably weak passwords for their bank, do you think they've given a moment's thought to choosing a secure password here, if they've used a password at all?
"*if* you go to the right webpage"
You're right, but that's easy to achieve. It's also true of XSS & SQLi and I presume you wouldn't argue the severity of those, surely?
"*if* they know the IP address of your phone"
"*if* they know the make of phone you use then"
Unless it's a targeted attack (even then, it's trivially easy to find which devices they use), the script couldn't care less which phones you use; it'll scan the network and if it finds a vulnerable device, it'll run.
The video is a demonstration that it's possible, simply by visiting a website... it's not intended to provide a step-by-step guide.
" it'll scan the network and if it finds a vulnerable device, it'll run."
How likely is it that, in any sensible deployment, voice and data aren't on separate VLANs for isolation and QoS purposes? Unless you can show that, then the real world impact is zero. Furthermore as data and voice are likely to be isolated, the proposed solution of strong random passwords is a sufficient, but probably not necessary condition for solving the problem.
The real issue here is over hyping security by the technology press.
Seems odd they've decided to pick on Snom phones with this.
Their phones at least tell you to set a password on the web interface and on the LCD screen. No other IP phone even does that and many of them can be controlled in the same way if they're not secured.
I don't understand how the web site you visit that includes the exploit code knows what IP address your phone is on (or is it doing a network scan?). Finding it hard to see a real attack vector there.
IP phones are just computers in a phone case. If there's a security weakness to be exploited then it eventually will be.
It's another example of the perceived increase in useful functionality (oh really? Is that what the salesman said?) vs security. Stick to a POTS PBX and you'll be fine.
One place I worked at a few years ago loved to brag about their shiny new IP phone system. Shame the damn thing was down a couple of hours every week due to network issues & SIP server failures etc. etc. Was a joke.
"El Reg asked Berlin-based Snom for comment on Moore’s findings but we’re yet to hear back. We’ll update this story as and when we hear more."
Well, I can get the update, folks, here goes:
"Dear El Reg,
We, at $CluelessManufacturer, take the security of our customers very seriously.
We have evaluated $SecurityConsultant's work very cautiously and are evaluating any potential impact on our products.
Rest assured, dear El Reg, we will update our products according to the best industry security practices."
(Whenever that means ....)
There, El Reg, feel free to get that instantiated to whatever IoT vendor and Sec consultant comes up ...
There are actually two problems with the phones: #1, You can call from the web! #2, No password, or bad passwords.
Take a look at problem #1! The phone's web UI allows the user to place a call. The phone will automatically go on speakerphone, thus sending all audio out to the attacker. This isn't about sniffing the network traffic, it's about taking control of the phone and making it place calls without you noticing. At a minimum, this means that premium rate numbers can be dialed, racking up your monthly bill.
Problem #2 is same old, same old. Hopefully the phone can be set up automatically, like many VoIP phones. This needs to be done, and not ignored until later.
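The two problems above (a web UI that will dial on request, and default or weak credentials) and the earlier suggestion to limit functionality until a proper password is set can be combined into one design rule, shown here as an added, constructed model of a phone's web UI; it is not Snom's code or the attack from the video. The factory credential list, the 12-character minimum and the `https://phone.local` origin are assumptions. Dialing stays disabled while the credentials are factory defaults or too short, and a dial request is only honoured when it comes from the phone's own UI with a valid per-session CSRF token, which is what stops a merely visited web page from placing the call.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed list of factory defaults; a real device knows its own.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("1", "1"), ("admin", "")}
MIN_PASSWORD_LENGTH = 12                 # assumed policy
TRUSTED_ORIGIN = "https://phone.local"   # assumed address of the phone's own UI


@dataclass
class PhoneWebUI:
    username: str = "admin"
    password: str = "admin"                          # factory default until changed
    sessions: dict = field(default_factory=dict)     # session token -> CSRF token

    def credentials_are_weak(self) -> bool:
        return ((self.username, self.password) in DEFAULT_CREDENTIALS
                or len(self.password) < MIN_PASSWORD_LENGTH)

    def login(self, user: str, pw: str):
        # Constant-time comparison; returns a session token or None.
        if not (hmac.compare_digest(user, self.username)
                and hmac.compare_digest(pw, self.password)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = secrets.token_hex(16)  # fresh CSRF token per session
        return token

    def set_password(self, token: str, new_pw: str) -> str:
        if token not in self.sessions:
            return "401 login required"
        if (len(new_pw) < MIN_PASSWORD_LENGTH
                or (self.username, new_pw) in DEFAULT_CREDENTIALS):
            return "400 password too weak"
        self.password = new_pw
        return "200 password changed"

    def dial(self, token: str, number: str, csrf: str, origin: str) -> str:
        # Order matters: the weak-credential gate blocks dialing even for a
        # legitimately logged-in user, so the feature cannot be used before setup.
        if token not in self.sessions:
            return "401 login required"
        if self.credentials_are_weak():
            return "403 dialing disabled until the default password is changed"
        if origin != TRUSTED_ORIGIN:
            return "403 cross-site request rejected"
        if not hmac.compare_digest(csrf, self.sessions[token]):
            return "403 bad CSRF token"
        return f"200 dialing {number}"
```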