Researchers have uncovered a simple method for compromising some common VOIP phones, enabling them to listen to victims’ calls covertly or use the phones to make expensive or fraudulent calls.
The attack takes advantage of the fact that the affected phones don’t have any authentication set up by default, but do have a vulnerability that is open to remote exploitation. A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack. Paul Moore, a security consultant in the U.K., detailed the problem and demonstrated an attack on a Snom 320, a popular VOIP phone.
Users set up their phones by connecting to them through a browser, and Moore and his colleagues showed that by exploiting the vulnerability in the phone, they could eavesdrop on a victim’s supposedly private conversations.
“Simply by opening a malicious site (or a genuine site containing the malicious payload), the attacker has complete control over our VoIP phone,” Moore wrote in an analysis of the attack.
In the demo, the victim browses to a malicious web site, where the exploit code launches and silently takes control of the phone. The attacker then uses the victim’s compromised phone to call his own phone and stays connected to the victim phone. The victim then makes a Skype call to a third party, and the attacker has the ability to listen to the entire call, unnoticed.
The attacker can use the phone to make, receive, and redirect calls, and also could upload new firmware to the device, Moore said. Someone with remote access to the VOIP phone also could make expensive calls to premium-rate numbers or use the line as a launching pad for fraud calls to the victim’s bank or other financial institutions.
“The term ‘covert surveillance’ is usually only associated with nation states, certain 3-letter agencies and those closed-minded individuals pushing the Investigatory Powers Bill (IPBill / Snoopers Charter),” Moore said.
“In this demonstration, the attacker has not only compromised your phone & privacy with just a browser, but you’ve paid him for the privilege!”
While Moore and his colleagues used the Snom 320 in their demo, Moore said he’s aware of similar exploits against other vendors’ VOIP phones, including Cisco.
Image from Flickr stream of Chris Potter.