VoIP Phone Vulnerable via Security Hole

By Dave Nixon

February 14, 2008

Researchers have revealed a serious vulnerability in the web interface used to manage a commonly found VoIP phone, SNOM Technology’s model 320.

Attackers need the IP address of the targeted phone to initiate the attack; once they have it, they can use a cross-site scripting method to compromise the phone’s built-in management interface, enabling a variety of undesirable behavior.

These include stealing or tampering with the phone logs and address book, calling third parties (while appearing to be located at the hacked handset), altering the phone’s text display, and even eavesdropping on conversations in the room in which the phone is located without the victim being aware of it. All calls made from the ‘phreaked’ handset would be at the owner’s expense.

The outfit that uncovered the issue, GNUCitizen, has published proof-of-concept code. German company SNOM has been told, a GNUCitizen spokesperson said, but the company had not responded or indicated a possible timescale for patching.

“By crafting an XSS-CSRF vector he/she can inject a persistent XSS into the address book. When the victim visits the phone book, the XSS worm is silently executed and the attacker gains total control over the interface and the actions that will be performed in the future. This also circumvents any protection mechanisms like VPN or comparable network layers,” the GNUCitizen blog claims.

“I’ve tried to patch the phone with the latest firmware but that didn’t work - the phone was temporarily disabled after the process and when it began responding again the firmware version was still the same.”

SNOM was asked for a statement but had not replied at the time of going to press.

GNUCitizen, which describes itself as an “ethical hacker outfit”, has some experience in exposing embarrassing bugs in hardware. Just last month, the group humbled the mighty BT by exposing an authentication flaw in the VoIP element of the BT Home Hub broadband gateway.

VoIP security tends to be overlooked because the technology has not yet achieved mainstream levels of adoption, but numerous experts have cautioned that it is in danger of turning the humble home or business telephone into a new class of vulnerable device.

It is no surprise that the sector is in the ascendancy. This week saw the formation of a new UK company, UM Labs, which aims to begin selling a range of security gateways to secure the VoIP traffic in and out of a network. The latest SNOM issue affects the device itself and would not automatically be protected by such systems. As in other areas of the tech industry, VoIP handset makers could find themselves needing to update and patch products, as do the makers of every other type of network equipment.
