[ISN] VoIP phone phreaked by security hole

From: InfoSec News (alerts@private)
Date: Tue Feb 12 2008 - 23:15:48 PST


http://www.techworld.com/security/news/index.cfm?newsID=11401

By John E. Dunn
Techworld
12 February 2008

Researchers have discovered a serious vulnerability in the web interface 
used to control a commonly-found VoIP phone, SNOM Technology's model 320 
[1].

Attackers need the IP address of the phone being targeted to start the 
attack, but assuming they have this they can use a cross-site scripting 
approach to hack the phone's built-in management interface, allowing a 
range of unwelcome activities.

These include stealing or tampering with phone logs and address book, 
calling third parties (while appearing to be located at the hacked 
handset), changing the phone's text display, and even monitoring 
conversations in the room in which the phone sits without the victim 
being aware that it is happening. Any calls made from the phreaked 
handset would be at the owner's expense.

The outfit that uncovered the issue, GNUCitizen [2], has posted 
proof-of-concept code. German company SNOM has been informed, a GNU 
spokesperson said, but the company had not responded or given an 
indication of a likely timescale for patching.

"By crafting an XSS-CSRF vector he/she can inject a persistent XSS into 
the address book. When the victim visits the phone book, the XSS worm is 
silently executed and the attacker gains total control over the 
interface and the actions that will be performed in the future. This 
also circumvents any protection mechanisms like VPN or comparable 
network layers," the GNU Citizen blog claims.

"I've tried to patch the phone with the latest firmware but that didn't 
work - the phone was temporarily disabled after the process and when it 
began responding again the firmware version was still the same." SNOM was 
asked for comment but had not replied at the time of going to press.

GNUCitizen, which describes itself as an ethical hacker outfit, has some 
form in finding embarrassing bugs in hardware. Only last month, the 
group humbled the mighty BT by finding an authentication hole [3] in the 
VoIP element of the BT Home Hub broadband gateway.

VoIP security tends to be ignored because it has yet to reach mainstream 
levels of penetration, but many experts have warned that the technology 
is in danger of turning the humble home or business telephone into a new 
class of vulnerable device.

No surprise that the sector is on the rise. This week saw the creation 
of a new UK company, UM Labs [4], which plans to start selling a range 
of security gateways to secure the VoIP traffic in and out of a network. 
The latest SNOM issue affects the device itself and would not 
necessarily be protected by such systems. As with other areas of the 
tech industry, VoIP handset makers could find themselves having to 
update and patch products as do the makers of every other type of 
network equipment.

[1] http://www.snom.com/en/snom320_voip_phone0.html
[2] http://www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/
[3] http://www.techworld.com/security/news/index.cfm?newsid=11186
[4] http://www.techworld.com/security/news/index.cfm?newsid=11383

