http://www.techworld.com/security/news/index.cfm?newsID=11401
By John E. Dunn
Techworld
12 February 2008
Researchers have discovered a serious vulnerability in the web interface
used to control a commonly-found VoIP phone, SNOM Technology's model 320
[1].
Attackers need the IP address of the phone being targeted to start the
attack, but assuming they have this they can use a cross-site scripting
approach to hack the phones built-in management interface, allowing a
range of unwelcome activities.
These include stealing or tampering with phone logs and address book,
calling third parties (while appearing to be located at the hacked
handset), changing the phones text display, and even monitoring
conversations in the room in which the phone sits without the victim
being aware that it is happening. Any calls made from the phreaked
handset would be at the owners expense.
The outfit that uncovered the issue GNUCitizen [2] has posted
proof-of-concept code. German company SNOM has been informed, a GNU
spokesperson said, but the company had not responded or given an
indication of a likely timescale for patching.
By crafting a XSS-CSRF vector he/she can inject a persistent XSS into
the address book. When the victim visits the phone book, the XSS worm is
silently executed and the attacker gains a total control over the
interface and the actions that will be performed in the future. This
also circumvents any protection mechanisms like VPN or comparable
network layers, the GNU Citizen blog claims.
Ive tried to patch the phone with the latest firmware but that didnt
work - the phone was temporarily disabled after the process and when it
began responding again the firmware version was still the same. SNOM was
asked for comment but had not replied at the time of going to press.
GNUCitizen, which describes itself as an ethical hacker outfit, has some
form in finding embarrassing bugs in hardware. Only last month, the
group humbled the mighty BT by finding an authentication hole [3] in the
VoIP element of the BT Home Hub broadband gateway.
VoIP security tends to be ignored because it has yet reach mainstream
levels of penetration, but many experts have warned that the technology
is in danger if turning the humble home or business telephone into a new
class of vulnerable device.
No surprise that the sector is in the rise. This week saw the creation
of a new UK company, UM Labs [4], which plans to start selling a range
of security gateways to secure the VoIP traffic in and out of a network.
The latest SNOM issue affects the device itself and would not
necessarily be protected by such systems. As with other areas of the
tech industry, VoIP handset makers could find themselves having to
update and patch products as do the makers of every other type of
network equipment.
[1] http://www.snom.com/en/snom320_voip_phone0.html
[2] http://www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/
[3] http://www.techworld.com/security/news/index.cfm?newsid=11186
[4] http://www.techworld.com/security/news/index.cfm?newsid=11383
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
Comments