
Hackers ‘Making Millions’ From Breached Enterprise VoIP Telephones

Security researchers have warned that the Internet telephony handsets used in many enterprises are open to attack by web-borne hackers, who are making “millions” by using hijacked phones to dial premium-rate numbers.

To underscore the severity of the problem, security researchers Paul Moore, Per Thorsheim and Scott Helme published a demonstration in which malware encountered on a web page immediately takes over a Voice-over-Internet Protocol (VoIP) handset and causes it to dial a premium-rate number – all the while listening in to conversations being held near the device’s microphone.

Phone compromise

“The attacker has not only compromised your phone and privacy with just a browser, but you’ve paid him for the privilege,” Moore wrote in an advisory.

The hack demonstrated by Moore uses what’s known as a drive-by attack, where malicious code found on a website, for instance in an advertisement, infects a system when the user views the page. To take control of the telephone itself, however, no attack was needed – Moore found that in its default state, the Snom 320 device didn’t require any authentication.

“Simply by opening a malicious site (or a genuine site containing the malicious payload), the attacker has complete control over our VoIP phone,” Moore wrote.

The demonstration is intended in part to alert system administrators to the fact that such devices, while made by reputable companies and usually protected by a corporate firewall, are nevertheless just as vulnerable to attack as any computer, Moore said.

He found that organisations installing such devices all too often leave devices in their default state, while phone manufacturers, for their part, often don’t require passwords to be changed and may accept weak passwords containing, for instance, a single digit.

Snom said that the device used in Moore’s demonstration was an older unit, dating from 2008, and that currently Snom telephones by default run a visual warning until a password is set.
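The default-state problem Moore describes (an administrative web interface that answers without any credential check) is easy to audit across a fleet once you have an inventory of handset addresses. The script below is an added example for this article, not Moore's code and not anything published by Snom; it assumes the hosts come from an operator-supplied list, that the management interface is plain HTTP on port 80, and that the landing page is `/` (all constructed assumptions). It sends one unauthenticated GET per handset, does not follow redirects, and classifies the reply: a 401/403 or a `WWW-Authenticate` header means the phone challenged us, a 200 containing a password field means a login form, and a 200 with no challenge and no password field is the exposed state the article warns about.

```python
"""Inventory audit: does each VoIP handset's web interface demand credentials?

Added example for the article above; not Paul Moore's code and not Snom's.
Constructed assumptions: hosts come from a list you supply on the command
line, the management UI is plain HTTP on port 80, and its landing page is '/'.
"""
import http.client
import re
import sys
from typing import Dict, Iterable, Optional, Tuple

EXPOSED = "exposed"              # page served with no challenge and no login form
PROTECTED = "protected"          # 401/403 or an explicit WWW-Authenticate challenge
LOGIN_FORM = "login-form"        # 200, but the page itself is a password prompt
LOGIN_REDIRECT = "login-redirect"  # 3xx pointing at something called login
UNREACHABLE = "unreachable"      # no HTTP reply at all (down, filtered, not HTTP)
UNKNOWN = "unknown"              # anything else; inspect by hand

# Matches <input type="password"> in any quoting style, case-insensitively.
PASSWORD_FIELD = re.compile(rb'type\s*=\s*["\']?password', re.IGNORECASE)


def classify(status: Optional[int], headers: Dict[str, str], body: bytes = b"") -> str:
    """Interpret the reply to an unauthenticated GET. status None means no reply."""
    if status is None:
        return UNREACHABLE
    lower = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407) or "www-authenticate" in lower:
        return PROTECTED
    if status == 403:
        return PROTECTED
    if status in (301, 302, 303, 307, 308):
        target = lower.get("location", "").lower()
        return LOGIN_REDIRECT if "login" in target else UNKNOWN
    if status == 200:
        return LOGIN_FORM if PASSWORD_FIELD.search(body) else EXPOSED
    return UNKNOWN


def fetch(host: str, port: int = 80, path: str = "/",
          timeout: float = 3.0) -> Tuple[Optional[int], Dict[str, str], bytes]:
    """One unauthenticated GET. http.client does not follow redirects, so the
    status we see is the device's real first answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "voip-auth-audit"})
        resp = conn.getresponse()
        body = resp.read(65536)  # enough to spot a login form; no need for more
        return resp.status, dict(resp.getheaders()), body
    except (OSError, http.client.HTTPException):
        return None, {}, b""
    finally:
        conn.close()


def audit(hosts: Iterable[str], **kwargs) -> Dict[str, str]:
    """Map each handset address to its verdict."""
    return {host: classify(*fetch(host, **kwargs)) for host in hosts}


if __name__ == "__main__":
    # Usage: python voip_auth_audit.py 10.0.10.21 10.0.10.22 ...
    results = audit(sys.argv[1:])
    for host, verdict in results.items():
        print(f"{host}: {verdict}")
    # Non-zero exit if any handset serves its admin UI without a challenge.
    sys.exit(1 if EXPOSED in results.values() else 0)
```

A `login-form` or `login-redirect` verdict only says the device asks for a password; it says nothing about whether that password is still the factory default or a single digit, which is the other half of Moore's complaint and has to be checked against your own configuration records.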

‘No default security’

“Many companies ship devices which have no ‘default’ security… or permit the use of weak credentials which provide nothing more than a false sense of security,” Moore wrote.

“If you install, use or just find yourself sat next to one of these devices, just remember… it’s basically a PC, with all the security vulnerabilities associated with them. Don’t assume it’s safe because it’s running as the manufacturer intended; seek professional advice.”

Internet-connected VoIP handsets using default settings can be found simply by entering the right search terms in Google, or by using search services such as Shodan that specifically target Internet-connected devices, according to Professor Alan Woodward, a security expert at the University of Surrey.

And even if users do take basic security precautions, VoIP phones may still represent a weak link in an organisation’s security, due to the fact that, like most Internet-connected devices, they are easier to hack and more difficult to update than full-blown computer systems, Woodward said.

Making ‘millions’

“It runs Unix, so it is possible to attack it just like any other computer,” Woodward wrote in an advisory. “Often they are building to a price point and security is not at the front of their minds. This is compounded by the added difficulty of updating embedded software when a problem is found.”

He told the BBC that attackers are using premium-rate scams such as those demonstrated by Moore to make “millions”.

Woodward cited a report by Nettitude last year that found the UK was particularly badly affected by such scams.

Moore advised using strong passwords, segregating phones from the network used by Internet-connected computers, and regular updates to phone firmware.

Security researchers recently warned that Internet-connected devices such as security cameras are often left using default login credentials, and as a result have been taken over en masse and implanted with malware.


Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDNet and other leading publications.

Comments

  • Simple solution to the premium rate problem - make the phone companies responsible for any fraudulent charges, they then might take better care in screening before issuing premium rate numbers.
