Monday, February 15, 2016

Your VoIP phone may be spying on you...

A simple exploit has been discovered that allows an attacker to leverage the weak default passwords of a Voice over IP (VoIP) phone in order to eavesdrop on conversations.

Security consultant Paul Moore writes on his website that he first came up with the idea when he was asked to observe a company's installation of several wireless access points and VoIP phones as well as provide recommendations on how to harden the access points' security.

Despite the fact that the organization was fitting enterprise-grade Cisco, Snom and Ubiquiti UniFi equipment, the personnel with whom Moore was working agreed that there was no immediate need to change the VoIP phones' default credentials.

"We'll just use defaults, for now," Moore quotes them to have said. "That password will do, for now."

It was then that the security consultant decided to see just how insecure a VoIP phone's default settings are.

Little did he know what surprise lay in store.

No comments: