Snom VoIP phone can become a covert spy tool… Not at Improcom!

Your VoIP phones are safe here at Improcom, despite new security research showing vulnerabilities in default passwords.

We all know how important passwords can be. We are told to create a unique one for every website, use a combination of letters and numbers that you will surely forget, and then use a complicated password hint, such as your favorite movie from 2003, that you will spend a few hours sometime in the next couple of weeks trying to re-guess. Alas, it is something we have to make do with to ensure that we are not compromised by unscrupulous individuals who prey on the internet. So why is new research coming out about voice-over-internet-protocol (VoIP) vulnerabilities, with article titles ‘VoIP phone can become a covert spy tool’ via The Register and even ‘Hack lets phones “eavesdrop and make premium calls”’ via the BBC? Well, because the internet is scary, and if you are using a VoIP provider that does not value security you may be at risk. Here at Improcom, default passwords do not exist. Improcom does not use default passwords on ANY devices, so you can rest assured that your phones are secure.

the Snom 320 VoIP phone (which we do not carry at Improcom) … opted to place a tiny “HTTP password not set” warning at the top of the configuration screen. That’d be fine if it forced you to set a password during the setup process, but it doesn’t. To make matters worse, it’s only too happy to accept a single character/number password too. via Paul Reviews [Source]

It appears the vulnerability here lies in using outdated firmware on a Snom phone, which actually bypasses any firewalls to allow a remote hijack. Your phone does not notify you of any suspicious activity, but if you look at the video below, you will see that the phone actually dials with no one touching it. Once the phone is compromised, it is possible to eavesdrop on conversations and make premium calls on someone else’s line.
The lesson here: make sure to set up all your devices securely. Yes, that means do not leave your router’s default login and password as admin/admin – that is not secure, and it opens your business to vulnerabilities.

The problem does not affect all VoIP phones; in fact, this research applies only to Snom model phones, and only when default passwords are used.