Comments on: Total surveillance made easy with VoIP phones

By: reid

reid — Sat, 31 Oct 2009 03:20:07 +0000

okay so this is probably a bit old, but I found it amusing anyway. We use snom phones internally and also for a hosted voip solution. I was looking for a phone on our LAN and (stupid) decided to do a quick port scan for it.

nmap 5.0 running service scan (-sV) option against a snom phone may cause the phone to reboot. I can do this on snom v7.1.33 and 7.1.39. Foudn it out this afternoon so i’m still raising a ticket with Snom.

i’ve run earlier versions of nmap previously and it doesn’t cause this kind of error. highly amusing to know i can jump on someone’s LAN and cause all their phones to reboot.

By: Heuristic Delta :: Top 70 Hacking Methods :: http://blogs.heuristicdelta.com

Heuristic Delta :: Top 70 Hacking Methods :: http://blogs.heuristicdelta.com — Wed, 25 Feb 2009 07:57:37 +0000

[...] Total surveillance made easy with VoIP phone [...]

By: etd

etd — Sun, 11 Jan 2009 00:19:13 +0000

Don’t know if you’re aware, but this article made it’s way into the “News Briefs” section of IEEE’s Security & Privacy (March/April 2008) :)

good job

By: Security Issue on Snom Phones | VoIP MoVoIP Blog

Security Issue on Snom Phones | VoIP MoVoIP Blog — Wed, 07 May 2008 15:09:19 +0000

[...] Read their post here [...]

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sun, 04 May 2008 01:33:42 +0000

@Jonas: forgot to add that this is NOT my research, but Mario’s (as shown in the post). Therefore, I suggest you to contact him directly if you have any more specific questions.

Also, thanks a lot for your feedback. It’s always a very good habit to question everything you read.

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sun, 04 May 2008 01:31:49 +0000

Hi Jonas,

It appears that if you set a password you can resolve the unauthorized POST “initiate call” request issue: http://blog.tmcnet.com/blog/to.....solved.asp

Careful: no password is set by default!

By: Jonas

Jonas — Tue, 29 Apr 2008 08:28:07 +0000

Adrian: I’m not sure what you mean by starting a conversation, but I mean the POST request that initiates a call, normally called through the web interface.

I wouldn’t have asked if your proof of concept worked. I have tried it on several models on Snom phones, including the 320.

Snom did not confirm the vulnerabilities by the way. Did you read their security announcement? I read CVE-2008-1248, which gave me the impression that a manufacturer was trying to downplay a security issue which is why I came here to find the truth.

But now I suspect that there was no issue to begin with..?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 23 Apr 2008 10:44:40 +0000

@Jonas: it’s not just any POST request, it has to be the request that starts a conversation. Just use the PoC (proof of concept): http://www.gnucitizen.org/blog.....s/snom.htm

Sorry, but we can’t make it easier than that. Keep in mind that .mario tested the attacks on Snom 32x and by the way, all the vulnerabilities were confirmed by Snom, so you can bet this IS a real issue.

Also remember that stealing calls and eavesdropping the room where the phone is located are not the only vulnerabilities found by .mario.

As I said, connecting these phones directly to the internet is asking to get pwned!

By: Jonas

Jonas — Tue, 22 Apr 2008 20:45:36 +0000

Adrian: Thank you for your reply. It does not help me however. If I just POST the data to the phone it replies with “unauthorized”, obviously, as I did not send the required HTTP authentication.

Apparently there is something else to this. Can somebody PLEASE speak up on this! I just need to know this is actually an issue. I can’t start limiting access to phones based on nothing.

Can you just show a dump on a working request, or anything at all that can convince me this works?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 09 Apr 2008 09:57:04 +0000

@Jonas: put it this way, if the attacker can talk to the Snom’s IP phone web server (as in the case of Internet-visible phones), then he can make the phone start any VoIP calls WITHOUT a password. This is because the CGI script that handles such POST requests is publicly available (can be talked to, without a password).

Quoted from .mario’s post, some possible attacks include:

“monitoring the victim by making a phone call to the attackerâ€™s number, who in tern will accept the call and recording the incoming sound. Note that the phone doesnâ€™t give any noticeable feedback (ring tones, etc) while the victim was kept under surveillance. Keep in mind that the victim pays for the call.”

If I were you I would restrict access to such phones from the LAN only *immediately*.

By: Jonas

Jonas — Wed, 09 Apr 2008 09:29:33 +0000

Ok, I’ve got a bunch of these on public IPs. Am I in trouble?

This article clearly states that if the IP is known an attacker can hijack the phone. Snom says otherwise; only if you have failed to set a password on it (obviously). I came here from the Snom security announcement which downplays this attack. This worries me gravely.

On the other hand this article is light on details. The only code is how to make calls once you’re in, which would be unrelated to the actual attack.

Now that the manufacturer has responded, can you please publish more information so we can properly determine if we are at risk?

By: Voice of VOIPSA » Blog Archive » Snom Security - A Positive Vendor Response Case Study

Tue, 01 Apr 2008 17:55:20 +0000

[...] vulnerabilities posted were also picked up by Tom Keating’s blog. Gnucitizen posted a webpage detailing the vulnerabilities as well, and the vendor response has been very good, with the [...]

By: Sipera VIPER Lab » Blog Archive » Don’t ignore the classic attacks when securing VoIP

Fri, 14 Mar 2008 16:06:33 +0000

[...] on a VoIP phone by exploiting some of the most common web application vulnerabilities such as cross-site scripting and SQL injection. As a result, an attacker can steal phone records and other confidential data or [...]

By: Sipera VIPER Lab » Blog Archive » VoIP security- where do we go from here?

Wed, 12 Mar 2008 15:08:59 +0000

[...] are several references to the real-world VoIP attacks and exploits in my previous blog post such as unauthorized surveillance, VLAN hopping, and the milw0rm exploits database. These published and possibly many more [...]

By: .mario

.mario — Wed, 05 Mar 2008 21:39:50 +0000

I just returned from CeBIT in Hannover, Germany where I was invited to a event organized by snom due to this exact article and it was pretty interesting.

Peter Cox was there and other very interesting people to talk to. I had pretty good discussions with the developers of the snom web interface and I got a preview on the new phone firmware. It definite has been improved a lot and I got a phone for my private lab to test for more issues.

So my impression of this day is a good thumbs up to snom – let’s see what can be found in the most recent firmware ;)

By: J4zen

J4zen — Wed, 05 Mar 2008 14:23:19 +0000

Nice writeup, i’ve actually stumbled upon this myself during the last year or so while working with SNOM320′s. They indeed do have a large number of vulnerabilities BUT, the firmware is open source(not many people know this). Thus you could go fix it yourself if you do stumble upon a bug that needs immediate attention.

Also it might be worth mentioning, a lot of VOIP-platforms are ran on a popular piece of software called Asterisk(or distros using Asterisk such as FreePBX/CentPBX/Elastix/Trixbox/etc).

You’d be amazed exactly how many vulnerabilities are in their software that can easely result in bankruptcy.

By: Sipera VIPER Lab » Blog Archive » VoIP Exploits in-the-wild

Sipera VIPER Lab » Blog Archive » VoIP Exploits in-the-wild — Mon, 03 Mar 2008 17:25:40 +0000

[...] make news. Some of them are â€œrealâ€ attacks on â€œrealâ€ networks with â€œrealâ€ damage (e.g., this, this, this, and this) which further proves that VoIP exploits are happening. If the media is [...]

By: reid

reid — Thu, 21 Feb 2008 23:11:11 +0000

Sorry, a bit of a distraction but I was doing a bit more googling, it’s disturbing what you can come up with by a simple inurl: search on google (the /img/logo2.gif doesn’t pop up anything so I was trying a couple others)

Are you guys doing anything as far as seeing what data can be mined from the SIP traces (also available w/out admin rights on the phone)? The reason I ask is that I haven’t done much personally on going through the SIP traces trying to figure out if it’s possible to grab version and vulnerability info on the SIP server, proxy, SBC, whatever the phone is registering to.

so consider, by getting to the phonoe itself I can draw out application version info and hardware specific info (MAC, etc.) on the specific phone as well call history, possibly SIP credentials. Flip that around, what if I can draw out information about the proxy or registrar common to ALL phones within a business and find an attack vector? Goes a little beyond a simple XSS attack I think but something maybe worth looking into. Would also potentially be much a much wider attack surface for MITM and spearphishing attacks. Alright, I’m going to stop the use of jargon and acronyms now because it’s begining to annoy even me.

By: Snom XML Contest -- Daily Asterisk

Snom XML Contest -- Daily Asterisk — Mon, 18 Feb 2008 08:08:09 +0000

[...] degli ottimi telefoni, certo, di recente sono state scoperte alcune nuove falle di sicurezza da GNUCitizen riguardanti l’interfaccia di amministrazione, tuttavia c’e’ da dire che alcuni [...]

By: Think! - Blog Rahlfs + Ross Multimedia - Themen Web, Open Source Software, CRM, TYPO3 » VoIP zum MithÃ¶ren…

Fri, 15 Feb 2008 15:53:22 +0000

[...] VoIP selbst bietet einem potentiellen Lauscher eine Reihe von Angriffsvektoren. Hacker .mario von GNUCitizen. berichtet beispielsweise jüngst von einer Sicherheitslücke im Webinterface des [...]