Researchers find serious security flaws in some VoIP telephones
Security researchers at the Fraunhofer Institute for Secure Information Technology in Germany have found a total of 40 vulnerabilities in Voice Over IP (VoIP) telephones. Some were very serious.
Attackers can misuse these gaps to intercept calls, deactivate the telephone, or gain further access to the company network via weak points in the device. The good news right up front is that the makers of the VoIP telephones studied have been alerted and have since closed these vulnerabilities. Users are nonetheless strongly encouraged to install the available firmware updates for their devices.
As more and more devices are connected to the Internet of Things, studies such as this provide valuable security reminders to manufacturers and users alike.
Phone systems from makers Alcatel-Lucent, AudioCodes, and Unify were among those studied and tested.
The security experts at Fraunhofer SIT tested a total of 33 VoIP telephone devices from 25 different manufacturers for flaws and vulnerabilities. They examined the devices' web-based user interfaces, which administrators can use to configure the phones. Even the security experts were surprised by the results.
"We didn't expect to find so many critical gaps, because these devices have been on the market for a long time and they should have been tested and secure," said Stephan Huber, one of the researchers involved in the study.
One type of vulnerability was so severe that the security researchers were able to gain complete administrative control over the VoIP phone system.
"This is a total security failure," said scientist Philipp Roskosch, who was involved in the investigation as well.
Attackers could also use this means of entry to manipulate other devices in the same network, such as other VoIP telephones, computers, or production machines. This attack was possible with seven devices.
Another attack scenario was a denial-of-service attack that took VoIP phones out of action. This can prove particularly damaging to businesses that have customer hotlines, including banks and insurance companies -- or even first-responder, 911-type services.
The security researchers informed all the manufacturers of the VoIP telephones investigated about the vulnerabilities found; they all reacted and closed the gaps. The Fraunhofer SIT experts therefore advise all users to keep their own devices up to date and to pay attention to updates for their device firmware.
Further technical details on the vulnerabilities can be found at www.sit.fraunhofer.de/cve. The researchers presented the results of their investigations at DEFCON, one of the world's largest hacker conferences, in August.
Source: Fraunhofer SIT
Published September 2019