Alarming as this may sound, enterprise-grade VoIP telephones are under constant cyber attack. Security researchers have raised concerns about Internet telephony handsets maintained by poor configuration practices and weak in-built security. If these reports are to be believed, hackers are making “millions” by hijacking enterprise-grade VoIP telephones to call premium rate numbers.
Security researchers also demonstrated the severity of the problem and the results were reported in Techweekeurope.co.uk:
“To underscore the severity of the problem, security researchers Paul Moore, Per Thorsheim and Scott Helme published a demonstration in which malware encountered on a web page immediately takes over a Voice-over-Internet Protocol (VoIP) handset and causes it to dial a premium-rate number – all the while listening in to conversations being held near the device’s microphone.”
Moore also stated on his personal webpage:
“The attacker has not only compromised your phone and privacy with just a browser, but you’ve paid him for the privilege.”
Some enterprises have reportedly used the default passwords on their VoIP telephones that have led hackers to them. Moore termed this type of attacks as a drive-by attack. In drive-by attacks, a malicious code is found within a website or an advertisement. This code attacks the system once the user views the page. At this point if the attack is made on a VoIP handset, which is using its default password, it will present zero-resistance during the attack.
As administrators, we need to understand the importance of securing our VoIP handsets.
The fact that these handsets are made by reputed firms and are protected by your company’s firewall isn’t enough to protect it from hacking. We think this is certainly an eye opener. Administrators should understand the importance of securing the VoIP telephony devices with strong passwords. Some manufacturers ship their VoIP devices without even a default security mechanism in place and others permit weak credentials. At this point, we must understand the need to immediately prevent unwanted exposure to cybercriminals, even if it means we need to look at bypassing the recommended default settings set by the handset manufacturer. It is always a good measure to contact a professional in this case.
In spite of taking all the necessary precautions to protect VoIP handsets from cyber attacks, they may still present a weak link to your organization. This is however, the case with any Internet-connected device.
Expert advice states the importance of using strong passwords, segregating VoIP telephony devices used by Internet-connected computers and installing regular updates to phone firmware. Remember not to leave your Internet-connected devices further exposed to cyber threats than it may already be.