VoIP Phones Could Expose Data to Hackers
A new report from Fraunhofer Institute reveals VoIP telephone vulnerabilities.
Note: TDWI’s editors carefully choose vendor-issued press releases about new or upgraded products and services. We have edited and/or condensed this release to highlight key features but make no claims as to the accuracy of the vendor's statements.
New tests from Fraunhofer Institute for Secure Information Technology reveal that hackers can access sensitive data and services via VoIP telephones.
Most companies use VoIP telephones that are integrated into the company network. Security researchers at Fraunhofer SIT have found a total of 40 vulnerabilities, some of them serious, in these devices. Attackers can exploit these gaps to intercept calls, deactivate the telephone, or gain further access to the company network via weak points in the device.
The researchers presented the results of their investigations at DEFCON, an international hacker conference.
Fraunhofer SIT tested 33 VoIP telephone devices from 25 different manufacturers for flaws and vulnerabilities. They examined the devices' web-based user interfaces, which administrators can use to configure the phones. Even the security experts were surprised by the results. "We didn't expect to find so many critical gaps because these devices have been on the market for a long time and they should have been tested and secure," explains Stephan Huber, one of the researchers involved in the study.
One type of vulnerability was so severe that the security researchers were able to gain complete administrative control over the VoIP phone. "This is a total security failure," says scientist Philipp Roskosch, who was involved in the investigation. Attackers could also use this flaw to manipulate other devices in the same network, such as other VoIP telephones, computers, or production machines. This attack was possible with seven devices.
Another attack scenario was a denial-of-service attack that took VoIP phones out of action. For a business that runs a customer hotline, this can be damaging.
The security researchers informed all manufacturers of the VoIP telephones investigated about the vulnerabilities found; all responded and closed the gaps. Fraunhofer SIT’s experts advise all users to keep their own devices up to date and to pay attention to updates for the device firmware.
Further technical details on the VoIP telephones investigated and the gaps can be found at www.sit.fraunhofer.de/cve.