Voice over internet protocol (VoIP) gear from major vendors is not secure out of the box, experts warned at RSA Conference 2007 this week.
Default settings are the enemy that needs to be dealt with before turning up a VoIP system, according to David Endler, director of security research for TippingPoint, and Mark Collier, chief technology officer (CTO) of SecureLogix who presented their research on VOIP security at the conference. Both are members of the VoIP Security Alliance, an industry group trying to promote better VoIP security.
Leaving IP phone settings at default can lead to trouble because many phones have web servers included that can let hackers see valuable information. If these servers have access to the Internet, then Google indexes them. Hackers then direct their browsers at the VoIP devices and probe for data including the address of the VoIP server it is associated with, according to Endler.
Some of these servers have packet-capture as a feature so a compromised phone could bug itself. “That would let you download conversations off the device,” says Endler.
Vendors’ default voicemail answering messages are unique, so calling the system and listening to the message can tell hackers what brand IP phone system is being used and they can tailor their reconnaissance and attacks accordingly. Phones with default passwords pose even more of a threat, he said.
The remedy is to disable the web servers on phones, change passwords and record new voicemail greetings, Endler said.
Scans of firewalls can reveal open ports and tools available on the internet can map those to likely protocols and even vendors' implementations of those protocols.
VoIP-aware firewalls can close these ports efficiently so they are only open when they need to be to set up or carry calls, Collier said.