Security of VoIP Configuration (Web) Interfaces

ABOUT THE PROJECT

"Ring ring, who is there? I am controlling your VoIP phone!" – Have you ever thought about the security of the phone on your desk, and how hard it would be for an attacker to hijack your device?

After investigating this question, we can give you a worrisome answer.
Such devices are a very promising target for attackers who want to gain a foothold in your home or enterprise network. A quick internet scan revealed hundreds of vulnerable devices which can be compromised and might stay vulnerable forever due to unawareness and poor update mechanisms.

In this project, we analyzed and pentested 33 VoIP phones from 21 different manufacturers. Our analysis focused on the configuration and management interfaces of those devices, implemented as web applications running on the phones. The vulnerabilities we found fall into two categories: on the one hand, vulnerabilities in the web applications themselves; on the other hand, vulnerabilities in the web server hosting the web applications. We found many classical web-based vulnerabilities such as XSS or CSRF.

By digging deeper, we found session hijacking and missing input sanitization, which let us compromise half of the devices. Without proper input validation, system commands can be injected and executed in order to establish a root shell. This would allow an attacker to fully control the device remotely. She can eavesdrop on the whole communication (SIP, RDP) even if it is encrypted. The phone can also be used as a pivot point for further attacks into the enterprise network. The project showed that old vulnerability classes like memory corruption (buffer overflows) are still alive, especially in the context of IoT.
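The command-injection class described above typically arises where a web form field (for example the target of a "ping" diagnostic page) is pasted into a shell command string. The following is an added example written for this page, not code from the project or from any of the analyzed phones; the diagnostic feature, the function names and the sample inputs are all constructed. It shows the weak pattern as the string it would hand to a shell, next to a hardened variant that accepts only a strict hostname or IP literal and invokes the tool through an argument list, so shell metacharacters never reach an interpreter.

```python
import ipaddress
import re
import subprocess

# Constructed allow-list grammar for a target: RFC 1123 style labels (letters,
# digits, hyphens, no leading/trailing hyphen), dot separated, <= 253 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


class InvalidTarget(ValueError):
    """Raised when form input is not a plain hostname or IP address."""


def weak_build_command(user_input: str) -> str:
    # Weak pattern (the "before"): the raw field lands in a shell command
    # string. Anything a shell treats specially is interpreted, not pinged.
    return f"ping -c 1 {user_input}"


def validate_target(user_input: str) -> str:
    """Return a canonical hostname/IP, or raise InvalidTarget."""
    if not isinstance(user_input, str) or len(user_input) > 253:
        raise InvalidTarget("target missing or too long")
    value = user_input.strip()
    # Accept IPv4/IPv6 literals via the standard parser (canonicalises them).
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    # Otherwise require the strict hostname grammar; a label cannot start
    # with '-', so option-like values such as "-h" are rejected here too.
    if _HOSTNAME_RE.fullmatch(value):
        return value
    raise InvalidTarget(f"rejected target: {user_input!r}")


def build_ping_argv(user_input: str) -> list:
    """Hardened form: validated target, argv list, no shell involved."""
    target = validate_target(user_input)
    return ["ping", "-c", "1", "-W", "1", target]


def run_ping(user_input: str) -> str:
    # shell=False (the default): the list is passed to execve directly.
    argv = build_ping_argv(user_input)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: one benign target and one carrying a shell separator.
    for sample in ["phone-01.example.internal", "10.0.0.1; ls"]:
        print("weak string :", weak_build_command(sample))
        try:
            print("hardened    :", build_ping_argv(sample))
        except InvalidTarget as exc:
            print("hardened    : REJECTED ->", exc)
```

The point of the hardened version is that validation and execution are decoupled: `validate_target` is the single allow-list gate for the field, and `build_ping_argv` can only ever produce an argument vector whose last element passed that gate. Detecting the weak pattern in firmware review is usually a matter of searching for `system(`, `popen(` or `shell=True` reached from request parameters.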

All our findings were reported to the vendors and have been fixed, except on the Htek and Akuvox devices. Detailed vulnerability descriptions and advisories can be found on the CVE website (https://www.sit.fraunhofer.de/cve/).


PUBLICATIONS

I’m on your phone, listening – Attacking VoIP Configuration Interfaces
Stephan Huber, Philipp Roskosch
In: DEF CON 27, August 2019 (video, slides)

Dial V for Vulnerable: Attacking VoIP Phones
Philipp Roskosch, Stephan Huber
In: 44Con, London 2019 (video, slides)