Hackers could use VoIP phones to eavesdrop on you

Weak default passwords leave handsets vulnerable to attack

Hackers could listen in on you via your VoIP phone, security researchers have warned.

By using a simple exploit taking advantage of weak default passwords, attackers can hack your VoIP phone to make and receive calls, transfer calls without your knowledge and even spy on your in-person conversations.

Security expert Paul Moore discovered the flaw after consulting on the installation of several VoIP phones.

Advertisement - Article continues below

During the process, he noticed installers and IT professionals neglecting to change the default passwords, saying that they would do "for now".

"Of course, as soon as the device burst into life, it's on to the next one," he said. "At which point, 'now' becomes a distant memory, along with any thoughts of hardening the device for use in a commercial setting."

One major problem Moore highlighted was a lack of device-level authentication.

He noted that the equipment was from well-known and trusted industry names such as Cisco, Snom and Ubiquiti UniFi, but said that although these brands are often assumed to be secure when placed behind a firewall, this is not necessarily the case.

With the help of fellow security professionals Per Thorsheim and Scott Helme, he demonstrated how easy VoIP phones are to hack.

Moore reset a Snom 320 VoIP phone to its factory default settings, and the only thing the attacker needed to do in order to gain complete control of the device was to visit a site infected with a malicious payload.

Advertisement - Article continues below
Advertisement - Article continues below

Once infected, the hacker has complete control over the phone, allowing them to block incoming calls, silently call premium-rate numbers, and secretly listen in on a user's conversations.

Moore has called for manufacturers to take better care in securing their products before sending them out into the wild.

"Vendors," he said, "if you must supply devices with 'default' credentials, disable all other functionality until a suitably-secure password is set to replace it".

He also urged IT staff to be aware of the dangers posed by any internet-connected appliance.

"If you install, use or just find yourself sat next to one of these devices," he advised, "just remember... it's basically a PC, with all the security vulnerabilities associated with them."

"Don't assume it's safe because it's running as the manufacturer intended; seek professional advice."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

The road to recovery

30 Jun 2020