Flaws Plague VOIP Phones

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,373289,00.asp

By Dennis Fisher 
July 12, 2002 

Security researchers at @stake Inc. have found more than a dozen
vulnerabilities in one of the most popular lines of voice-over-IP
phones, some of which have consequences that reach well beyond just
the telephony infrastructure.

The researchers were able to gain remote administrative access to
Pingtel Corp.'s Xpressa SIP PX-1 phones, hijack calls to and from the
handsets, and perform several other attacks as a result of the flaws,
according to an advisory the firm released Friday.

The problems affect phones running versions 1.2.5 through 1.2.7.4 of
Pingtel's VxWorks software.

Pingtel, of Woburn, Mass., sells its Java-enabled handsets to both
service providers and enterprise customers.

The most serious of the vulnerabilities is the result of a combination
of two issues. The Xpressa phones ship without a password for the
administrator account, which carries an unchangeable username of
"admin." If the password is not set, an attacker with physical access
to the phone easily can set the password, giving himself
administrative access to the phone.

A remote attacker can perform this same task using the phone's Web
user management interface.

With that accomplished, the attacker can then remotely log in using
the phone's Telnet server. The Xpressa phone can then be used as "a
fully POSIX compliant network device with storage space, bandwidth and
a CPU," @stake's advisory says. POSIX is the generic name for a group
of IEEE standards known as Portable Operating System Interface for
Unix.

Having administrative access also gives an attacker the opportunity to
execute several other attacks. For example, an authenticated user can
alter the call forwarding settings on the phones to send all incoming
calls to another Session Initiation Protocol (SIP) URL or landline
phone number. Compounding this vulnerability is the fact that the
phones would not notify users of the diverted incoming calls.

@stake concentrated on the Pingtel phones because they're the market
leaders, but many of the same problems could likely be found in other
VoIP phones.

"I don't think a lot of people building these devices are looking at
the security implications of what they're doing," said Chris Wysopal,
director of research and development at @stake, based in Cambridge,
Mass. "These are not difficult attacks. It's just knowing where to
look. You don't have to write any special tools."

And because SIP is built on the IP protocol, the SIP-based VoIP phones
could also be susceptible to well-known IP attacks such as IP spoofing
or replay attacks.

An attacker with administrative access could also cause a
denial-of-service condition to an Xpressa phone by either changing the
SIP listening ports; requiring authentication of incoming calls, in
which case neither the caller nor the recipient is notified if the
authentication fails; or assigning a port of 0 to the Web server.

Also, because the Web user interface is only protected by
base64-encoded username and password pairs, anyone sniffing traffic
between the Web interface and a phone would be able to see the login
information in what is essentially clear text, @stake said.

In addition, there are several other operational issues that @stake
identified, including the fact that the phones' firmware can be
upgraded without administrative access.

Pingtel has posted to its Web site a document called "Best Practices
for Deploying Pingtel Phones," and has also written a detailed
response to all of the issues the researchers raised. The company also
recommends that customers upgrade to the 2.0.1 release of VxWorks,
which addresses some of the vulnerabilities.

Pingtel plans two more software updates this year that will fix the
remaining issues.

The full @stake advisory is available at
www.atstake.com/research/advisories/2002/.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.