Most companies use VoIP telephones that are integrated into their company network. The Fraunhofer SIT has now tested 33 VoIP telephone devices from 25 different manufacturers for flaws and vulnerabilities by examining the devices’ web-based user interfaces, through which administrators configure the phones. The result was alarming: a total of 40 vulnerabilities, some of them serious, were found through which attackers could gain access to sensitive data and services.
In seven VoIP phones, one particularly severe type of vulnerability even enabled the security researchers to gain complete administrative control over the device. “This is a total security failure,” says Philipp Roskosch of the Fraunhofer SIT. Attackers could also misuse this gap to manipulate other devices in the network, such as computers or production machines. Another attack scenario was a denial-of-service attack that puts VoIP telephones out of action. For customer hotlines, this can be extremely damaging to business.
The manufacturers of the VoIP telephones investigated were informed about the vulnerabilities found and have now closed the gaps. Users are strongly advised to install the relevant device firmware updates. Further technical details can be found at www.sit.fraunhofer.de/cve.