44CON 2019

More and more everyday objects become “smart” and get connected to the internet. VoIP phones are among the oldest class of smart devices. Despite new phones being constantly released, most of these devices contain cheap hardware components and badly programmed software. Their state of security is often questionable, or worse. We show that most phones suffer from serious security flaws that allow attackers to gain full control of these devices. Such hijacked devices not only allow the attacker to eavesdrop on all communication, but can serve as an entry point for further attacks to the internal networks they are connected to.

VoIP phones can be found on each enterprise desk, in critical infrastructure buildings, at home and other places where phone communication is required. Therefore, security flaws on such a device can have far-reaching consequences, especially when transmitting sensitive or private information. We present critical vulnerabilities and various classes of security flaws that allow an attacker to fully compromise the respective device. We were able to cause a denial of service, to eavesdrop on conversations, and to gain remote code execution on the phone.

In our investigation, we focused on the web-based user interface that most phones provide for configuration and management purposes. We present different test setups for analyzing the software running on those phones, including emulation and live debugging. Furthermore, we reveal strategies and tools for finding these flaws.

To complete the presentation, we compare our manually detected vulnerabilities to results of different automated firmware security analysis systems. As we show, automated scanners are unable to find most of these vulnerabilities and leave systems widely unprotected.