New VoIP Security Problem

Tom Keating alerted me to a new phone hack which, for now, targets SNOM IP phones.

The big hack involves the ability of some VoIP phones to place calls from the web interface using a simple web POST request. The Snom 32x supports this feature, which, along with some other security vulnerabilities, is what GNUCitizen exploited to have some real fun, like ya know, making an outbound call using a spoofed CallerID.

Hackers need the IP address of the targeted phone to launch the attack, but with a simple scanner to find it they can then use a cross-site scripting attack to hack the phone's built-in management interface.

Illegal stuff a hacker can do:

  • Steal the phone history from the logs, including any other details attached to the calls, via XHR.
  • Poison the address book with a persistent XSS - the name is encoded correctly but the phone number is not.
  • Inject a JavaScript worm to gain total control over the user by changing the visible output through an XHR-CSRF attack.
  • Change the settings of registered phones, including the text shown on the phone's display.

But the scariest problem is that a hacker can monitor the victim by making the phone call the attacker's number; the attacker accepts the call and records the incoming audio. Worst of all, the phone gives no noticeable feedback (ring tones, etc.) while the victim is under surveillance, and the victim pays for the call!

Over the years, the SNOM team has been quite innovative and their technology has always been solid. I would imagine the fix for this problem should be pretty easy to write and now they need to roll it out quickly to all the phones on the market.
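As an added illustration of the two weaknesses described above (a dial request honoured with no origin or token check, and an address-book number stored without encoding), here is a constructed Python model of a phone's web admin handler with the weak behaviour beside a hardened version. This is example code written for this post, not Snom firmware or GNUCitizen's work; the host address, the paths and the form field names are assumptions.

```python
import html
import re
import secrets

# Constructed model of an IP phone's web admin interface (not Snom firmware).
# The host, the paths ("/dial", "/addressbook") and form field names are assumptions.
class PhoneAdmin:
    def __init__(self, host="192.0.2.10"):
        self.host = host
        self.csrf_token = secrets.token_hex(16)  # per-session anti-CSRF token
        self.address_book = []                   # (name, number) as stored
        self.calls = []                          # outbound calls placed

    def weak_post(self, path, form):
        """Weak handler: any POST is honoured (CSRF), and the number is
        stored unescaped while the name is escaped (persistent XSS)."""
        if path == "/dial":
            self.calls.append(form["number"])
            return 200
        if path == "/addressbook":
            self.address_book.append((html.escape(form["name"]), form["number"]))
            return 200
        return 404

    def hardened_post(self, path, form, headers):
        """Hardened handler: same-origin check, anti-CSRF token,
        strict number validation, and both fields escaped."""
        if headers.get("Origin", "") != f"http://{self.host}":
            return 403                           # cross-site or missing Origin: fail closed
        if not secrets.compare_digest(form.get("csrf", ""), self.csrf_token):
            return 403                           # forged or replayed request
        number = form.get("number", "")
        if not re.fullmatch(r"\+?[0-9*#]{1,20}", number):
            return 400                           # markup cannot survive this check
        if path == "/dial":
            self.calls.append(number)
            return 200
        if path == "/addressbook":
            self.address_book.append((html.escape(form.get("name", "")), html.escape(number)))
            return 200
        return 404

def render_address_book(phone):
    """Render stored entries the way the admin page would, so a check can
    see whether injected markup would reach the browser."""
    rows = [f"<tr><td>{n}</td><td>{num}</td></tr>" for n, num in phone.address_book]
    return "<table>" + "".join(rows) + "</table>"
```

Run against the weak handler, markup in the number field survives rendering while the name is escaped; the hardened handler rejects cross-origin and tokenless dial requests outright and never stores a non-numeric number.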
About this Entry

This page contains a single entry by Rich Tehrani published on February 12, 2008 4:32 PM.