Voip Blog
Your VoIP Device May Be Hacked!
Monday, April 21, 2008
If you configure your own VoIP device, you might become the victim of having your VoIP device's configuration changed without your knowledge! This could lead to all kinds of untold information leakage or worse!
The problem isn't specific to VoIP devices; it affects anything that has a web interface. The problem is something called Cross-Site Request Forgery (CSRF). What is it? Quoting from the Cross-Site Request Forgery FAQ:
Cross Site Request Forgery (also known as XSRF, CSRF, and Cross Site Reference Forgery) works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific urls (Example: http://site/stocks?buy=100&stock=ebay) allowing specific actions to be performed when requested. If a user is logged into the site and an attacker tricks their browser into making a request to one of these task urls, then the task is performed and logged as the logged-in user. Typically an attacker will embed malicious HTML or JavaScript code into an email or website to request a specific ‘task url’ which executes without the user's knowledge, either directly or by utilizing a Cross-site Scripting Flaw. Injection via light markup languages such as BBCode is also entirely possible. These sorts of attacks are fairly difficult to detect, potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before were initiated by the user after the price plummeted.
What does this mean? It means that if you're like the typical home user, your VoIP device has a web interface that is configured either with no password at all or with a well-known default password. Under the right set of circumstances, your VoIP device may then be reconfigured without your knowledge!
What can you do? The easiest thing you can do is to pick a good, non-default password for your web interface. This will prevent any of these attacks from working.
If you’re a Firefox user, another thing you can do is download a copy of NoScript. NoScript disables JavaScript for web sites you don’t explicitly trust. In addition, NoScript has a number of XSS-related checks in it to thwart CSRF-related attacks on well-known websites.
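The advice above covers the user's side; the check below is the device-side counterpart. It is an added Python example, not code from this post or from any vendor, and it goes beyond the post by showing how a web interface can tell a forged "task URL" request from its own settings form. The request layout, the `sip_proxy` and `csrf_token` parameter names, and all addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-boot secret held by the device

def issue_token(session_id):
    """CSRF token tied to one login session; the device embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def naive_accepts(req):
    """'Task URL' handling as the FAQ describes it: a logged-in browser is enough."""
    return req["session"] is not None

def hardened_accepts(req):
    """Accept a configuration change only if it came from the device's own page."""
    if req["session"] is None:
        return False
    if req["method"] != "POST":                     # never change state on GET
        return False
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if source and urlsplit(source).netloc != req["headers"].get("Host"):
        return False                                # request was sent from another site
    sent = req["params"].get("csrf_token", "")
    expected = issue_token(req["session"])
    return hmac.compare_digest(sent.encode(), expected.encode())

# Constructed sample requests (192.0.2.10 is a documentation address).
SESSION = "constructed-session-id"
FORGED = {   # what the device sees when another site triggers the task URL
    "method": "GET", "session": SESSION,            # browser attaches the login itself
    "headers": {"Host": "192.0.2.10", "Referer": "http://other.example/page"},
    "params": {"sip_proxy": "sip.other.example"},
}
GENUINE = {  # the user submitting the device's own settings form
    "method": "POST", "session": SESSION,
    "headers": {"Host": "192.0.2.10", "Origin": "http://192.0.2.10"},
    "params": {"sip_proxy": "sip.provider.example", "csrf_token": issue_token(SESSION)},
}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "naive:", naive_accepts(req), "hardened:", hardened_accepts(req))
```

The token check is the part that matters most: a page on another site cannot read the device's form, so it cannot supply a valid `csrf_token` even when the browser attaches the login automatically.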