Security researchers at @stake Inc. have found more than a dozen vulnerabilities in one of the most popular lines of voice-over-IP phones, some of which have consequences that go beyond the telephony infrastructure.
The researchers gained remote administrative access to Pingtel Corp.s Xpressa SIP (Session Initiation Protocol) PX-1 phones, hijacked calls to and from the handsets, and performed several other attacks as a result of the flaws, according to an advisory the company released last week.
The problems affect phones running Versions 1.2.5 through 126.96.36.199 of Pingtels VxWorks software.
Pingtel, of Woburn, Mass., sells its Java-enabled handsets to service providers and enterprise customers.
The most serious of the vulnerabilities is the result of a combination of two problems, according to the security researchers. The Xpressa phones ship without a password for the administrator account, which carries an unchangeable user name of "admin." If the password is not set, an attacker with physical access to the phone can easily set the password, giving himself or herself administrative access to the phone.
A remote attacker can perform this same task using the phones Web user management interface.
With that accomplished, the attacker can remotely log in using the phones Telnet server. The Xpressa phone can then be used as "a fully POSIX-compliant network device with storage space, bandwidth and a CPU," @Stakes advisory says. Having administrative access also gives attackers the opportunity to execute several other attacks.
"I dont think a lot of people building these devices are looking at the security implications of what theyre doing," said Chris Wysopal, director of research and development at @Stake, in Cambridge, Mass. "These arent difficult attacks. Its just knowing where to look. You dont [need] special tools."
Pingtel posted to its Web site a document called "Best Practices for Deploying Pingtel Phones" and wrote a detailed response to all the issues the researchers raised. The company recommends that customers upgrade to the 2.0.1 release of VxWorks, which addresses some of the vulnerabilities. "The @Stake advisory was a ... fair assessment of our Xpressa IP phones for the most part," said Steven Guthrie, Pingtels marketing director. "It motivated us to be more explicit about administering the phones. It was valuable to have third-party review, which resulted in positive action on our part. ... Having the independent review by security experts was invaluable."