Flaws Plague VOIP Phones

@stake finds more than a dozen vulnerabilities in Pingtel's Xpressa SIP PX-1 phones.

Security researchers at @stake Inc. have found more than a dozen vulnerabilities in one of the most popular lines of voice-over-IP phones, some of which have consequences that reach well beyond just the telephony infrastructure.

The researchers were able to gain remote administrative access to Pingtel Corp.s Xpressa SIP PX-1 phones, hijack calls to and from the handsets, and perform several other attacks as a result of the flaws, according to an advisory the firm released Friday.

The problems affect phones running versions 1.2.5 through of Pingtels VxWorks software.

Pingtel, of Woburn, Mass., sells its Java-enabled handsets to both service providers and enterprise customers.

The most serious of the vulnerabilities is the result of a combination of two issues. The Xpressa phones ship without a password for the administrator account, which carries an unchangeable username of "admin." If the password is not set, an attacker with physical access to the phone easily can set the password, giving himself administrative access to the phone.

A remote attacker can perform this same task using the phones Web user management interface.

With that accomplished, the attacker can then remotely log in using the phones Telnet server. The Xpressa phone can then be used as "a fully POSIX compliant network device with storage space, bandwidth and a CPU," @stakes advisory says. POSIX is the generic name for a group of IEEE standards known as Portable Operating System Interface for Unix.

Having administrative access also gives an attacker the opportunity to execute several other attacks. For example, an authenticated user can alter the call forwarding settings on the phones to send all incoming calls to another Session Initiation Protocol (SIP) URL or landline phone number. Compounding this vulnerability is the fact that the phones would not notify users of the diverted incoming calls.

@stake concentrated on the Pingtel phones because theyre the market leaders, but many of the same problems could likely be found in other VoIP phones.

"I dont think a lot of people building these devices are looking at the security implications of what theyre doing," said Chris Wysopal, director of research and development at @stake, based in Cambridge, Mass. "These are not difficult attacks. Its just knowing where to look. You dont have to write any special tools."

And because SIP is built on the IP protocol, the SIP-based VoIP phones could also be susceptible to well-known IP attacks such as IP spoofing or replay attacks.

An attacker with administrative access could also cause a denial-of-service condition to an Xpressa phone by either changing the SIP listening ports; requiring authentication of incoming calls, in which case neither the caller nor the recipient is notified if the authentication fails; or assigning a port of 0 to the Web server.

Also, because the Web user interface is only protected by base64-encoded username and password pairs, anyone sniffing traffic between the Web interface and a phone would be able to see the login information in what is essentially clear text, @stake said.

In addition, there are several other operational issues that @stake identified, including the fact that the phones firmware can be upgraded without administrative access.

Pingtel has posted to its Web site a document called "Best Practices for Deploying Pingtel Phones," and has also written a detailed response to all of the issues the researchers raised. The company also recommends that customers upgrade to the 2.0.1 release of VxWorks, which addresses some of the vulnerabilities.

Pingtel plans two more software updates this year that will fix the remaining issues.

The full @stake advisory is available at www.atstake.com/research/advisories/2002/.