RSA: Default settings threaten VoIP security, experts warn

VoIP gear from major vendors can be made secure, but it doesn’t come out of the box that way, experts warned at RSA Conference 2007.

Default settings are the enemy that needs to be dealt with before turning up a VoIP system, according to David Endler, director of security research for TippingPoint, and Mark Collier, CTO of SecureLogix who presented their research on VoIP security at the conference. Both are members of the VoIP Security Alliance, an industry group trying to promote better VoIP security.

Leaving IP phone settings at default can lead to trouble because many phones have Web servers included that can let hackers see valuable information. If these servers have access to the Internet, then Google indexes them. Hackers then direct their browsers at the VoIP devices and probe for data including the address of the VoIP server it is associated with, according to Endler.

Some of these servers have packet-capture as a feature so a compromised phone could bug itself. “That would let you download conversations off the device,” says Endler.

Vendors’ default voicemail answering messages are unique, so calling the system and listening to the message can tell hackers what brand IP phone system is being used and they can tailor their reconnaissance and attacks accordingly. Phones with default passwords pose even more of a threat, he says.

The remedy is to disable the Web servers on phones, change passwords and record new voicemail greetings,

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now