Dial V for Vulnerable: Attacking VoIP Phones

Presented at 44CON 2019, Sept. 12, 2019, 1:30 p.m. (59 minutes)

More and more everyday objects become “smart” and get connected to the internet. VoIP phones are among the oldest class of smart devices. Despite new phones being constantly released, most of these devices contain cheap hardware components and badly programmed software. Their state of security is often questionable, or worse. We show that most phones suffer from serious security flaws that allow attackers to gain full control of these devices. Such hijacked devices not only allow the attacker to eavesdrop on all communication, but can also serve as an entry point for further attacks on the internal networks they are connected to. VoIP phones can be found on each enterprise desk, in critical infrastructure buildings, at home and other places where phone communication is required. Therefore, security flaws on such a device can have far-reaching consequences, especially when transmitting sensitive or private information. We present critical vulnerabilities and various classes of security flaws that allow an attacker to fully compromise the respective device. We were able to cause a denial of service, to eavesdrop on conversations, and to gain remote code execution on the phone. In our investigation, we focused on the web-based user interface that most phones provide for configuration and management purposes. We present different test setups for analyzing the software running on those phones, including emulation and live debugging. Furthermore, we reveal strategies and tools for finding these flaws. To complete the presentation, we compare our manually detected vulnerabilities to results of different automated firmware security analysis systems. As we show, automated scanners are unable to find most of these vulnerabilities and leave systems widely unprotected.

Presenters:

  • Stephan Huber
    Stephan is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He found different vulnerabilities in well-known Android applications and the AOSP. He has given talks at conferences like DEF CON, HITB, AppSec and VirusBulletin. In his spare time he enjoys teaching students Android hacking.
  • Philipp Roskosch
    Philipp is a security researcher in the Secure Software Engineering department at Fraunhofer SIT (Germany). His research interests center on static and dynamic security analysis in the area of mobile apps and IoT devices. Besides research, he is a penetration tester in the same field. In his spare time, he enjoys hacking as a member of TeamSIK.
