Another beautiful blog post by consider it:

Our response to the BBC snom VoIP Phone Article

Posted on 16 February 2016 at 9:11 am. Written by in IT Security

There’s an article on the BBC news website that popped up yesterday that took our interest. It states that a “hack” lets phones “eavesdrop and make premium calls”. This was obviously a great concern for us, as it named our primary vendor, snom, as the manufacturer whose phones were used in the research.

The article can be seen on the BBC website here: http://www.bbc.co.uk/news/technology-35579273

What we can’t understand is why the BBC chose to publish such a non-story. What this “security hack” boils down to is not changing the administration page password from the default. Yes, you heard right. The only security flaw is not setting an admin password for managing the settings on the phone.

In fact, set aside that they used old firmware to carry out their tests and perform that exact same test on firmware that isn’t old (and was only a beta release): the phone itself prompts you on the screen at every opportunity to set an admin password.

So really, if you’ve configured your VoIP phone for making and receiving calls and you haven’t bothered to set an admin password, more fool you.

Thankfully, all of the snom phones we provision for our clients have a secure password set on them prior to delivery on site. You can tell this is the case because a quick glance at the phone’s screen shows it isn’t constantly warning you that a password hasn’t been set.

So for this “hack” to work:

  1. You need to be running old firmware (by the way, when you go to download it from the snom site, it says “8.7.5.13 is a deprecated / unsupported version! Use at your own risk…”)
  2. You then need to provision your phone to make calls on a VoIP platform whilst neglecting to set an admin password
  3. You then need someone on your local network interested enough to take advantage of the fact you’ve done steps 1 and 2 who also wants to eavesdrop on you or make premium rate calls

VoIP is still an emerging technology and it’s such a shame that a business that’s meant to be at the forefront of technology has chosen to report on such a non-issue as this one. Compare it to setting up a new router for your internet connection without changing the default web admin password. It really is no different.

Lastly, just to touch on the Premium Calls part of their article where they suggest there could be toll fraud carried out (which is true), this isn’t the case on our Hosted VoIP Platform. Why? We block all premium rate numbers! :)