After my Snom VoIP phone hacked article, I received a response from snom indicating that the vulnerability had more to do with a user not setting a password on the IP phone than any sort of bug or vulnerability in the snom firmware itself. Well that's certainly good news. I guess users or IT administrators that don't set passwords on the IP phones have only themselves to blame if their phones are hacked. This direct from Snom... CVE-2008-1248:
Yes, you can send an HTTP-POST to the phone and let it dial a number. But you can protect your phone by setting a password. If you set a password then nobody can post an HTTP request to dial a number. The statement in the referred web site that Snom phone don't support passwords is wrong. You can set a password to protect your phone. And you should do it if your phone is connected to the Internet directly. Our next firmware release will warn the user that no password is set and that his phone is vulnerable. This is not a real vulnerability, so we can't say a particular firmware is affected, since you can avoid it by setting a password CVE-2008-1249:
Yes, this is possible right now when the flash plugin is enabled. But the flash plugin is not enabled by default in current firmwares. So a phone is not vulnerable unless you enable the flash plugin. But you can protect your phone by setting a password like for CVE-2008-1248. Our next firmware release will warn the user that no password is set and that his phone is vulnerable. Our release after the next will change the flash plugin so that this isn't possible any more. This is not a real vulnerability, so we can't say a particular firmware is affected, since you can avoid it by setting a password CVS-2008-1250:
Yes, Snom phone are vulnerable to cross-site request forgery (CSRF). All firmware up to V7.1.30 are affected. We have changed our web frontend. It uses tokens and html-encoding for values entered in input fields now. Our next firmware release will not be vulnerable to CSRF any more. CVS-2008-1251:
Yes, Snom phone are vulnerable to Cross-site scripting (XSS). All firmware up to V7.1.30 are affected. We have changed our web frontend. It uses tokens and html-encoding for values entered in input fields now. Our next firmware release will not be vulnerable to XSS any more. We also created a website:
http://www.snom.com/javascriptsecurity.html

Tags: hack, HTTP-POST, IP phones, Snom, VoIP, vulnerability

Related Entries
• snom VoIP phone hacked - Feb 12, 2008
• Asterisk Security Vulnerability in SIP Channel Driver - Jan 03, 2008
• No Skype for Apple iPhone - Jun 27, 2007
• XO Anywhere Enhanced Mobile Features - Apr 14, 2008
• Plantronics SupraPlus HW251N-USB Wideband Headset - Apr 11, 2008
• ISPBX Launches Asterisk appliances with CogoBlue Asterisk GUI - Apr 10, 2008
• PhoneFromHere.com & Digium Ink 5 Year Deal - Apr 09, 2008
• Packet8 Virtual Office Adds Salesforce.com VoIP Plugin - Apr 09, 2008
• C2Call - New browser-based Java VoIP app - Apr 03, 2008
• JAJAH Mobile VoIP client for the iPhone - Apr 02, 2008

Comments on this Entry: (Mike on Mar 31, 2008 12:41 PM) Yes, of course setting the password protects the phones from getting hacked. Its good to have passwords especially for the phones having snom VoIP. This should be done carefully. (Mike on Apr 1, 2008 11:24 AM) It is a necessary to set passwords to your IP because if not they can be hacked and we face lots of problems.