Lending some credence to the idea that VOIP hacking will increase in 2008 is the hacking of Cisco phones that occurred on a hotel network earlier this year (the exploit is described here. Cisco has now confirmed that this exploit is possible (Cisco's response is here.
Lending some credence to the idea that VOIP hacking will increase in 2008 is the hacking of Cisco phones that occurred on a hotel network earlier this year (the exploit is described here. Cisco has now confirmed that this exploit is possible (Cisco's response is here.In its response, Cisco notes 3 conditions that must be present for the attack to be possible:
* The internal web server of the IP phone must be enabled. The web server is enabled by default.
* The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
* The attacker must possess or obtain valid Extension Mobility authentication credentials.
* The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
* The attacker must possess or obtain valid Extension Mobility authentication credentials.
Not surprisingly, Jonathan Rosenbaum of Cisco addressed some of these issues, in more general terms, at Interop in New York last October. Jonathan specifically spoke to the issue of having Web servers on phones, and said, "You've got to treat it [the phone] as a computer that's been deployed out there."
I think that's the critical point: If exploits increase, it'll be in large part because the people who deploy VOIP networks and all of their component parts treat those parts as if they're exact equivalents to the TDM gear they replace. Functionally, there may not be much change--a fact that's occasioned some grumbling and given Unified Communications advocates a marketing opening--but as these exploits show, network elements like phones are, in fact, very different animals in the VOIP world than TDM.
