Phone provider eliminates vulnerability in its systems with the help of ICT security specialists

Rapperswil, August 13, 2009. A vulnerability in the VoIP telephones of the manufacturer snom was already reported last year. It was a cross-site request forgery (CSRF) flaw that allows attackers to change address book entries and call logs, as well as to listen in on conversations. Snom responded with measures to improve the protection of its products. Compass Security AG, an ICT security specialist, has since found and documented another gap in the system so that it could be fixed.

Cross-site request forgery allows an attacker to modify data in a web application without authorization and to gain full access to the device; this includes wiretapping conversations. To prevent the attack, snom had recommended defining a user name and password for the web interface.
Compass has, however, found that the authentication was not correctly implemented: by simple manipulation of the HTTP request it can be bypassed completely. An attacker can thus reach the web interface of the phone without knowing the password and take full control of it. Walter Sprenger, Managing Director of Compass Security AG in Switzerland, who discovered the vulnerability, explains: "Through this vulnerability, this Voice over IP phone becomes lawful interception for dummies." This means that all network traffic can be captured and conversations can be bugged. Sensitive data in the address book can be accessed, as can paid services. In addition, the SIP user name and password as well as the entire configuration of the phone can be viewed and changed. The attacker also gains the opportunity to redirect calls to another VoIP server and to carry out silent surveillance by activating the microphone.
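The two defects discussed above (a web interface that can be driven by forged cross-site requests, and authentication that does not hold for every request) are both addressed by the same pair of server-side checks. The following is an added example, not code from snom or Compass Security: a minimal request filter for an embedded-device web interface that authenticates every request before anything else, fails closed when no valid session is present, and requires a per-session synchronizer token on every state-changing request. The class, route and sample requests are constructed for illustration; the actual manipulation Compass found is not described in the release and is not modelled here.

```python
"""Added example (not snom's or Compass Security's code): a request filter for a
device web interface that enforces authentication on every request and a CSRF
synchronizer token on every state-changing request. All names, routes and
sample values are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

# HTTP methods that may change device state (address book, call logs, SIP config).
STATE_CHANGING = {"POST", "PUT", "DELETE"}


@dataclass
class Session:
    user: str
    # Random per-session token; a cross-site attacker cannot read it, so a
    # forged request from the victim's browser cannot include it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict


class DeviceWebInterface:
    def __init__(self, username, password):
        self._username = username
        self._password = password
        self._sessions = {}      # session id -> Session
        self._config = {}        # the "phone configuration" being protected

    def login(self, username, password):
        """Return a session id on success, None otherwise (constant-time compare)."""
        ok_user = hmac.compare_digest(username.encode(), self._username.encode())
        ok_pass = hmac.compare_digest(password.encode(), self._password.encode())
        if not (ok_user and ok_pass):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=username)
        return sid

    def csrf_token_for(self, sid):
        """Token the server embeds in its own forms for this session."""
        return self._sessions[sid].csrf_token

    def _session_from(self, req):
        # Look for a 'sid' cookie; any other shape of request has no session.
        for part in req.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid":
                return self._sessions.get(value)
        return None

    def handle(self, req):
        """Return (status, body). Checks run in a fixed order and fail closed."""
        # 1. Authentication first, for every method and every path. A request
        #    that carries no valid session is rejected, never passed through.
        session = self._session_from(req)
        if session is None:
            return 401, "authentication required"
        # 2. CSRF token for anything that changes state. Compared in constant time.
        if req.method in STATE_CHANGING:
            supplied = req.form.get("csrf_token", "")
            if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
                return 403, "invalid or missing CSRF token"
        return self._dispatch(req)

    def _dispatch(self, req):
        # A single constructed route: read or update the configuration store.
        if req.path != "/config":
            return 404, "not found"
        if req.method == "GET":
            return 200, dict(self._config)
        updates = {k: v for k, v in req.form.items() if k != "csrf_token"}
        self._config.update(updates)
        return 200, dict(self._config)


if __name__ == "__main__":
    iface = DeviceWebInterface("admin", "correct horse")
    sid = iface.login("admin", "correct horse")
    print(iface.handle(Request("POST", "/config", {}, {"sip_user": "x"})))
    print(iface.handle(Request("POST", "/config", {"Cookie": f"sid={sid}"},
                               {"sip_user": "x", "csrf_token": iface.csrf_token_for(sid)})))
```

The order of the checks matters: the session lookup is the first thing `handle` does and nothing downstream is reachable without it, so there is no code path on which a malformed or unexpected request skips authentication. The token check only applies to state-changing methods, which is why `GET` must never be used to modify the address book, call log or SIP settings.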
Security issue detected and eliminated

Compass promptly forwarded all findings to the manufacturer, where the vulnerability was already known. It had, however, not yet been resolved in all main firmware versions, and customers had not been informed. Snom was able to fix the vulnerability in the latest update and thus solve the problem. It is recommended to install at least firmware version 6.5.20, 7.1.39 or 7.3.14, or higher. Learn more about the security advisory at: en/downloads/advisories.html

Short portrait of Compass Security AG:

Compass Security AG was founded in 1999 with headquarters in Rapperswil (CH) and, as a European service provider, specializes in security assessments for the confidentiality, integrity and availability of corporate data. Using penetration testing, ethical hacking and reviews, Compass pre-emptively assesses ICT solutions with regard to security risks, tracks down existing vulnerabilities and supports their elimination. IT forensics experts enable the reconstruction and court-usable documentation of abuse cases by acquiring, examining and evaluating digital traces on digital systems. Hands-on workshops and training on IT security, as well as live hacking presentations to raise user awareness, round off the portfolio. Product neutrality and independence are essential elements of our corporate philosophy. The customer base consists of national and international clients of all sizes and from various industries. More information at:

Compass Security AG, P.O. Box 1628, Glärnischstrasse 7, CH-8640 Rapperswil, Tel.
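The firmware recommendation above names one minimum release per firmware branch (6.5.x, 7.1.x, 7.3.x). When checking a fleet of phones against it, the pitfall is a naive numeric comparison: a 7.2.x release is numerically above 7.1.39 but the advisory names no fixed release for that branch. The following is an added example, not part of the release or of snom's advisory, that triages a constructed inventory list branch by branch and flags versions the advisory does not cover instead of silently calling them patched. The assumption that the three versions are per-branch minimums, and the inventory lines, are mine.

```python
"""Added example (not from the press release or snom's advisory): branch-aware
check of reported firmware versions against the minimum fixed releases named
above. The per-branch interpretation of those releases and the inventory lines
are constructed assumptions for illustration."""

# Minimum fixed release per (major, minor) branch, as named in the release.
FIXED_IN = {
    (6, 5): (6, 5, 20),
    (7, 1): (7, 1, 39),
    (7, 3): (7, 3, 14),
}


def parse_version(text):
    """Turn 'major.minor.patch' into an int tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one reported version."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in FIXED_IN:
        # e.g. 7.0.x or 7.2.x: numerically between or above the named releases,
        # but the advisory names no fixed release for this branch. Flag it for
        # review against the vendor advisory rather than assuming it is patched.
        return "unknown-branch"
    return "fixed" if version >= FIXED_IN[branch] else "vulnerable"


# Constructed inventory: "<device name>,<firmware version reported by the phone>".
INVENTORY = """\
phone-01,7.1.39
phone-02,7.3.10
phone-03,6.5.20
phone-04,7.2.5
phone-05,7.1.40
phone-06,6.5.19
"""


def triage(inventory_csv):
    """Map each device name to its assessment; malformed versions are reported too."""
    result = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        name, _, version_text = line.partition(",")
        try:
            result[name] = assess(version_text)
        except ValueError:
            result[name] = "unparseable"
    return result


if __name__ == "__main__":
    for device, verdict in triage(INVENTORY).items():
        print(f"{device}: {verdict}")
```

Devices marked `vulnerable` need the firmware update; devices marked `unknown-branch` or `unparseable` need a manual check, because the advisory text gives no basis for calling them safe.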