Lack of Attention Could Plague VoIP Devices

Today, almost all administrators know they need to secure their networks to prevent leaking useful information and to avoid attacks. They can take steps as basic as disabling null sessions and enabling the firewall on Windows XP to prevent unauthorized access. However, there remain areas of security that are neglected.

Last week, I read some documents on Cisco’s IP phone model 7960 and found that the phone’s web interface gives up a lot of sensitive network information. Then I wondered whether I could find a Cisco IP phone publicly accessible by Google, so I ran a search to look for publically accessible web interfaces. Guess what, there were almost 10 publicly accessible Cisco IP phones listed. I followed these links to where I could get the firmware versions, and then I searched in vulnerability databases and found that at least one IP phone’s firmware was unpatched and contained some vulnerabilities. Also, the information on Google leaked some sensitive information–such as IP addresses of the TFTP server/router/DNS server/DHCP server/Cisco Call Manager, as well as some application links, internal device configuration, and debugging information. If there are any exploitable vulnerabilities in one of these linked servers, attackers could use this information to stage further attacks.

Highly sensitive information needn’t and shouldn’t be easily exposed on the web. At the least, the firewall on the network edge should be configured to filter unwanted access to Port 80 of these VoIP devices. The less information you disclose, the more secure you are.