A result of sorts on a vulnerability we publicised a few weeks back. We won’t claim the credit, by the way.

The people at GNUCitizen alerted the world to a security hole in the management software for an office VoIP system that is fairly common in continental Europe, SNOM’s Model 320.

The issue was big enough for attackers to do a number of untoward things, including monitoring conversations in the room in which a particular hacked handset might be located, or just impersonating that handset ID.

GNUCitizen posted the proof-of-concept code, which together with the publicity we gave to the issue, appeared to give SNOM’s engineers a bit of a jump-start in dealing with the flaw. A response sent to Techworld promised the following pretty comprehensive actions:

“To minimise the risks we will take the following measures:

1. Publish an article on the topic, "How to I prevent security attacks against my snom phone" on our web page. This article will - at least for the immediate future - be linked to our home page.

2. We will address the topic in the newsletter for our partners and specialised dealers to ensure that each partner and dealer will be made aware of it.

We will make the following changes in new firmware versions:

3. Revise the flash applet.

4. Implement a "token" on the web interface that will prevent cross site attacks.

5. Give a warning on the web interface when no use name/password has been set.”

This is an excellent response from SNOM, and they deserve credit for taking the issue so seriously – eventually. It shouldn’t take publicity to get things moving.

The other moral is that VoIP telephony (or VoIP anything for that matter) introduces all sorts of vulnerabilities that wouldn’t have occurred in the world of simple telephones and the PSTN, but everyone knows that anyway so it’s annoying to point it out at all. [We’re ignoring the mad phone phreakers of lore who used to storm local exchanges but I doubt they did much harm to the average business.]