During this year's Astricon, Eric Klein and I were entrusted with the task of helping to organize and run the Asterisk Security Master Class. The purpose of the Master Class was to give the conference participants additional knowledge of VoIP security in general and Asterisk security in particular. One of the slides in my presentation (we will upload the slides within the next few days) pointed out that many admins don't bother to change their IP phone's default login and password.

One of the participants rightly said: "Come on, do you honestly want us to believe that people don't change their password? And even so, how would you find that device on the Internet?" Our immediate reply was: ShodanHQ. Point your browser at Shodan (www.shodanhq.com) and enter the following as your query string: "Polycom port:80 country:US". What we are asking is for Shodan to give us a list of devices that expose port 80 to the world and have the word Polycom in their headers or response string. You will notice that you get a "short" list of over 20,000 devices that Shodan has indexed.

Now, let's do a small test: take an IP address from the result list and open it in your browser. If you get a Polycom SoundPoint screen, continue as follows.

Click on the "Lines" section and you will be greeted with a username/password dialog. Try the following credentials: username Polycom and password 456. These are the default Polycom credentials. Amazingly enough, we found at least 4 of these among the first 10 search results, all belonging to reputable organizations. Total time from start to hack: less than 90 seconds.

The scary part here is not that it can be done, but that it was done during one of the conference sessions, by 3 different people, none of whom had any knowledge of the Shodan engine prior to that session.

Is the phone itself a worthwhile target? Not really; or, to be more exact, it depends on the phone. However, the phone holds information that is worth having, specifically its SIP credentials. Let's take a look at what we found here:

So, we now have the SIP server address, the user credentials and the person's name. From this point, a potential attacker can use this information to brute-force the password, obtain information from the person himself, call the institution's support center and impersonate that person, and so on. Pay attention to the "Address" field: we now know the IP address of the server this phone registers to. So, we have an IP address, a valid username, the institution the phone belongs to (obtained from Shodan), and from "Calls Per Line" we can tell that 24 concurrent calls are possible. We just need to hack that phone's account, and we will have a full T1 at our disposal.