DEF CON 27 - Stephan Huber - Im on Your Phone Listening Attacking VoIP Configuration Interfaces

HackersOnBoard
HackersOnBoard
5,211
0
Published 2019-12-05
If toasters talking to fridges is no joke to you, then you are aware of the big Internet of Things hype these days. While all kind of devices get connected and hacked, one of the oldest class of IoT devices seems to be forgotten even though it is literally everywhere - VoIP phones.

For configuration and management purposes, VoIP phones run a web application locally on the device. We found several critical bugs (reported CVEs) in the web application as well as in the webserver which enabled us to hijack the phones. Starting with simple XSS and CSRF issues, via command injections and memory corruptions right through to remote code executions, all popular vulnerability classes can be found on those devices.



We will present our findings together with the tools and strategies we used, and will enable you to do the same with your own phones and other IoT devices.



Further, we will provide helpful ARM shell code patterns, scripts and tricks which hackers can use to find bugs. We will conclude our talk by showing that automatic tools fail to discover such vulnerabilities. Therefore, manual IoT pentesting is still required.



If you think these management interfaces are not exposed to the internet, you are wrong. In a scan, we found thousands of reachable phones vulnerable to our exploits.
All Comments (3)
  • @HackersOnBoard
    Hello dear friends We get notified of the censorship of our channel by the new YouTube Guidelines (who change every 6 months) because of "Content reusing without including substantial original commentary or educational value" This is a little bit tricky because these Guidelines wasn't there in 2013, 2014, 2015 and so on... It is abnormal to change the rules during a game ...even more before Christmas! Since 2013 we are trying to share the best Security Conference on our channel and we need your help to keep it up. As you already know I was fighting the disease since the last 2 years and it's difficult and without resource and support I wouldn't be able to keep up on this way. You can support us on Patreon if you find our work valuable. You can also express your dissatisfaction regarding our situation to Youtube on Twitter, Facebook, Instagram and wherever you can. to help us regain our rights. Your support in anyway will be truly appreciated Thanks guys for taking time reading me and stay tuned! Merry Christmas to you all and God bless you all! www.patreon.com/HackersOnBoard Bitcoin Wallet: 1NWM4upgKj8iF7zknzmnHG8Mm2pvAyTHqc
  • @MrThefatheroftheyear
    What happened to you?!? Why no uploads in over a year? Did you know too much er what??...