Phones Aren't Safe Either, Hackers Say: "

Hacking VoIP is easy, says John Kindervag, and it gets you well past the phone. Using penetration tests propounded by a tool called VoIP Hopper, he and partner Jason Ostrom got well past the phone into the corporate systems that support it from hotel rooms, corporate offices and so on.

‘The whole catalyst behing VoIP Hopper is we were in a hotel room with a Cisco phone,’ Ostrom says. ‘We were (able to get) into the (hotel's) corporate network and got access to their financial and corporate network and recorded other phone calls.’

Of course, he says, they destroyed the data after the attack. Using ‘a really advanced hacker technique,’ - unplugging the phone and plugging in a PC, VoIP hopper mimics the Cisco data packets sent at three minute intervals and then trades a new Ethernet interface, getting the PC into the network running the VoIP.

‘People tell us VoIP is secure by default,’ Ostrom says. ‘But a regular PC should never have access to it.’

The configuration used by Avaya is superior to Cisco, they say, because you have to send requests beyond a sniffer. But it can be breached the same way, by unplugging the phone and plugging in a PC. Most VoIp users aren’t set up to keep their data secure from an attack launched through VoIP.

‘In seven environments that we looked at, not one customer had a firewall between voice and data,’ Ostrom says. ‘We’ve toasted so many of these networks it’s not funny. VLAN is never, never a secure network.’

(Read Original Article - Via Threat Level.)