It amazes me that VoIP carriers continue to make a very simple mistake: they setup an FTP server (which is good) to provide the configurations for their SIP Phones (such as PolyCom, and Aastra SIP phones) (which is also good), but they use the manufacturer’s default “PlcmSpIp” username and password on the servers (which is not ideal, but that’s debatable). (Google reports 411 web pages documenting “PlcmSpIp” on the Internet right now. 47 of them are published by “site:polycom.com”.)
But worst of all, they allow anyone in the world to FTP in using these well-publicized credentials, and then actually list all of the CPE configuration files in the directory using FTP. An attacker can then download these configuration files and:
- Steal phone service by registering using the credentials documented in the configuration file.
- Interrupt a legitimate customer’s phone service.
- In some cases, he may be able to stealthily intercept telephone calls going to and from the user.
There are a number of defenses against this type of exploit. First of all, don’t allow the PlcmSpIp (or any other user used by your customers) to actually view the contents of the directory via FTP. This makes it more difficult to download files, because attackers cannot directly view the list of SIP phones in your system. Instead, attackers are forced to guess the MAC addresses of the SIP phones in your system. You can then use approximate defenses, such as blocking users who attempt to download too many non-existent config files.
Protecting IP Phone configurations is one key element in a quality VoIP System Security Analysis.