July 23, 2002

w3 0wn ur f0n3

eweek.com reports that security researchers (read: hackers) at @stake have discovered many serious security flaws in one of the most popular brands of voice-over-IP phones, Pingtel's xpressa SIP PX-1. Among the flaws: shipping the phones without an administrative password (and then allowing that password to be set remotely!), transmitting login information in cleartext, and no support for HTTPS. Once you 0wn the phone, you can do things like drop calls, change speed-dial settings, divert calls to another SIP phone, and DoS the phone in a dozen different ways. But the fun has just begun--you're now the proud 0wn3r of a "POSIX compliant network device with storage space, bandwidth and a CPU." Another minion to do your blackhat bidding!
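The "login information in cleartext" part is the one worth seeing on the wire, because it is the flaw any box on the same segment can cash in without touching the phone at all. Below is an added example, not code from the eWeek story, from @stake, or from Pingtel: a small Python audit that takes captured plain-HTTP requests and pulls out credentials sent either as HTTP Basic auth or as a login form POST. The requests, host address, paths and credentials are constructed for illustration and are not real xpressa traffic; the form field names it looks for are an assumption.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests standing in for what a sniffer on the same
# segment would capture from a plain-HTTP admin interface. The address,
# paths and credentials are made up; nothing here is real Pingtel traffic.
SAMPLE_REQUESTS = [
    b"GET /admin/config HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic YWRtaW46c2VjcmV0\r\n"
    b"\r\n",
    b"POST /login HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"user=admin&password=changeme",
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"\r\n",
]

# Assumed field names for login forms; extend for the device you audit.
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
USER_FIELDS = {"user", "username", "login", "uid"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(raw):
    """Return the cleartext credentials one request exposes, if any."""
    method, path, headers, body = parse_request(raw)
    findings = []
    # Basic auth is just base64, which hides nothing from a sniffer.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("latin-1")
        user, _, password = decoded.partition(":")
        findings.append({"kind": "basic", "path": path,
                         "user": user, "password": password})
    # Form logins over plain HTTP carry the password verbatim in the body.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        user = next((form[k][0] for k in USER_FIELDS if k in form), None)
        password = next((form[k][0] for k in PASSWORD_FIELDS if k in form), None)
        if password is not None:
            findings.append({"kind": "form", "path": path,
                             "user": user, "password": password})
    return findings


def audit(requests):
    """Run extract_credentials over a capture and collect every hit."""
    hits = []
    for raw in requests:
        hits.extend(extract_credentials(raw))
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_REQUESTS):
        print(f"{hit['kind']:5} {hit['path']:15} {hit['user']}:{hit['password']}")
```

Point the same logic at reassembled TCP streams from a real capture and you have the whole reason "no HTTPS" matters: nothing about the protocol stops anyone in the path from reading the admin login straight off the wire.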

I submitted this (edited for brevity) to Slashdot; they didn't think it was good enough. Fortunately, we at the Reserved Space aren't constrained by things like standards.

Posted by Chris at July 23, 2002 03:42 PM

Category: Corporate Stupidity