SySS security expert Moritz Abrell discovered vulnerabilities in IP telephony that uses the Zoom Zero Touch Provisioning process in combination with Audiocodes 400HD phones. The German researcher presented the results of the security analysis at this year's Black Hat USA. As demonstrated there, attackers could compromise the end devices and then eavesdrop on conversations, form a botnet of infected devices, or attack the networks in which the phones are operated.
Provisioning in the cloud without a corporate network
To limit their attack surface, IP phones are usually provisioned inside protected networks, where firmware and configurations are distributed to the devices. Cloud-based telephony solutions such as Zoom Phone simplify this: the initial provisioning no longer passes through a secured, specially prepared environment in the corporate or government network.
Zoom Phone uses the Zero Touch Provisioning process to assign end devices to users along with the associated configurations. A device that starts up for the first time in its factory state loads its configuration from the provisioning server.
Figure: The chain of infection.
According to the analyst, any MAC address of one of the manufacturer's phones could be entered via Zoom's admin panel without any proof of ownership of the associated device being requested. Zoom then stores, on the manufacturer Audiocodes' redirect server (redirect.audiocodes.com), a redirection of that device's provisioning and configuration server to the Zoom server. This allowed Abrell to assign a configuration template containing a prepared firmware download URL to a new device via the Zoom administration. Importing multiple MAC addresses at once was also possible.
More vulnerabilities discovered
In addition, the analysis revealed shortcomings in the verification of firmware updates: the associated checksum check could be outsmarted with a manipulated image, so the phone installs the manipulated image after the download. In this way, attackers could, among other things, eavesdrop on conversations or penetrate internal networks.
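The following is an added illustration, not code from the article or from SySS, Zoom or Audiocodes, and it does not reproduce the actual bypass (those details are on the SySS blog). It models the trust problem behind the two findings above: once an attacker can assign a configuration template with their own firmware URL, an integrity value that travels through that same provisioning channel cannot protect the device, whereas a check against a key pinned in the phone can. All keys, images, URLs and the config layout are constructed placeholders, and HMAC-SHA256 stands in for the vendor signature a real device would verify with a pinned public key.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor signing key pinned in the phone's firmware.
# A real device would pin an asymmetric public key (e.g. Ed25519) and verify a
# signature; HMAC-SHA256 is used here only to keep the example stdlib-only.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"

def sign_image(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: produce the integrity tag shipped with a genuine image."""
    return hmac.new(key, image, hashlib.sha256).digest()

def verify_by_config_checksum(config: dict, image: bytes) -> bool:
    """Weak policy: compare the image against a checksum that arrived in the
    same provisioning config as the download URL. Whoever controls the config
    controls both values, so this catches transfer corruption, not tampering."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(),
                               config["firmware_sha256"])

def verify_by_pinned_key(tag: bytes, image: bytes) -> bool:
    """Stronger policy: the tag must verify under a key baked into the device
    that never travels through the provisioning channel."""
    return hmac.compare_digest(sign_image(image), tag)

def provision(config: dict, image: bytes, tag: bytes) -> dict:
    """Simulate the phone's decision under both policies for one download."""
    return {
        "checksum_policy_accepts": verify_by_config_checksum(config, image),
        "signature_policy_accepts": verify_by_pinned_key(tag, image),
    }

GENUINE = b"constructed genuine 400HD firmware image"
GENUINE_TAG = sign_image(GENUINE)
MALICIOUS = b"constructed manipulated image"

# Constructed config templates: the rogue one is what an attacker who can
# register a MAC address would assign, choosing both URL and checksum.
GENUINE_CONFIG = {
    "firmware_url": "https://vendor.invalid/fw.img",      # placeholder
    "firmware_sha256": hashlib.sha256(GENUINE).hexdigest(),
}
ROGUE_CONFIG = {
    "firmware_url": "https://attacker.invalid/fw.img",    # placeholder
    "firmware_sha256": hashlib.sha256(MALICIOUS).hexdigest(),
}

if __name__ == "__main__":
    print(provision(GENUINE_CONFIG, GENUINE, GENUINE_TAG))
    # Without VENDOR_KEY no valid tag exists for MALICIOUS; replaying the
    # genuine tag fails, so only the checksum policy lets the image through.
    print(provision(ROGUE_CONFIG, MALICIOUS, GENUINE_TAG))
```

The point for defenders is the trust anchor: the pinned key never passes through the channel the attacker controls, so swapping the image and its checksum together gains nothing under the second policy.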
Audits of the redirection paths on the Audiocodes servers also turned up sensitive data such as configurations and passwords. Users of the redirect service should therefore check whether their own sensitive data is publicly accessible.
Although Abrell notified the manufacturers back in November 2022, some of the gaps remain open at the time of publication. SySS provides details on exploiting the vulnerabilities on its tech blog.
#telephony #vulnerabilities #provisioning #zoom #audiocodes