This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.bbc.co.uk/news/technology-35579273

The article has changed 4 times. There is an RSS feed of changes available.

Version 0 Version 1
Phone software bug 'eavesdrops and makes premium calls' Phone software bug 'eavesdrops and makes premium calls'
(about 4 hours later)
A software bug can enable scammers to eavesdrop on phone conversations and make high-cost calls on other people's lines, security experts have shown.A software bug can enable scammers to eavesdrop on phone conversations and make high-cost calls on other people's lines, security experts have shown.
The problem affects voice-over-internet-protocol (Voip) phones, commonly used by businesses.The problem affects voice-over-internet-protocol (Voip) phones, commonly used by businesses.
Snom, the manufacturer whose phones were used in the research, has said the attack affects outdated software.
A spokesman said the tested firmware was "never in wide circulation".
The researcher carried out tests on a phone that was reset to "default" factory settings.
Just by running a couple of lines of code on a website visited by the phone user, the researchers demonstrated how premium-rate calls could be made.Just by running a couple of lines of code on a website visited by the phone user, the researchers demonstrated how premium-rate calls could be made.
A security expert said such bugs could make "millions" for the perpetrators.
By exploiting the fact that Voip phones and desktop computers are connected to the same internet network at many organisations, attackers are often able to access the phones themselves and operate them without the owner becoming aware.By exploiting the fact that Voip phones and desktop computers are connected to the same internet network at many organisations, attackers are often able to access the phones themselves and operate them without the owner becoming aware.
"It's incredibly easy to do," said security researcher Per Thorsheim, who was involved in the demonstration by fellow researcher Paul Moore."It's incredibly easy to do," said security researcher Per Thorsheim, who was involved in the demonstration by fellow researcher Paul Moore.
'Pay to be eavesdropped' Snom response
Mr Thorsheim explained that the phone could be compromised if the user visited a web page containing a couple of lines of Javascript web code However, a spokesman for Snom said, "Snom's internal investigation reveals that the desktop telephone used in Mr. Paul Moore's experiment was an old 2008 telephone model utilizing outdated beta firmware... which was never in wide circulation.
This code was designed to launch the attack on a device made by phone hardware manufacturer Snom. "The latest and current firmware is version 8.7.5.35 and there have been multiple firmware releases since the outdated beta release."
"It will charge you a pound a minute and I will listen to whatever is being said close to your phone - you will be paying me to be eavesdropped," he told the BBC. The spokesman added that Snom telephones by default request that both users and network administrators set a password during installation.
Mr Thorsheim added that it was relatively easy to update the phone's security settings to prevent this. "If a password is not set, a continuous non-stop, endless visual warning on the device's display is illuminated," he said.
However, he pointed out that most companies would probably not go to that trouble, as the phones operated perfectly well without making the security changes. Mr Thorsheim explained that the tested phone could be compromised if the user visited a web page containing a couple of lines of Javascript web code.
Prof Alan Woodward, a security expert at the University of Surrey, said it was a "significant problem" and pointed out that by using online tools he was able to find many examples of phones that could be accessed using the method. Prof Alan Woodward, a security expert at the University of Surrey, said attacks on Voip phones were a "significant problem" and pointed out that by using online tools he was able to find many examples of phones that could be accessed using the method.
"The one we do know where it's being used a lot is premium-rate scams," he told the BBC."The one we do know where it's being used a lot is premium-rate scams," he told the BBC.
"They use your phone to dial a premium-rate number. There's a lot of that going on - we're talking millions being made out of that.""They use your phone to dial a premium-rate number. There's a lot of that going on - we're talking millions being made out of that."
Widespread issueWidespread issue
The practice of using phone lines paid for by companies to make expensive calls for little or no fee is thought to be increasingly common, according to research by security consultancy Nettitude.The practice of using phone lines paid for by companies to make expensive calls for little or no fee is thought to be increasingly common, according to research by security consultancy Nettitude.
In a report last year, it said that the UK was particularly badly affected.In a report last year, it said that the UK was particularly badly affected.
Prof Woodward said the issue was similar to other flaws found in internet-connected devices and warned that with the rise of the Internet of Things, similar tricks were likely to become more and more common.Prof Woodward said the issue was similar to other flaws found in internet-connected devices and warned that with the rise of the Internet of Things, similar tricks were likely to become more and more common.
"It's a huge wake-up call to anybody who's building devices with embedded software," he said."It's a huge wake-up call to anybody who's building devices with embedded software," he said.
A spokeswoman for Snom said that the firm was investigating the issue.