If toasters talking to fridges is no joke to you, then you are aware of the big Internet of Things hype these days. While all kind of devices get connected and hacked, one of the oldest class of IoT devices seems to be forgotten even though it is literally everywhere - VoIP phones.

For configuration and management purposes, VoIP phones run a web application locally on the device. We found several critical bugs (reported CVEs) in the web application as well as in the webserver which enabled us to hijack the phones. Starting with simple XSS and CSRF issues, via command injections and memory corruptions right through to remote code executions, all popular vulnerability classes can be found on those devices.

We will present our findings together with the tools and strategies we used, and will enable you to do the same with your own phones and other IoT devices.

Further, we will provide helpful ARM shell code patterns, scripts and tricks which hackers can use to find bugs. We will conclude our talk by showing that automatic tools fail to discover such vulnerabilities. Therefore, manual IoT pentesting is still required.

If you think these management interfaces are not exposed to the internet, you are wrong. In a scan, we found thousands of reachable phones vulnerable to our exploits.

Stephan Huber
Stephan is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and IoT devices. He develops new static and dynamic analysis techniques for app security evaluation. He has found different vulnerabilities in well-known Android applications and the AOSP. He has delivered talks at conferences including DEF CON, HITB, AppSec and Virus Bulletin. In his spare time he enjoys teaching students Android hacking techniques.

Twitter: @teamsik
Website: www.team-sik.org

Philipp Roskosch
Philipp is a security researcher of the department Secure Software Engineering at Fraunhofer SIT (Germany). His research interests center on static and dynamic security analysis in the area of mobile apps and IoT devices. Besides research, he is a penetration tester in the same field. In his spare time, he enjoys hacking as a member of TeamSIK.