Configuration Disclosure: Infrastructure
Vulnerability:
- Most hard-phones use FTP or TFTP when booting
- FTP is an insecure protocol
- TFTP is an even more insecure protocol
Attack:
- FTP: Observe the device’s login credentials
- TFTP: Guess or observe filenames
- Grab the configuration file and firmware from the server
- Or just reconstruct the firmware / configuration file from observation
Effect:
- Disclosure of sensitive information such as:
  - Usernames / Passwords
  - Call Server, Gateway, Registration Server, etc.
  - Available VoIP services
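
Detection (added example, not part of the original slides): a TFTP read request (RFC 1350) carries only an opcode, a cleartext filename and a transfer mode, so a provisioning server or network sensor can see which host reads which files and flag one host reading many different ones. The sample packets, file names, IP addresses and the `max_distinct` threshold are constructed assumptions.

```python
from collections import defaultdict

RRQ = 1  # TFTP read-request opcode (RFC 1350)


def parse_rrq(payload: bytes):
    """Return (filename, mode) from a TFTP RRQ payload, else None.

    An RRQ is: 2-byte opcode, filename, NUL, mode, NUL. There is no
    credential field, and the filename is sent in cleartext.
    """
    if len(payload) < 4 or int.from_bytes(payload[:2], "big") != RRQ:
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0]:
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace").lower()


def flag_enumeration(events, max_distinct=3):
    """Map each source that read more than max_distinct distinct files to those files.

    max_distinct is an assumed baseline: a phone normally fetches only its
    own configuration and firmware at boot.
    """
    seen = defaultdict(set)
    for src, payload in events:
        parsed = parse_rrq(payload)
        if parsed:
            seen[src].add(parsed[0])
    return {s: sorted(n) for s, n in seen.items() if len(n) > max_distinct}


def make_rrq(name: str) -> bytes:
    """Build an RRQ payload for the constructed sample below."""
    return b"\x00\x01" + name.encode("ascii") + b"\x00octet\x00"


# Constructed sample: (source IP, UDP payload sent to port 69). Names are made up.
SAMPLE = [("10.0.5.21", make_rrq("phone-0001.cfg")),
          ("10.0.5.21", make_rrq("firmware.bin")),
          ("10.0.5.21", b"\x00\x04\x00\x01")]  # ACK, ignored
SAMPLE += [("10.0.9.99", make_rrq(f"phone-{i:04d}.cfg")) for i in range(1, 6)]

if __name__ == "__main__":
    for src, names in flag_enumeration(SAMPLE).items():
        print(f"{src} read {len(names)} distinct files: {', '.join(names)}")
```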