IP phone web interface security

Security of IP telephony systems is a hot topic at the moment, it has been for quite some time and is should always be at the forefront of anyone’s mind when setting up such a system.

There are loads of methods and applications for securing PBXs and the like but something I often see overlooked is security of the actual phones themselves.

The usual threat is someone obtaining SIP credentials by looking at the phone’s web interface. In some cases, IP phone devices have the password displayed in plain-text for all to see. Slightly better implemented GUIs have the password obfuscated when you look at the page but still readable by viewing the page source code in your web browser.

If ProVu ever become aware of any products we sell with either of these issues, we push the manufacturer make changes to hide the password at all times.

Further to this though, anyone installing IP phones should really set strong web interface usernames and passwords. I see phones put on public IP addresses or sometimes with port forwards (often for support purposes) that have no passwords set! This is like leaving the front door to your house wide open while you go out to work all day. Please remember to set a username and password. If a phone comes with a default username and password then do not leave this set as you can be certain the people who want to break into your phone will know default passwords for various phones.

ProVu can set usernames and passwords for phones using our provisioning services:

ProVu fulfilment services