Gentlemen, lock up your SIP devices!
Since I acquired a wonderful little SIP device called the PAP2T I have spent a great amount of time getting it to work just the way I want it to with its hundreds and hundreds of configuration possibilities. Something I also noted is that it ships without any kind of password protection. (Not even the de facto admin/admin standard.)

Since SIP is a protocol that requires carefully chosen ports to be forwarded for it to function properly, a lot of sites advise you to put your devices in the DMZ, or even to plug them directly into the modem. This may make your device work properly, but it has the nasty side effect of exposing some of your personal information on the internet. A malicious attacker could easily find out your name and phone number, but the really frightening part is that the web interface shows the last outgoing and incoming calls, which, if monitored on a regular basis over time with a simple script, could reveal your entire calling history. Not only is this a huge breach of privacy, but it is also a gateway into identity theft – imagine a crook who not only knew your name and phone number, but also the number of your bank, your physician and everyone else you know and call.

A very simple Google search currently reveals over seventy individuals with exposed PAP2T devices, and the majority of these have not even set a password for the administrator area, which gives anyone on the internet the opportunity to edit their settings at their convenience.
But there are many solutions, and they are all relatively simple. If you don’t feel like messing around with port forwarding, many devices let you disable the web interface by dialing a certain number from one of the connected phones (on the PAP2T: **** -> 7932# -> 1 or 0# to toggle on/off). An even simpler option is of course to password-protect your device. A third option is to change the port from the default 80 (HTTP) to an arbitrary number (although you should stay away from port 443).
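To confirm that one of these fixes actually took effect on your own device, the following added example (not part of the original post) sends a single unauthenticated request to the web interface and classifies the reply. It assumes the device answers with HTTP 401 once a password is set; the address 192.168.1.50 and the sample replies are placeholders constructed for illustration.

```python
import socket

def classify_response(raw: bytes) -> str:
    """Classify the start of an HTTP reply from the device's web interface."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    header_names = {l.partition(":")[0].strip().lower() for l in lines[1:] if ":" in l}
    # Assumption: a password-protected interface challenges with 401.
    if status == 401 or "www-authenticate" in header_names:
        return "password-protected"
    if 200 <= status < 300:
        return "open"          # pages served with no credentials at all
    return "other"             # redirects, 403, 404, 5xx: inspect by hand

def probe(host: str, port: int = 80, timeout: float = 3.0) -> str:
    """Send one unauthenticated GET / to your own device and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return "unreachable"   # refused or timed out: web interface off or filtered
    return classify_response(data)

# Constructed sample replies (not captured from a real PAP2T).
SAMPLE_OPEN = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE_LOCKED = b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="x"\r\n\r\n'

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"  # placeholder address
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it from outside your LAN against your public address and whichever port the interface listens on. A device moved to another port but left without a password still reports "open".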
As the internet revolutionizes our means of communication, we must never forget that it is a very open place, and that leaving your door unlocked could lead to bad things – whether you do it on the internet or in real life.