Big Security Hole Discovered with Broadvox Direct

Recently launched service's configuration files left open to any web browser, allowing unauthorized use of customer phone lines.

Things just keep getting tougher for Broadvox Direct.

The Cleveland-based company first announced plans to roll out its consumer VoIP offering nearly a year ago, and after two missed launch dates, started signing up customers late last month. The company's president, Jeff Williams, has been promising for months that Broadvox's experience in enterprise VoIP would give it a leg up in competing with more established veterans.

It seems Broadvox may have once again misjudged the complexity of offering consumer-quality VoIP service.

Today, a major security hole in Broadvox's service was uncovered. With nothing more complicated than a standard web browser, anyone on the Internet was able to download and view the configuration files of the 33 customers Broadvox has signed up to date, and the 152 accounts configured "pre-launch".

With that information it is possible to make phone calls that would be billed to another customer's account. Even more disturbing, with these settings and a standard SIP client, an attacker could "register" his own phone as someone else's and receive their incoming phone calls.

Discovery of the security hole came about quite innocently.

A user who was experiencing trouble with his new Broadvox service did a simple network trace to find the URL from which his unit was downloading configuration files. When the user pointed his browser to that location, he found a list of some 100 such files, each corresponding to a Broadvox customer.

Within 30 minutes of posting his findings on the Broadband Reports VoIP discussion forum, other users had duplicated his efforts and succeeded in viewing the unencrypted authentication parameters assigned by Broadvox.

Luckily, this appears to be a case where the exploit was made public as soon as it was discovered, so Broadvox should be able to take steps to prevent abuse.

By 4 pm EST Saturday, the company shut down access to the web page containing the user configuration files.

Williams, who did not return phone calls for comments, did post the following message on the Broadband Reports forum:

"While I am not yet prepared to make a statement on this issue I assure you that it is being addressed. I will have more to say on this subject at a later time."

Broadvox Direct distributes Sipura Technology's SPA-2000 telephone adaptors to its users. According to Sipura Marketing Director Sherman Scholten, the unit has built-in security measures to prevent unauthorized access to configuration files.

"Service providers have the ability to protect their configurations using various levels of security," said Scholten, adding that, off-the-shelf, the Sipura unit supports two encryption algorithms with up to 256 bits of protection. "We've implemented several layers of security that can be used during the provisioning process."

Scholten said that the next major software release for the Sipura SPA-2000 will "incorporate a very sophisticated implementation of secure HTTP as an additional layer."

Ravi Sakaria, CEO and President of VoicePulse, a New Jersey-based internet telephone service provider that also uses the Sipura SPA-2000, says the unit is the "most secure adaptor available."

"Sipura has done a superb job of implementing security measures," said Sakaria. "But you can have the best security tools available and if you don't know how to use them, they're worthless."