{"id":512,"date":"2009-01-27T16:37:07","date_gmt":"2009-01-28T00:37:07","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=512"},"modified":"2009-01-27T20:07:00","modified_gmt":"2009-01-28T04:07:00","slug":"verizon-voip-house-phone-hub","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/27\/verizon-voip-house-phone-hub\/","title":{"rendered":"Verizon VoIP House Phone Hub"},"content":{"rendered":"<p class=\"MsoNormal\">Nowadays, traditional phone service is not widely used. As stated in an <a href=\"http:\/\/www.technewsworld.com\/story\/65959.html\">article<\/a> from <a href=\"http:\/\/www.technewsworld.com\/\">http:\/\/www.technewsworld.com<\/a>, \u201cVoIP phones are growing in popularity &#8212; and 20 to 25 percent of customers are canceling home phone service.\u201d To retain its customers and compete with other companies such as the cable television companies, Verizon is launching a VoIP house phone hub that provides many special features.<\/p>\n<p class=\"MsoNormal\">This VoIP phone must be plugged into a router. The VoIP house phone handset connects to its hub, which offers applications such as navigation. The hub has a constant Web connection and is capable of browsing local traffic, weather reports, and online calendars.<\/p>\n<p class=\"MsoNormal\">\n<p class=\"MsoNormal\"><strong>Assets and security goals<\/strong><\/p>\n<ul>\n<li>The first asset is making it easier for a busy family to manage its schedule.
As stated in the summary, the VoIP hub is capable of navigation, schedule management, and displaying weather and current traffic, and it also works as a regular phone.<\/li>\n<li><!--more-->The device\u2019s wireless connection has to be secure. The hub uses it to send navigation directions to the Verizon Wireless phone. Thus, if the wireless connection is not secure, a third party can hack into it, give the user wrong directions, and possibly direct them to dangerous places.<\/li>\n<\/ul>\n<p class=\"MsoNormal\"><strong>Potential adversaries and threats<\/strong><\/p>\n<ul>\n<li>Since the VoIP hub has a constant Web connection, an attacker has plenty of time to try different techniques for getting the user&#8217;s private data. The attacker can get their voice mail, contact list, or calendar.<\/li>\n<li>The VoIP hub provides a companion Website where the user can change the calendar or add new contacts, which are then synchronized to the VoIP phone hub. If a malicious person has access to the account, he\/she would be able to change the content or even delete the important contact list.<\/li>\n<li>Ticket buying is a good feature of the VoIP house phone hub; however, hackers could buy many tickets, increasing the expense for the user.<\/li>\n<li>The Verizon Wireless phone can get navigation directions from the VoIP hub. However, if an attacker compromises the system, he\/she can direct the user to the wrong place or a dangerous location.<\/li>\n<\/ul>\n<p class=\"MsoNormal\"><strong>Potential weaknesses<\/strong><\/p>\n<ul>\n<li>There could be an insider threat.
An employee might write code that gives them easy access to the user databases or administrator privileges on the system.<\/li>\n<\/ul>\n<ul>\n<li>If the companion website requires a password, the password can be a weakness. For a home phone system, people will use a weak password, since the whole family needs to memorize it.<\/li>\n<\/ul>\n<ul>\n<li>V Cast content will be available on the hub to display pictures when the phone is not in use. An attacker could potentially steal the personal pictures or abuse the display to show bad pictures.<\/li>\n<\/ul>\n<ul>\n<li>The phone hub and handsets communicate wirelessly, so if the data is not encrypted, a malicious person could acquire it.<\/li>\n<\/ul>\n<p class=\"MsoNormal\"><strong>Potential defenses<\/strong><\/p>\n<ul>\n<li>The Verizon VoIP home phone hub lets users keep their contact list and change their calendar schedule online. Thus, in order to change the contact list or the calendar, they have to type in a password. This way, it is harder for a third party to tamper with them.<\/li>\n<\/ul>\n<ul>\n<li>Wireless is unsecured. Thus, encryption is needed in order to have safe wireless file transfer.
With encryption, a third party will have to decrypt the file first in order to alter the data.<\/li>\n<\/ul>\n<ul>\n<li>The Verizon VoIP home phone can also preview local movies, and it allows the user to buy tickets through it. This can be a big disadvantage for users if people hack into the system and buy tickets using their phone, which will increase their financial cost. To prevent this, there should be a limit on ticket purchases.<\/li>\n<\/ul>\n<ul>\n<li>The calendar and contact list are important to users. They would not want a third party to look at their schedule or contact list or to change them. One way to avoid that is for the user to register with their email address and cell phone number in order to activate the phone. The system could then send a notification to the user\u2019s email and cell phone if they or other people change the calendar or contact list.<\/li>\n<\/ul>\n<p class=\"MsoNormal\"><strong>Risk<\/strong><\/p>\n<ul>\n<li>As mentioned above, the VoIP hub can be used as a navigator. This creates a risk that the user is directed to a dangerous place.<\/li>\n<\/ul>\n<ul>\n<li>Since the calendar can be changed online and the changes are pushed to the phone hub, an attacker can attack the web system to modify the entries. If an important appointment is changed, the user could potentially lose a business contract or their reputation.<\/li>\n<\/ul>\n<p class=\"MsoListParagraphCxSpLast\">\n<p class=\"MsoNormal\"><strong>Conclusions<\/strong><\/p>\n<p class=\"MsoNormal\">Using the Verizon VoIP home phone hub may be convenient for many people. Calendar, contact list, weather, movie ticket purchases, and some other features are all in this phone. However, this comes with a trade-off.
However modern the security system in Verizon\u2019s VoIP is, users also have to be aware of the worst case of using it. Awareness is the most important key to preventing bad things from happening.<\/p>\n<p class=\"MsoNormal\">\n","protected":false},"excerpt":{"rendered":"<p>Nowadays, traditional phone service is not widely used. As stated in an article from http:\/\/www.technewsworld.com, \u201cVoIP phones are growing in popularity &#8212; and 20 to 25 percent of customers are canceling home phone service.\u201d In order to maintain Verizon\u2019s customers &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/27\/verizon-voip-house-phone-hub\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":110,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-512","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/110"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=512"}],"version-history":[{"count":7,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/512\/revisions"}],"predecessor-version":[{"id":518,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/512\/revisions\/518"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=512"}],"wp:term":[{"
taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}