Reading recently about Snom releasing a new phone with IPSec VPN capabilities started me thinking about the incredible processing power that embedded devices have these days. It wasn’t so many years ago that IP phones couldn’t offer encryption because of the high CPU demands, but with each passing month clock rates go up and new CPUs come out, while prices go down. Nokia advertised their new N95 smartphone recently, proclaiming that this is “what the computer has become”, and this is actually true. The navigation computer on the Apollo moon missions had to be loaded and reloaded several times during the trip, as it only had 8k of memory in which to store navigation programs. Famously, their computer crashed several times on the first moon landing, due to data overload from the radar telemetry. Those guys would have been happy to have a modern PDA on board, with thousands of times more power than their humble machine.
Since these phones have more power, we expect the devices to do much, much more, and they can suffer from feature-itis, where all kinds of bells and whistles are added not because they are needed, but because we can do it, and cheaply. So, far from getting a device that is “just a phone”, we get all kinds of extraneous features, many of which have security implications, and in fact vulnerabilities. Ask the average cellphone user, and you will probably find that they know only about 5% of the functions available to them, and they probably didn’t even read the (usually thin) handbook that came with it. This is also true for VoIP phones, which normally come packed with other non-VoIP services such as TFTP, FTP, LAN capture, an embedded web server, network time service, and so on. A lot of these features can be exploited when passwords are left at the factory default, which they commonly are.
If we are going to make all the phones into fully-functional computers, then from a security point of view we need to make sure that each device is properly audited, hardened, and patch-managed. Many enterprises are not yet ready for what the computer has become.