It’s refreshing to see a vendor in the IP phone space respond to reported security problems with their products. During the GNUcitizen Router Hacking Challenge several issues were reported with the Snom 320. The vulnerabilities posted were also picked up by Tom Keating’s blog. GNUcitizen posted a webpage detailing the vulnerabilities as well, and the vendor response has been very good, with the following actions taken by Snom (note: typos left in):
- We will publish an article on “how to make your snom phone saver” on our website (including a link to it on the start page)
- We will send out a newsletter to all our registred VARS and distributers with this information
- We will work on the FW to improve security (just checked, on FW Ver. 7 the Flash applet is disabled by default)
- We will publish a new email adress, for security matters (mostlikly email@example.com), which goes to a bunch of people.
So, this is a good start, but I do have a few humble suggestions for Snom:
- Have a dedicated security page, e.g. www.snom.com/security/ that has their product security policy spelled out.
- Set up PGP for the firstname.lastname@example.org email alias and post the public key so that communications can be encrypted.
- Formalize the product vulnerability advisory process, including sending out the advisory to various mailing lists, etc. Following Cisco PSIRT and Asterisk advisory format is a fine start.
- Tidy up the English translations for better flow and understanding.
Overall, it is encouraging to see a VoIP phone vendor stepping up and taking ownership of product vulnerabilities – Kudos to Snom!