Securing Network Based IP Phones

IP Phone webGUI Login Credentials - CHANGE IT FIRST

In most cases, IP telephones come with a 6 to 8 character or digit default password printed on a label on the bottom of the device. Otherwise, the default username and password are set to admin / admin or admin / password. This is not secure enough for a SIP based device environment.

Change the default, and use 16 or more mixed characters for your new SIP client device webGUI password.

Ensure you use STRONG PASSWORDS with mixed alpha-numeric and special characters (such as: #$%^&!+=-) if the manufacturer's firmware allows it; in most cases in today's industry, it does. Take advantage of this feature and store your admin username and password in a secure place for all devices.

Manufacturers have finally started to catch on and force users to change the login credentials when they first access the webGUI of the device. At minimum, users are now forced to change the password, which ensures this security feature is used correctly.

If you are using a PBX system, see below, as there are time-saving features when using brand-related devices.

When using your IP Phone as a Stand Alone Device

Ensure your IP Phones are ALL plugged into your network behind a firewall. In many cases over the years we have seen users plug directly into an ISP's secondary network port, which can sometimes be open directly to the internet. This means the device gets its IP address from your ISP, and is accessible from the internet directly through that IP address.

If you haven't changed the webGUI admin name / password for that phone and have left it at factory settings, it is prone to telephone fraud.

Over the years, we have seen Stand Alone Devices (SAD-IPD's) to be the most prone to phone hacking, because they are quite often forgotten about by most network administrators. Review all the devices on your network, not just IP phones, to determine if they are SAD (LOL). Review login credentials and change them at least once a year minimum, just in case.
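The checks described in the two sections above (default logins, the 16 character mixed password rule, phones addressed directly from the ISP, and the yearly credential review) can be run over a device inventory. The script below is an added example and not part of the original article; the CSV column layout, the device names, the sample passwords and the assumption that internal phones sit in RFC 1918 address space are all constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import date

DEFAULT_PAIRS = {("admin", "admin"), ("admin", "password")}  # defaults named in the article
# Assumption: phones behind the firewall use RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_LEN, MAX_AGE_DAYS = 16, 365  # 16+ characters, changed at least once a year

# Constructed sample inventory; the column layout is an assumption of this example.
SAMPLE_INVENTORY = """name,ip,username,password,last_changed
lobby,192.168.10.21,admin,admin,2021-03-01
desk-104,192.168.10.44,voipadmin,Tr7#kd!Qz2+mPw9=Lx,2024-11-15
warehouse,203.0.113.7,phoneadmin,Blue#Harbor+92!tide=K,2024-09-30
fax-ata,10.0.5.9,admin,Summer2023,2023-01-10
"""

def audit_device(row, today):
    """Return the list of findings for one inventory row."""
    findings = []
    addr = ipaddress.ip_address(row["ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("public-ip")  # likely plugged into an ISP-facing port
    user, pw = row["username"], row["password"]
    if (user.lower(), pw.lower()) in DEFAULT_PAIRS:
        findings.append("default-credentials")
    if len(pw) < MIN_LEN:
        findings.append("short-password")
    # Require letters, digits and at least one special character.
    classes = (any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               any(not c.isalnum() for c in pw))
    if not all(classes):
        findings.append("missing-character-class")
    if (today - date.fromisoformat(row["last_changed"])).days > MAX_AGE_DAYS:
        findings.append("stale-password")
    return findings

def audit_inventory(text, today):
    """Map each device name to its findings (empty list means it passed)."""
    return {r["name"]: audit_device(r, today) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, date(2025, 1, 15)).items():
        print(f"{name:10} {', '.join(findings) or 'ok'}")
```

Feed it an export from wherever the device credentials are stored, and keep that export as protected as the credentials themselves.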

When using your IP Phone with a PBX Phone System

If available in your PBX Phone System, ensure you globally set an admin password for all your client devices in the WebAccess Global provisioning features.

Some PBXs auto-provision the client devices and can be set up to set the admin login and password for the IP Phone through the global provisioning features. This will save time compared with manually changing the webGUI login credentials at each IP Phone device.

This policy will also help stop extension users from gaining unauthorized access to the webGUI or making changes to the device configuration 'at the desk' through its feature set buttons. With some brands of IP Phones, you can also limit which functions on the phone can be changed by the end/extension user.

A Final Note on Securing IP / SIP Phones

Ensure you update your phone firmware regularly. If using the phone as a stand alone device, download and manually install firmware updates, or set up firmware update policies on the phone itself. Some phones now come with a URL/firmware update feature to either notify you or self-install firmware updates when available.

When using phones with a PBX, you can also set up global firmware update policies for manual or self-install across all devices on your network. That feature is usually built into the global provisioning features of any well designed PBX phone system in today's market.