The market for Voice over Internet Protocol systems and devices has expanded considerably over the last few years; business owners interested in upgrading their legacy PBX systems have many choices, including some they can install themselves as do-it-yourself projects. The problem with such DIY installations, whether built on open source PBX software or on VoIP routers shipped with set-up instructions, lies in network configuration and overall security.
VoIP phone exploits are more common than most people realize, because we tend to think of these devices as legacy landline handsets rather than the personal computing devices they really are. Modern VoIP phones are very similar to smartphones in the sense that they are mini-computers connected to a local area network; in fact, many of them run the Android operating system. Information security specialists treat these devices as endpoints that present vulnerabilities for attackers to exploit.
If you install a VoIP phone without changing the default password, it does not matter whether your entire network and its endpoints sit behind a firewall. Attackers are certainly familiar with the default passwords of VoIP devices, including routers, switches, and phones; this kind of information is routinely shared on underground forums, and it facilitates a range of attacks. One of the most common exploits involves a phishing strategy in which staff members are encouraged to click a link in an email message. The messages are not sent blindly; the attackers first scan networks for VoIP phones that still have the default configuration and password, and when a phishing victim visits the malicious website, the attackers stealthily dial the phone to eavesdrop on voice calls and attempt to breach the network with malicious firmware and rootkits.
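The defensive counterpart to the default-password problem described above is an audit of the PBX configuration before the phones go live. The following Python script is an added example, not code from the original article or from any PBX project: it parses a constructed, Asterisk-style `sip.conf` fragment (the `secret`, `host`, `permit`, `deny` and `allowguest` keys follow Asterisk's chan_sip syntax; the sample values and the `DEFAULT_SECRETS` list are placeholders, not a real vendor's defaults) and flags extensions that still carry a default or short secret, register from anywhere without a `permit`/`deny` restriction, or sit behind a guest-friendly `[general]` section. Extension 101 is the weak setting; extension 102 shows the corrected form.

```python
import re

# Constructed sample configuration (Asterisk chan_sip-style syntax assumed);
# extension 101 is deliberately left with a placeholder default secret and no
# address restriction, extension 102 shows the hardened equivalent.
SAMPLE_CONF = """
[general]
context=default
allowguest=yes

[101]
type=friend
secret=1234
host=dynamic
context=internal

[102]
type=friend
secret=Zq8!mP4v#Lr2wT9e
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
"""

# Constructed placeholder list; a real audit would load the documented defaults
# of the phone and PBX vendors actually deployed on the network.
DEFAULT_SECRETS = {"1234", "admin", "password", "0000"}
MIN_SECRET_LENGTH = 12


def parse_sections(text):
    """Parse an INI-style config into {section: {key: value}}; ';' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit(text):
    """Return a list of (section, finding) tuples for weak or default settings."""
    sections = parse_sections(text)
    findings = []

    general = sections.get("general", {})
    if general.get("allowguest", "no").lower() == "yes":
        findings.append(("general", "allowguest=yes admits unauthenticated callers"))

    for name, opts in sections.items():
        if name == "general":
            continue
        secret = opts.get("secret", "")
        if not secret:
            findings.append((name, "no secret configured"))
        elif secret in DEFAULT_SECRETS:
            findings.append((name, "default/placeholder secret still in use"))
        elif len(secret) < MIN_SECRET_LENGTH:
            findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LENGTH))
        # A dynamic peer with no permit/deny pair accepts registrations from any address.
        if opts.get("host", "").lower() == "dynamic" and "permit" not in opts:
            findings.append((name, "dynamic host with no permit/deny restriction"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONF):
        print("[%s] %s" % (section, finding))
```

Run against the sample, the audit reports three findings: the `[general]` guest setting and two for extension 101 (default secret, no address restriction); extension 102 passes. Pointing `audit()` at the live configuration file, and repeating it whenever a phone is provisioned, turns the "change the default password" advice into a check that runs before an attacker's scan would find the device.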