Cisco Warns Serious VoIP Vulnerability Enables Eavesdropping
1:19 PM EST Fri. Jan. 11, 2013
Cisco Systems is warning Cisco Unified IP Phone users that the system contains a vulnerability that opens them up to potential eavesdropping.
The networking giant issued a security advisory this week, warning that the VoIP phones contain a remote code execution zero-day vulnerability that can give an attacker access to the device's memory. The problem affects Cisco 7900 Series devices, and the company said its engineers are working on a fix and hope to release a software update later this month.
The IP phone is a popular model used in offices globally, according to Cisco. The company said it is not aware of any attacks targeting the flaw, but the hacking technique was presented in December by security researchers Ang Cui and Michael Ossmann at the 29th Chaos Communications Conference in Hamburg, Germany. The two researchers said they believe that the weakness is not limited to Cisco devices.
Security researchers have warned about weaknesses in IP-enabled devices. Researchers at Columbia University's Intrusion Detection Systems Lab identified tens of thousands of vulnerable IP-enabled embedded devices. Despite having a small footprint, IP devices use various communication protocols that could be targeted by an attacker.
In 2009, researchers at the Black Hat conference explained how to hack into Cisco routers. The flaws they used were patched, but the researchers said the routers and other embedded devices like them are based largely on Unix and can be exploited if the attacker finds a way to navigate through the code.
In a video presentation about the Cisco IP phone hack, Cui, an embedded systems expert, said the goal of his research is to show examples of vulnerabilities in systems that can be found just about everywhere and have real-world consequences. Cui said printers, phones and other devices connected to the Internet provide a platform for an attacker to leapfrog to more servers containing more sensitive data.
"Once I have access to all of these embedded systems, I can now use these guys to attack the general purpose server on your network," Cui said. "I can also use these devices to exfiltrate information from the network."
The attack can be carried out by gaining local access via the AUX port located on the rear of the device or remotely by authenticating to the device via SSH and executing malicious code. Cisco said the remote, SSH method is disabled by default on the device once it has been provisioned by a Cisco Unified Call Manager.
During the presentation, systems expert Cui showed the Cisco phone at the White House and on Air Force One. The device is not really a phone, he said, but a general purpose computer put into a plastic case to make it look like a phone. The device runs Cisco's proprietary UNIX OS and Java. It uses the SSH protocol, but "the way it's implemented makes it worse than Telnet," Cui said.
Although the firmware is signed, Cui said he found that code signing is checked only at boot time. Once the phone boots up, an attacker can log in, download any code they want and execute it from the temp directory, he said.