Cisco VoIP phones on-hook security vulnerability

Forbes magazine is reporting on the latest telecom fraud threat in the VoIP community.

Researcher Ang Cui has recently demonstrated an attack on common Cisco-branded Voice over IP (VoIP) phones that could easily eavesdrop on private conversations remotely. Cui, a fifth-year grad student in the Columbia University Intrusion Detection Systems Lab, has built an academic career on attacking common embedded systems such as routers, printers and now phones. He repeatedly called these devices “general-purpose computers”, forcing his audience to shift paradigms and understand that the devices that now surround us are, for the most part, insecure by design.

To present the demo, which had never been tried in a public forum before, Cui employed an external circuit board that he said James Bond would have no trouble inserting onto a telephone inside the target organization. Cui suggested he could be a job applicant to get inside or he could simply compromise the lobby phone. Once one phone is compromised, the entire network of phones could be vulnerable.

He later said the exploit could also be performed remotely, with no physical circuit board necessary. With the circuit board in place, Cui used an app he had written for his mobile phone to connect to it and export the mic data from the compromised phone sitting on a table next to the speaker’s dais, where the off-hook mic now captured Cui’s every word. After passing the mic data over the internet to Google’s speech-to-text service, he projected on a screen behind him a transcript of his spoken words, each appearing after a slight delay. He said that he could also bypass Google and simply capture the audio file as an “automatic blackmail device.”

Cisco’s statement: “The company maintains a very open relationship with the security community and we view this as vital to helping protect our customers’ networks. We can confirm that workarounds and a software patch are available to address this vulnerability, and note that successful exploitation requires physical access to the device serial port, or the combination of remote authentication privileges and non-default device settings. Cisco thanks Ang Cui and Salvatore Stolfo for allowing our team to validate the vulnerability and prepare a software patch ahead of the presentation.”

“A formal release note for customers was issued on November 2nd (bug id: CSCuc83860) and we encourage any customers with related questions to contact the Cisco TAC.”