Cisco IP Phones Vulnerable to Eavesdropping Attacks

Ang Cui and Salvatore Stolfo from Columbia University said they have found the issue in all 14 of Cisco's Unified VoIP phones, but the devices of other manufacturers are potentially affected as well. The researchers demonstrated how easy it is to insert malicious code into the phone's software and "start eavesdropping on private conversations - not just on the phone but also in the phone's surroundings - from anywhere in the world."

Cui and Stolfo did not provide any details of the attack other than the fact that they used binary firmware analysis to identify flawed code. "It's relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones," Stolfo said. "They are not secure."

According to the researchers, Cisco has released a patch, which apparently is not good enough: "It doesn't solve the fundamental problems we've pointed out to Cisco," Cui said. There was no known solution other than rewriting the firmware of the phones or using Software Symbiotes, a protection Cui and Stolfo developed. According to the researchers, Symbiotes are "a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement."

"They extract computational resources from the host while simultaneously protecting the host from attack and exploitation," Cui said. "And, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses." Cui and Stolfo said they intend to demonstrate a protected Cisco IP phone at an upcoming conference.


  • iniudan
    For those who actually want the details, here is the video of the conference, which is much less alarmist than this news feed. Also, the vulnerability only affects certain models (forgot where it is, so no link).

    http://www.youtube.com/watch?v=f3zUOZcewtA&list=FL1pPBE8BFl2wRg_Bd2zWLpA
  • LORD_ORION
    Kind of lame, because if you can look at packets and decipher where the phone actually is to attack it, you can very likely just listen in to the RTP packets anyways.

    Regardless, fail to use TLS with SIP and people will find where your phone is if they can read the packets. Fail to use SRTP and anyone who can read the packets can record and/or listen.