Cisco IP Phones Vulnerable to Eavesdropping Attacks

Ang Cui and Salvatore Stolfo from Columbia University said they have found the issue in all 14 of Cisco's Unified VoIP phones, but the devices of other manufacturers are potentially affected as well. The researchers demonstrated how easy it is to insert malicious code into the phone's software and "start eavesdropping on private conversations - not just on the phone but also in the phone's surroundings - from anywhere in the world."

Cui and Stolfo did not provide any details of the attack other than the fact that they used binary firmware analysis to identify flawed code. "It's relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones," Stolfo said. "They are not secure."

According to the researchers, Cisco has released a patch, which apparently is not good enough: "It doesn't solve the fundamental problems we've pointed out to Cisco," Cui said. There was no known solution other than rewriting the firmware of the phones or using Software Symbiotes, a protection Cui and Stolfo developed. According to the researchers, Symbiotes are "a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement."

"They extract computational resources from the host while simultaneously protecting the host from attack and exploitation," Cui said. "And, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses." Cui and Stolfo said they intend to demonstrate a protected Cisco IP phone at an upcoming conference.

Contact Us for News Tips, Corrections and Feedback

  • iniudan
    For those that actually want the detail, here the video of the conference, which is much less alarmist, then this news feed, Also the vulnerability only affect certain model (forgot where it is, so no link)
    Kind of lame, because if you can look at packets and decipher where the phone actually is to attack it, you can very likely just listen in to the RTP packets anyways.

    Regardless, fail to use TLS with SIP and people will find where you phone is if they can read the packets. Fail to use SRTP and anyone who can read the packets can record and/or listen.