Turns out Cisco VOIP phones can be exploited either locally (by plugging in to the Ethernet port for a second?) or remotely (which may or may not be practical)… giving the attacker control over the phones’ buttons, LED, and yes, DSP.
So not only can the attacker reroute the “CEO” speed dial to “Janitorial” (and vice-versa) but a seconds’ worth of physical access lets the attacker use the thing as a room bug… transmitting anywhere over the Internet.
No, this isn’t particularly new. TSCM types have been warning about VOIP phones for ages, after all.
It’s still a good reminder that the safest solution is an analog land-line phone… sitting on a table OUTSIDE the room.
“A researcher has demonstrated how Cisco Voice-over-IP (VoIP) phones can be hijacked and turned into listening devices.
At the Amphion Forum this month, Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. The forum, held in San Francisco, is produced by Mocana, which makes security software for non-PC devices that connect to the Internet.
“The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,” Cui tells Dark Reading. “It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.”
As part of the demonstration, Cui inserted and removed a small external circuit board from the phone’s Ethernet port — a move he asserted could be accomplished by someone left alone inside a corporate office for a few seconds. He then used his own smartphone to capture every word spoken near the VoIP phone, even though it was still “on-hook.”
By patching the VoIP phone’s software with his own code, he was able to turn the Off-Hook Switch into what he refers to as a “funtenna.”
The issue can be exploited remotely as well, explains Cui, where a likely method of exploiting the kernel is by using an arbitrary execution bug on the phone’s surface.
“Typically, exploitation of a nonprivileged process will give the attacker limited access to the phone,” he says. “But in this case, any arbitrary code execution bug can be used to exploit the vulnerable syscalls, giving the attacker kernel-level access. I’ve identified several third-party libraries within the Cisco phone that have known exploitable vulnerabilities.”
“The exploitability of these vulnerable third-party libraries will be discussed at 29C3 [29th Chaos Communication Congress],” he says.
In response to his findings, Cisco says that workarounds and a software patch are available to address the issue, and that successful exploitation requires physical access to the device serial port or a combination of remote authentication privileges and nondefault settings. “