Home Cisco VoIP Phone Flaw Could Plant Bugs In Your Cubicle

Cisco VoIP Phone Flaw Could Plant Bugs In Your Cubicle

A new study has discovered a very exploitable flaw in Cisco’s popular Voice-over-Internet Protocol (VoIP) phones, which could put millions of users in the enterprise and government at risk of remote eavesdropping.

Cisco VoIP phones sit on some 50 million businesses and government office desks across the country and around the world. Take a peek in the Oval Office or on Air Force One, you’ll find them there, too. 

VoIP phones use the Internet – instead of a standard phone network – to transmit voice calls, text messages and faxes instead of a standard phone network. Internet phone service is much cheaper than traditional phone service, while the phones are as easy to use as any office phone system. But according to Ang Cui, a doctoral candidate at Columbia University, and Dr. Sal Stolfo, they’re also a big potential security threat. And it’s not just Cisco phones – all VoIP phones are potentially susceptible to this flaw.

Hardware Flaw Déjà Vu

If the names Cui and Stolfo sound familiar, it’s probably because they aren’t new to the flaw-finding game. They made a similar discovery last year with HP printers that could be controlled remotely to collect information and attack other networks, due to a flaw very similar to the one they found in the phones. 

This time around, the duo was looking at a bug that shows up in 14 models of Cisco VoIP phones. The vulnerabilities lie in the phone’s firmware, specifically in the kernel system calls. Kernels are the core of the operating system and help manage a computer’s resources (CPU, memory, apps). Receiving a system call means an application running on the device wants to access hardware on the device, but needs approval from the kernel first. The bug allows hackers to easily bypass the kernel to access a VoIP device’s hardware.  

These phones aren’t just phones, Cui explained to NBC News, they are “general-purpose computers jammed into a plastic case to make you think it’s a phone.” Inside that plastic case is a system on a chip (SoC), RAM, flash memory and a network card. Add a microphone and an off-hook switch that activates the microphone when the handset is picked up, and you’ve got yourself a VoIP phone.

Let Your Fingers Do The Hacking

Cui and another researcher on the project, Michael Costello, demonstrated the hack at the the Chaos Communications Conference in December. The hack requires a plug-in device to insert malicious code (lovingly referred to as “ThingP3WN3r” at the conference demo), but it needs only one phone or device to access the whole network. The fact that this is a physical attack mitigates the danger of this vulnerability. But the amount of time needed to perform this physical attack is just seconds, so even an un-monitored lobby phone could serve as a potential vector for attack. A quick chat with the receptionist outside an office, or a visitors booth with a VoIP phone will do nicely. Once loaded onto the phone, the malware rewrites the onboard software so that the phone is virtually taken off the hook.

Usually, when you pick up the phone to make a call, an LED indicator light comes on or an icon pops up on the screen. The rewritten code disables those indicators and turns on the handset’s microphone so that any conversation nearby can be heard and transcribed back to a central server. Which, at this point, is being controlled by the hacker. 

Not Exploited Yet?

In an email to ReadWrite, Cui wrote that he couldn’t say whether the vulnerability has been exploited yet, “I will say that if a competent hacker looked at the code running in these phones, the vulnerability is not difficult to find and is straightforward to exploit.” Cui also claimed that currently no one can tell if a vulnerable phone has been compromised, because there’s no way to look into the phone to see if the software has been tampered with. 

The researchers told Cisco about the vulnerability last Fall in a report. It was acknowledged and within two weeks Cisco had provided a patch to fix the bug. Two weeks later, Cui and Stolfo downloaded the patch and sent a second report to Cisco that it didn’t work. There is currently a security alert listed on the company’s website with a more detailed account of the flaw. Cisco says it is working on rewriting the firmware and hopes to have a permanent fix ready by January 21. (Cisco did not respond to a request for comment.)

Cui and Stolfo have developed their own fix, called Software Symbiotes, which they plan to demo at the RSA Conference in San Francisco in February. The defensive technology will live alongside executable code or arbitrary software to ensure that it works properly. Symbiotes, according to Cui, will be able to tell whether a system has been compromised, and either stop the malware or turn off the host device altogether. 

Until then, users of Cisco and other VoIP devices should be sure their devices are properly patched, or else watch what they say around the office.

Image courtesy of Shutterstock.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.