Researchers have found an easily exploitable flaw in Cisco's widely deployed Voice-over-Internet Protocol (VoIP) phones, one that could expose millions of enterprise and government users to eavesdropping on conversations held near the handset.

Cisco VoIP phones sit on some 50 million businesses and government office desks across the country and around the world. Take a peek in the Oval Office or on Air Force One, you’ll find them there, too. 

VoIP phones use the Internet, instead of a standard phone network, to carry voice calls, text messages and faxes. Internet phone service is much cheaper than traditional phone service, and the phones are as easy to use as any office phone system. But according to Ang Cui, a doctoral candidate at Columbia University, and Dr. Sal Stolfo, they are also a serious potential security threat. And it is not only Cisco phones: any VoIP phone built the same way is potentially susceptible to the same class of flaw.

Hardware Flaw Déjà Vu

If the names Cui and Stolfo sound familiar, it is probably because they are not new to the flaw-finding game. They made a similar discovery last year in HP printers, which could be controlled remotely to collect information and attack other networks, thanks to a flaw very similar to the one they found in the phones.

This time around, the duo was looking at a bug that shows up in 14 models of Cisco VoIP phones. The vulnerabilities lie in the phone's firmware, specifically in the kernel's system calls. The kernel is the core of the operating system and manages the computer's resources (CPU, memory, apps). A system call is how an application asks the kernel for something it is not allowed to do on its own, such as touching the hardware, and the kernel is supposed to check the request before granting it. The affected system calls do not check their requests properly, so code running on the phone can get around the kernel's gatekeeping and reach the device's hardware directly.
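To make that bug class concrete, here is an added example, not Cisco's code and not the researchers' exploit: a toy kernel with a single system call that writes application-supplied bytes into memory. The memory layout, the two hardware register addresses and all function names are constructed for the illustration. The first version of the call trusts the caller's destination, so an ordinary application can flip the microphone register itself; the second refuses anything outside the region applications are allowed to touch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed address-space model: one flat array stands in for the phone's
 * RAM. Applications may only write to [USER_BASE, USER_LIMIT); everything
 * else belongs to the kernel, including two hypothetical hardware registers. */
#define MEM_SIZE     256
#define USER_BASE    16
#define USER_LIMIT   128
#define MIC_CTRL_REG 200   /* hypothetical: 1 = handset microphone on  */
#define LED_CTRL_REG 201   /* hypothetical: 1 = off-hook indicator lit */

enum { SYS_OK = 0, SYS_EPERM = -1, SYS_EINVAL = -2 };

static uint8_t mem[MEM_SIZE];

uint8_t read_mem(size_t addr) { return addr < MEM_SIZE ? mem[addr] : 0; }

void reset_phone(void) { memset(mem, 0, sizeof mem); }

/* Vulnerable shape: the handler believes the caller about where the bytes
 * should go. Any application can reach any address, so the approval step
 * the kernel is supposed to provide does not exist in practice. The only
 * check here keeps the toy inside its own array. */
int sys_write_mem_vuln(size_t dst, const uint8_t *src, size_t len)
{
    if (len > MEM_SIZE || dst > MEM_SIZE - len) return SYS_EINVAL;
    memcpy(&mem[dst], src, len);
    return SYS_OK;
}

/* Hardened shape: validate the pointer, bound the length first, then test
 * the destination with subtraction so that dst + len cannot wrap around. */
int sys_write_mem_safe(size_t dst, const uint8_t *src, size_t len)
{
    if (src == NULL || len == 0) return SYS_EINVAL;
    if (len > USER_LIMIT - USER_BASE) return SYS_EINVAL;
    if (dst < USER_BASE || dst > USER_LIMIT - len) return SYS_EPERM;
    memcpy(&mem[dst], src, len);
    return SYS_OK;
}

/* What the attack in the article needs: microphone on, off-hook indicator
 * dark. Returns 1 if the given system call let that happen. */
int try_silent_mic(int (*syscall)(size_t, const uint8_t *, size_t))
{
    const uint8_t on = 1, off = 0;
    reset_phone();
    syscall(MIC_CTRL_REG, &on, 1);
    syscall(LED_CTRL_REG, &off, 1);
    return mem[MIC_CTRL_REG] == 1 && mem[LED_CTRL_REG] == 0;
}

int main(void)
{
    printf("unvalidated syscall: silent mic enabled = %d\n", try_silent_mic(sys_write_mem_vuln));
    printf("validated syscall:   silent mic enabled = %d\n", try_silent_mic(sys_write_mem_safe));
    return 0;
}
```

The point of the hardened version is the order of the checks: the length is bounded before it is used in arithmetic, and the upper bound is computed as `USER_LIMIT - len` rather than `dst + len`, which would wrap for a large `dst` and slip past a naive comparison.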

These phones aren’t just phones, Cui explained to NBC News, they are “general-purpose computers jammed into a plastic case to make you think it’s a phone.” Inside that plastic case is a system on a chip (SoC), RAM, flash memory and a network card. Add a microphone and an off-hook switch that activates the microphone when the handset is picked up, and you’ve got yourself a VoIP phone.

Let Your Fingers Do The Hacking

Cui and another researcher on the project, Michael Costello, demonstrated the hack at the Chaos Communication Congress in December. The attack requires plugging a small device into the phone to load malicious code (lovingly referred to as "ThingP3WN3r" at the conference demo), but it needs only one phone to get a foothold on the whole network. The need for physical access limits the danger of this vulnerability, but the hands-on part takes only seconds, so even an unmonitored lobby phone can serve as a way in. A quick chat with the receptionist outside an office, or a visitors' booth with a VoIP phone, will do nicely. Once loaded onto the phone, the malware rewrites the onboard software so that the phone is effectively taken off the hook.

Usually, when you pick up the handset to make a call, an LED indicator lights up or an icon appears on the screen. The rewritten code disables those indicators and switches on the handset's microphone, so that any conversation nearby can be captured and sent back to a central server, which at this point is controlled by the attacker.

Not Exploited Yet?

In an email to ReadWrite, Cui wrote that he couldn't say whether the vulnerability has been exploited yet: "I will say that if a competent hacker looked at the code running in these phones, the vulnerability is not difficult to find and is straightforward to exploit." Cui also said that at present no one can tell whether a vulnerable phone has been compromised, because there is no way to look inside the phone and check whether its software has been tampered with.

The researchers reported the vulnerability to Cisco last fall. Cisco acknowledged it and within two weeks provided a patch to fix the bug. Two weeks after that, Cui and Stolfo downloaded the patch and sent Cisco a second report saying that it didn't work. A security alert with a more detailed account of the flaw is currently listed on the company's website. Cisco says it is rewriting the firmware and hopes to have a permanent fix ready by January 21. (Cisco did not respond to a request for comment.)

Cui and Stolfo have developed their own fix, called Software Symbiotes, which they plan to demo at the RSA Conference in San Francisco in February. The defensive code runs alongside the device's own firmware, whatever that firmware is, and continuously checks that it has not been altered. Symbiotes, according to Cui, will be able to tell whether a system has been compromised and either stop the malware or shut the host device down altogether.
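As an added illustration of the monitoring idea described above, and of the tampering check Cui says today's phones lack, here is the skeleton of a firmware integrity monitor. This is not the researchers' Symbiote code; the code image, the region names and the use of FNV-1a as the digest are all constructed for the example. The monitor records a digest of each code region at boot and re-checks them on a timer, reporting any region that no longer matches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a phone's code image: two "routines" laid out
 * back to back. Real firmware is far larger, but the monitor's logic is
 * the same: digest each code region at boot, re-check it periodically. */
#define CODE_SIZE 64
#define NREGIONS  2

typedef struct { size_t off, len; const char *name; } region_t;

static uint8_t code[CODE_SIZE];
static const region_t regions[NREGIONS] = {
    { 0,  32, "offhook_led_handler" },  /* hypothetical routine names */
    { 32, 32, "mic_control"         },
};
static uint32_t baseline[NREGIONS];     /* known-good digests captured at boot */

/* 32-bit FNV-1a. Every step is a bijection on the running state, so a single
 * changed byte is guaranteed to change the digest. It is NOT a cryptographic
 * hash; see the note after the block. */
uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Deterministic pseudo-machine-code so the example runs offline. */
void load_firmware(void)
{
    for (size_t i = 0; i < CODE_SIZE; i++) code[i] = (uint8_t)(i * 37 + 11);
}

/* Run once at boot, before any untrusted code could execute. */
void capture_baseline(void)
{
    for (int r = 0; r < NREGIONS; r++)
        baseline[r] = fnv1a(code + regions[r].off, regions[r].len);
}

/* The periodic check. Returns a bitmask of regions whose digest has changed
 * since boot (bit r = region r); 0 means nothing has been rewritten. */
unsigned check_integrity(void)
{
    unsigned changed = 0;
    for (int r = 0; r < NREGIONS; r++)
        if (fnv1a(code + regions[r].off, regions[r].len) != baseline[r])
            changed |= 1u << r;
    return changed;
}

/* Policy hook. The article describes two responses, stopping the malware or
 * shutting the phone down; here we only report, and return the count so the
 * caller can decide. */
int respond(unsigned changed)
{
    int n = 0;
    for (int r = 0; r < NREGIONS; r++)
        if (changed & (1u << r)) { printf("ALERT: %s modified\n", regions[r].name); n++; }
    return n;
}

/* Simulates the implant: flip one byte in the image (a real implant would
 * patch out the instruction that lights the off-hook lamp). */
void tamper_byte(size_t off) { if (off < CODE_SIZE) code[off] ^= 0x01; }

int main(void)
{
    load_firmware();
    capture_baseline();
    printf("clean check: 0x%x\n", check_integrity());
    tamper_byte(5);                 /* inside offhook_led_handler */
    respond(check_integrity());
    return 0;
}
```

Two caveats a practitioner would raise. FNV-1a detects accidental or naive modification, but an attacker who knows the monitor is there can craft a patch that keeps the digest; a keyed MAC or a cryptographic hash is the right tool in production. More importantly, code that can rewrite the firmware can also rewrite the baseline table or the checker itself, so the monitor and its reference values need protection the phone's kernel does not provide on its own, which is the hard part of a Symbiote-style design.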

Until then, users of Cisco and other VoIP devices should be sure their devices are properly patched, or else watch what they say around the office.
