updated 12/20/2012 10:45:52 AM ET

A tiny bug that takes only seconds to install could turn Cisco's Voice Over IP (VoIP) phones into remote listening devices, even when they appear to be hung up.

"The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel," Columbia University graduate student Ang Cui told the Dark Reading security blog.

It allows the attacker to "become root" and listen to the phone's mic from a remote location via cellphone, he explained.

Although a hacker wouldn't be listening in on the call, he could potentially glean private and sensitive information from a conversation conducted near the compromised device.

Cui said the attack works by inserting a small circuit board into the phone's Ethernet port. From there he reconfigured the phone's firmware to make the switch in the phone's cradle function as a "funtenna."

For its part, Cisco has pointed to firmware updates available on its website and underscored that attackers need physical access to a phone in order to exploit the flaw.

"I encourage everyone to patch to the latest [not publicly] available firmware ASAP," Cui agreed. "At the end of the day, I'd like to see actual mechanical switches that control the various input/output devices on IP phones."

Follow Ben on Twitter @benkwx.

© 2012 TechNewsDaily

