VoIP Phone Flaw Invites Eavesdroppers

A tiny bug that takes only seconds to install could turn Cisco's Voice Over IP (VoIP) phones into remote listening devices, even when they appear to be hung up.
Source: TechNewsDaily

"The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel," Columbia University graduate student Ang Cui told the Dark Reading security blog.

It allows the attacker to "become root" and listen to the phone's mic from a remote location via cellphone, he explained.

Although a hacker wouldn't be listening in on the call, he could potentially glean private and sensitive information from a conversation conducted near the compromised device.

Cui said the attack works by inserting a small circuit board into the phone's Ethernet port. From there he reconfigured the phone's firmware to make the switch in the phone's cradle function as a "funtenna."

For its part, Cisco has pointed to firmware updates available on its website and underscored that attackers need physical access to a phone in order to exploit the flaw.

"I encourage everyone to patch to the latest [not publicly] available firmware ASAP," Cui agreed. "At the end of the day, I'd like to see actual mechanical switches that control the various input/output devices on IP phones."

Follow Ben on Twitter.