Use this phone at work? You could be at risk of eavesdropping thanks to unpatched flaw

Cisco IP phoneCisco has warned that hackers could eavesdrop upon your private communications, thanks to an unpatched firmware flaw in some of its small business phones.

According to an advisory issued by the company, the vulnerability resides in the firmware used by the Cisco Small Business SPA 300 and 500 series IP phones, and could allow an unauthenticated, remote attacker to not just listen to the audio stream of IP conversations.

Vulnerability researcher Chris Watts, who uncovered the flaw, told ITNews that he found three vulnerabilities in the devices, the most serious of which (CVE-2015-0670) could allow remote hackers to make calls remotely, or even spy on conversations occurring near to the phone:

"An attacker could exploit this vulnerability and remotely turn on a phone’s microphone and eavesdrop from anywhere in the world," Watts said.

This included being able to hear not just the phone conversations, but sounds in the device's surroundings - all without victims noticing the interception is taking place.

"Imagine the phone in your office or boardroom streaming conversations to your competitors," Watts said.

Apparently, the attack relies upon specially-crafted XML requests being sent to the at-risk devices.

Version 7.5.5 of the phone firmware is said to be vulnerable, although other more recent versions could also be at risk.

Cisco says it is working on a patch, which hopefully will be made available soon, but in the meantime advises that administrators enable XML Execution authentication in the configuration settings of vulnerable phones.

Although some might imagine that the chances of an IP phone being exploited by attackers is remote, it would be wise to ensure that your systems are locked down and internet-connected devices are not unnecessarily exposed.

After all, there are specialist search engines like Shodan which are designed to reveal exposed internet-enabled devices such as webcams, routers and IP phones.

Shodan

Remember. You need to be careful about everything you plug into the internet...

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

One Response

  1. Coyote

    March 23, 2015 at 11:01 pm #

    "Remember. You need to be careful about everything you plug into the internet…"

    Yes, this is true. However, I would extend this – you should be careful about everything connected to a network, full stop. It doesn't matter what kind of network, either. Even if it is an intranet or otherwise a segregated subnet (of an intranet, for example), there's still risks. This also goes for the telephone networks (although probably true that this goes especially for mobile phone networks). On that latter note (which is conveniently an anagram for tone, which allows for the pun), mobile networks are equally (if not more so) vulnerable. In the end, the only secure computer is the computer that doesn't exist (being offline and unplugged does not mean 100% secure, not under any circumstances), and because of this, you can only make it as safe as you're capable, but it is never 100%. But the more devices it is attached to, directly and indirectly, the higher the risk. I'll not even get in to the lunacy (that I wish would actually die a pleasant death instead of living on) of connecting kitchen appliances, thermostats, and who knows what else, to the Internet…other than stating that those are at risk too (and it is risky to dismiss it as impossible or unlikely because there's many examples, routers with malware for one example).

Leave a Reply