A desk phone is one of the most essential tools that aid internal communication needs of an enterprise’s needs given its inherent features.
Many offices and enterprises around the world uses Desk phones mostly, the Cisco-branded telephones.
But did you know that that Cisco Desk Phone could be your weak-link to hackers?
The networking company issued a security advisory with the catchy name “cisco-sa-20130109-uipphone” in a statement intended to warn users.
“Cisco Unified IP Phones 7900 Series versions 9.3(1) SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges”.
Cisco acknowledges that “Ang Cui initially reported the issue to the Cisco Product Security Incident Response Team (PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco bug ID CSCuc83860 (registered customers only)
“Just because you are paranoid doesn’t mean your phone isn’t listening to everything you say”, he said in one of the comments.
“A hacker can actually listen to everything that’s going on in the room that the phone is in regardless of whether you are on the phone call or not”
Ang reveals that they took apart Cisco Phone, and looked at it not like a telephone, but like a computer.
The Desk Phone has a handset, a screen, and a bunch of numbers that can be dialed. It also runs a whole lot of very vulnerable software.
“We extracted the firmware that runs on that computer, and we systematically mapped out things that look like vulnerabilities. And over the course of two and a half months, we figured out exactly where the vulnerabilities are in a portion of the system that we can reach as an attacker”.
“What can someone do if they were able to exploit the software and firmware running inside your phone? Well they can certainly listen to you when you’re making phone calls. They can probably figure out who you’re calling and when. But it goes way beyond that.”
“The microphone never turns off, so the hacker can listen to every single thing that the phone hears one hundred percent of the time, without stop”.
In fact, they could even stream them over a network.
However, he did not only identify the vulnerability but also provided a solution.
Physical access to the phone is required for this to be carried out.
He says; “Of course, if you work in a public area – think security desk inside a company door, or even a locked office that maintenance and cleaning has access to – then there is no shortage of people who can carry out the exploit”.
In fact, we have seen in the past how easily social engineering can gain access to the most restricted areas of a building.
The company also goes on to promise that it will “conduct a phased remediation approach and will be releasing an intermediate Engineering Special software release for affected devices to mitigate known attack vectors for the vulnerability”.