Security researchers find vulnerability in Cisco VoIP phones

December 19, 2012 by Bob Yirka report
Computer scientists find vulnerabilities in Cisco VoIP phones
Columbia Engineering's computer science Ph.D. candidate Ang Cui designed this device to plug into a Cisco phone and download malware, showing the vulnerabilities of the phone. Credit: Columbia Engineering

(Phys.org)—Ang Cui a fifth year PhD student at Columbia University, has given a demonstration at this year's Amphion Forum in San Francisco, showing a security vulnerability he and colleagues have discovered in Cisco VoIP phones. The vulnerability, he said, allows an intruder to place an electronic device into an on-premise VoIP phone that can be controlled by a nearby smartphone – allowing the "Off Hook Switch" to be manipulated in such as way as to effectively turn the phone into a two-way walkie-talkie. He noted also that once a single phone had been breached all others on the same network could be breached as well though the single device.

Cui's demonstration was part of an overall theme – that embedded devices are vulnerable to attack by people bent on or who wish to cause harm. He noted that devices such as network printers are quite often installed without adequate protection, leaving them open to attack by those outside of the system who wish to get in. VoIP phones, he says, use roughly the same type of technology and thus are equally vulnerable.

VoIP phones are normal looking phones that make and receive telephone calls using the Internet instead of the traditional phone network. Many have installed them because of their increased utility. Governments use them as well, Cui demonstrated, by presenting pictures of them sitting in several different governmental offices, including that of the Director of the CIA. In his demonstration, he affixed a simple circuit board (he calls it the Thingp3wn3r) to a VoIP phone that he said could just as easily have been in someone's real office – in just minutes. Next, he demonstrated the effectiveness of the Thingp3wn3r by accessing it via a app. Words he spoke in the vicinity of the phone, despite the receiver being down – the traditional mode of putting a phone offline – were picked up by the circuit board and transmitted to the smarthone app and played for all to hear. The end result is an ability to place a bug in an office using a simple circuit board and available hardware.

Cui and his professor, Salvatore Stolfo notified Cisco of the vulnerability prior to the demonstration and Cisco has responded by creating a patch that prevents the vulnerability from occurring. Those who are concerned about the vulnerability of their own systems are urged to contact Cisco for support.

Explore further: Study Shows Thousands of Consumer Internet Connectivity Devices Are Vulnerable to Attack

More information: ids.cs.columbia.edu/sites/default/files/paper-acsac.pdf

Press release

Related Stories

ZTE scrambles to get at root of phone flaw

May 18, 2012

(Phys.org) -- Rattling phone security news surfaced this week for those owning ZTE Score M phones after an anonymous post to Pastebin.com reported a backdoor hole where others can gain control over a user’s device. The ...

Researcher says flaw in Android creates phone risk (Update)

September 28, 2012

Cellphones using Google's Android operating system are at risk of being disabled or wiped clean of their data, including contacts, music and photos, because of a security flaw that was discovered several months ago but went ...

Recommended for you

'Droneboarding' takes off in Latvia

January 22, 2017

Skirted on all sides by snow-clad pine forests, Latvia's remote Lake Ninieris would be the perfect picture of winter tranquility—were it not for the huge drone buzzing like a swarm of angry bees as it zooms above the solid ...

Singapore 2G switchoff highlights digital divide

January 22, 2017

When Singapore pulls the plug on its 2G mobile phone network this year, thousands of people could be stuck without a signal—digital have-nots left behind by the relentless march of technology.

Making AI systems that see the world as humans do

January 19, 2017

A Northwestern University team developed a new computational model that performs at human levels on a standard intelligence test. This work is an important step toward making artificial intelligence systems that see and understand ...

Firms push hydrogen as top green energy source

January 18, 2017

Over a dozen leading European and Asian firms have teamed up to promote the use of hydrogen as a clean fuel and cut the production of harmful gasses that lead to global warming.

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.