Cui, a fifth year grad student from the Columbia University Intrusion Detection Systems Lab and co-founder of Red Balloon Security, has demonstrated an attack on common Cisco-branded Voice over IP (VoIP) phones that could easily eavesdrop on private conversations remotely.
The vulnerability Cui demonstrated was based on work he did over the last year on what he called ‘Project Gunman v2’, where a laser printer firmware update could be compromised to include additional, and potentially malicious, code.
The latest vulnerability is based on a lack of input validation at the syscall interface. Cui said, “allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP , buttons, and LEDs on the phone.”
While he did not specify the precise vulnerability, Cui said it allowed him to patch the phone's software with arbitrary pieces of code, and that this allowed him to turn the Off-Hook Switch into what he called a funtenna.
According to Cui, once one phone is compromised, the entire network of phones is vulnerable. Cui later said he could also perform a similar exploit remotely, without the need to insert a circuit board at all.
He also said that routers, printers and phones are general-purpose computers without host-based intrusion systems or antivirus protection built in, so they make attractive targets. Further, they often lack encryption for data in motion or at rest.
Cui said affected models include Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, 7962G, 7961G, 7961G-GE, 7945G, 7942G, 7941G, 7941G-GE, 7931G, 7911G, and 7906. Models 7971G-GE, 7970G, 7961G, 7961G-GE, 7941G, 7941G-GE, and 7906 are also vulnerable.
In response to his findings, Cisco says that workarounds and a software patch are available to address the issue, and that successful exploitation requires physical access to the device serial port or a combination of remote authentication privileges and non default settings.