Remotely listen in via hacked VoIP phones: Cisco working on eavesdropping patch

Let’s say the doors and windows are all closed, all cell phones in the room are on Airplane mode as you and your business partners discuss some super-secret save-the-world formula. But “just because you are paranoid doesn't mean your phone isn't listening to everything you say,” warned DARPA (Defense Advanced Research Projects Agency) funded researchers at the 29th Chaos Communication Congress (29C3). During Hacking Cisco Phones, the researchers demonstrated how they could remotely turn on a phone’s microphone and eavesdrop from anywhere in the world. If the VoIP Cisco phone has a web cam, they could also turn that on without anyone the wiser.

This Cisco phone vulnerability would allow more than eavesdropping for espionage purposes. Columbia University Computer Science Professor Salvatore Stolfo, said, “Any government that would like to peer into the private lives of citizens could use this. This is a great opportunity to create a low-cost surveillance system that is already deployed. It's a monitoring infrastructure that's free, when you turn these into listening posts."

Columbia University Computer Science PhD candidate Ang Cui demonstrated how they easily inserted “malicious code into a Cisco VoIP phone (any of the 14 Cisco Unified IP Phone models) and start eavesdropping on private conversations—not just on the phone but also in the phone’s surroundings—from anywhere in the world.” A hacked phone could “then infect other phones on the same network and attack connected computers and devices such as printers.” According to Cui, “We could turn a phone into a walkie-talkie that was always on by rewriting its software with 900 bytes of code. Within 10 minutes, it could then go on to compromise every other phone on its network so that you could hear everything,”

Cisco had released a patch to close the vulnerability, but the researchers said it was ineffective in stopping attackers from eavesdropping on conversations. Cui added, “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.” Now Cisco said its “A-Team is working on mitigations and a permanent patch. The company plans to issue a security advisory and a detailed mitigation document later this week.” The company had also told NBC News that “all Cisco IP phones feature a hard-wired light that will alert the user whenever the microphone is active," but the researchers showed that the speaker LED light indicating the microphone is on can be made to stay dark.

Cisco phones run a Unix-like operating system kernel. Columbia University showed this small wired device called a "thingp3wn3r" to plug into a RJ11 serial port of a Cisco phone and download malware. The extremely long Hacking Cisco Phones, 314 slides and nearly 2GB presentation [PDF] goes in depth into the hack. The 29C3 video showed the researchers using a mobile phone to connect to the thingp3wn3r over a Bluetooth connection to remotely deliver the exploit.

Columbia University Staff Research Scientist Michael Costello pointed out that Cisco phones are used in the White House, in Air Force One, in former CIA director David Petraeus’s office as well as in businesses large and small worldwide. “Having a vulnerability in a phone like this gives you ears in many skyscrapers in cities around the world,” Cui stated.

Dr. Howard Shrobe, DARPA Program Manager, added, "Computers often are at the core of many devices that most people do not think of as computers  (e.g.  phones, printers, power meters, cars and airplanes, for example) but which inherited the vulnerabilities of their embedded computer components.  These devices have enormous impact in our everyday lives and in our critical infrastructures and are therefore a core concern.”

“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications,” warned Stolfo. “It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones—they are not secure.”

According to the researchers, the solution to this problem is a “new defense technology, called Software Symbiotes, that protects them from exploitation. Cui added, “The beauty of the Symbiote is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars—systems that we all use every day.”

The researchers see these Symbiotes as a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement. “They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation,” explains Cui. “And, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses.”

Hacking Cisco Phones [PDF] Slide 210 states, “Cisco Unified IP Phone 7900 series, also referred to as Cisco TNP Phones contain an input validation vulnerability. A local authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.”

The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected:

• Cisco Unified IP Phone 7975G
• Cisco Unified IP Phone 7971G-GE
• Cisco Unified IP Phone 7970G
• Cisco Unified IP Phone 7965G
• Cisco Unified IP Phone 7962G
• Cisco Unified IP Phone 7961G
• Cisco Unified IP Phone 7961G-GE
• Cisco Unified IP Phone 7945G
• Cisco Unified IP Phone 7942G
• Cisco Unified IP Phone 7941G
• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7931G
• Cisco Unified IP Phone 7911G
• Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware only):

• Cisco Unified IP Phone 7971G-GE
• Cisco Unified IP Phone 7970G
• Cisco Unified IP Phone 7961G
• Cisco Unified IP Phone 7961G-GE
• Cisco Unified IP Phone 7941G
• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7906

Until a patch that closes the hole in the Cisco assigned "CSCuc83860 bug," thingp3wn3r workarounds include "Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network."