
Researchers Convert Phones Into Secret Listening Devices

Posted by timothy
from the what's-that-you-say? dept.
CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"
  • Re:Preach it (Score:3, Informative)

    by maxwell demon (590494) on Monday December 17, 2012 @04:41AM (#42312143) Journal

    The rotary phones I knew mechanically disconnected the line when the cradle was pressed. Of course if you had removed the receiver from the cradle and still thought you were not connected anywhere just because you had not dialled a number, you were stupid. You just would have had to listen to it to know that it was connected to somewhere. Note that unpressing the cradle was not possible remotely. Of course someone might have physically modified the phone, but that's on the same level as installing a bug.

    Also note that the ISDN phones I was speaking of weren't cell phones either. I don't think there's a wireless version of ISDN. They had not been rotary phones, though.

  • Re:Preach it (Score:5, Informative)

    by symbolset (646467) * on Monday December 17, 2012 @05:57AM (#42312411) Journal

    I get +2 automatically because I have high Karma and I'm a subscriber. You get +1 for each of those. You could get the subscriber bonus for about $1/month. The high karma thing you have to work at. Karma is easier to get and lose though when all of your posts are +1 because you're a subscriber.

    I could discount these in my settings, and I used to. Most subscribers with high Karma do, as they consider posting at 3 "shouting". If my Karma falls back to normal, I probably will do that. Once upon a time I had such bad Karma I was posting at -1. But I recovered.

    I would still post just at 1, but the retarded sockpuppets and idiots do need shouting down with confidence. The price I pay for this is that I almost never get mod points.

  • Re:Physical access? (Score:5, Informative)

    by TheRaven64 (641858) on Monday December 17, 2012 @06:32AM (#42312515) Journal

    I saw the exploit demonstrated about a month ago (when it was still not yet public, but after Cisco had been told about it). It doesn't require physical access, but it does require you to be able to run something on the local network. (From slightly fuzzy memory:) The phones have some hard-coded settings which tell them about the correct server to use for getting the configuration data. They fetch this on every boot. Tripping a power circuit can cause the phones to reboot (I think they do every few days anyway, to get updates), and once you've done that then you can use that phone to exploit the others. Getting root is simple, because the OS has a number of system calls that don't properly validate their arguments. Once you've done that, it's entirely a software bug, and it's in a system that is not designed for sysadmins to run code on, so your IDS probably won't catch it.

    That said, in a sensible deployment, you should have the SIP phones on a separate VLAN and only allow them to send TFTP packets to the authorised boot server. In this configuration, the first step of the exploit won't work unless you previously pwn the boot server, the switch (and, let's face it, they probably run IOS, so it's not that hard...), or have physical access.

    By the way, this is the same guy who previously discovered an exploit for a load of HP printers, allowing you to do things like have them email copies of any documents that are printed on them to some external site. He had quite a cute demo, which involved using a previously-pwned printer to hijack the phone network, so it's important to remember to have the phones and the printers on separate networks. And not to allow printers to connect to the outside world...
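The segmentation rule described in the comment above (phones on their own VLAN, permitted only to fetch configuration over TFTP from the authorised boot server) can be turned into an audit over flow records, so that a phone talking to another phone, to a rogue TFTP server, or to the outside world is flagged. The following is an added example written for this page, not code from the commenter or from Cisco; the addresses, the call-controller allowance for SIP signalling, and the flow-record format are all assumptions constructed for the example.

```python
"""Audit flow records against an egress policy for a phone VLAN (constructed example)."""
import re
from ipaddress import ip_address, ip_network

# Assumed addressing for this example; none of these values come from the page.
PHONE_VLAN = ip_network("10.20.0.0/24")        # the SIP phones live here
BOOT_SERVER = ip_address("10.20.1.10")         # authorised TFTP configuration server
CALL_CONTROLLER = ip_address("10.20.1.20")     # SIP registrar/proxy (assumed to be needed)

# Egress allowed from the phone VLAN: (destination, protocol, destination port).
# The comment only mentions TFTP to the boot server; SIP to the call controller is
# added here as an assumption, since phones cannot register without it.
ALLOWED = {
    (BOOT_SERVER, "udp", 69),        # TFTP configuration fetch at boot
    (CALL_CONTROLLER, "udp", 5060),  # SIP signalling
}

# Constructed flow-record format: "<timestamp> <src> -> <dst> <proto>/<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+(?P<proto>tcp|udp)/(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; raise ValueError on malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return {
        "ts": m["ts"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def check_flow(flow):
    """Return None if the flow is allowed, otherwise a short reason it violates policy."""
    if flow["src"] not in PHONE_VLAN:
        return None  # the policy only constrains traffic originating from phones
    if flow["dst"] in PHONE_VLAN:
        # One compromised phone reaching the others is exactly the lateral step
        # the comment describes, so phone-to-phone traffic is never allowed.
        return "phone-to-phone traffic (possible lateral movement)"
    if (flow["dst"], flow["proto"], flow["dport"]) in ALLOWED:
        return None
    if flow["proto"] == "udp" and flow["dport"] == 69:
        return "TFTP to unauthorised server (rogue configuration source)"
    return "unexpected egress from phone VLAN"


def audit(lines):
    """Return a list of (record, reason) pairs for every record violating the policy."""
    violations = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason:
            violations.append((line, reason))
    return violations


# Constructed sample records: two legitimate phones, one of which misbehaves.
SAMPLE_FLOWS = [
    "2012-12-17T06:30:01 10.20.0.15 -> 10.20.1.10 udp/69",    # config fetch, allowed
    "2012-12-17T06:30:02 10.20.0.15 -> 10.20.1.20 udp/5060",  # SIP registration, allowed
    "2012-12-17T06:31:10 10.20.0.15 -> 10.20.0.16 tcp/22",    # phone to phone, violation
    "2012-12-17T06:31:15 10.20.0.16 -> 10.20.1.10 udp/69",    # config fetch, allowed
    "2012-12-17T06:32:00 10.20.0.16 -> 10.20.1.99 udp/69",    # rogue TFTP server, violation
    "2012-12-17T06:33:00 10.20.0.16 -> 203.0.113.5 tcp/443",  # outbound to Internet, violation
    "2012-12-17T06:34:00 10.20.1.10 -> 10.20.0.15 udp/69",    # server side, out of scope
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {reason}: {record}")
```

Run as a script it prints the three offending records. The same policy table is what you would express as an ACL on the phone VLAN's switch or firewall; the audit is useful precisely because, as the comment notes, the phone itself is not a system you can put an agent on, so the network is where the evidence has to be collected.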

  • Re:Preach it (Score:4, Informative)

    by thomst (1640045) on Monday December 17, 2012 @08:49AM (#42313037) Homepage

    Headline and summary are both misleading.

    The exploit demonstrated is specific to Cisco VOIP phones. No other manufacturer's devices are affected.
