
Researchers Convert Phones Into Secret Listening Devices

Posted by timothy
from the what's-that-you-say? dept.
CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"
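The failure Cui describes, a syscall that takes a pointer from userland and uses it without checking that it points into user memory, can be modelled without any phone hardware. The following is an added example, not Cisco's CNU code and not Cui's exploit: a toy kernel whose user and kernel memory share one flat array, a hostname get/set syscall pair that trusts the addresses it is given, the same pair with the range check that should have been there, and an attack that turns the missing check into a write of zero bytes over the caller's own uid. The address split, the kernel layout (uid at one fixed offset, hostname buffer at another) and the hostname syscalls are all assumptions chosen for the demonstration.

```c
/*
 * Added example (not Cisco's code, not Cui's exploit): a toy "kernel" whose
 * user and kernel memory live in one flat array, so the effect of a syscall
 * that trusts user-supplied pointers can be observed directly.
 * Addresses, the kernel layout and the hostname syscalls are all assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_BASE 0x0000u
#define USER_SIZE 0x1000u
#define KERN_BASE 0x1000u
#define KERN_SIZE 0x1000u
#define MEM_SIZE  (USER_SIZE + KERN_SIZE)

#define EFAULT 14
#define EINVAL 22

/* Assumed layout of the kernel half: the caller's uid and a hostname buffer. */
#define CRED_UID_ADDR (KERN_BASE + 0x100u)  /* 4-byte uid of the calling process */
#define HOSTNAME_ADDR (KERN_BASE + 0x200u)
#define HOSTNAME_MAX  64u

static uint8_t mem[MEM_SIZE];

uint32_t current_uid(void) {
    uint32_t uid;
    memcpy(&uid, &mem[CRED_UID_ADDR], sizeof uid);
    return uid;
}

void reset_kernel(void) {
    uint32_t uid = 1000;  /* unprivileged caller */
    memset(mem, 0, sizeof mem);
    memcpy(&mem[CRED_UID_ADDR], &uid, sizeof uid);
}

/* Stands in for the MMU: a range outside physical memory faults instead of working. */
static int mapped(uint32_t addr, uint32_t len) {
    return len <= MEM_SIZE && addr <= MEM_SIZE - len;
}

/* Vulnerable pair: the length is checked, but never whether src/dst lie in user space. */
int vuln_sys_sethostname(uint32_t src, uint32_t len) {
    if (len > HOSTNAME_MAX || !mapped(src, len)) return -EINVAL;
    memcpy(&mem[HOSTNAME_ADDR], &mem[src], len);  /* src may be a kernel address */
    return 0;
}
int vuln_sys_gethostname(uint32_t dst, uint32_t len) {
    if (len > HOSTNAME_MAX || !mapped(dst, len)) return -EINVAL;
    memcpy(&mem[dst], &mem[HOSTNAME_ADDR], len);  /* dst may be a kernel address */
    return 0;
}

/* Hardened pair: every user-supplied range must lie wholly inside user space. */
int access_ok(uint32_t addr, uint32_t len) {
    if (len > USER_SIZE) return 0;                 /* also rules out addr+len wraparound */
    return addr - USER_BASE <= USER_SIZE - len;    /* unsigned: addr < USER_BASE wraps and fails */
}
int safe_sys_sethostname(uint32_t src, uint32_t len) {
    if (len > HOSTNAME_MAX) return -EINVAL;
    if (!access_ok(src, len)) return -EFAULT;
    memcpy(&mem[HOSTNAME_ADDR], &mem[src], len);
    return 0;
}
int safe_sys_gethostname(uint32_t dst, uint32_t len) {
    if (len > HOSTNAME_MAX) return -EINVAL;
    if (!access_ok(dst, len)) return -EFAULT;
    memcpy(&mem[dst], &mem[HOSTNAME_ADDR], len);
    return 0;
}

/* Userland attack: stage four zero bytes, store them as the hostname, then ask the
 * kernel to copy that "hostname" over the caller's own uid. Returns the resulting uid. */
uint32_t run_attack(int (*seth)(uint32_t, uint32_t), int (*geth)(uint32_t, uint32_t)) {
    uint32_t stage = USER_BASE + 0x10u;
    memset(&mem[stage], 0, 4);
    seth(stage, 4);
    geth(CRED_UID_ADDR, 4);  /* dst points into the kernel half */
    return current_uid();
}

int main(void) {
    reset_kernel();
    printf("vulnerable kernel: uid after attack = %u\n",
           run_attack(vuln_sys_sethostname, vuln_sys_gethostname));
    reset_kernel();
    printf("hardened kernel:   uid after attack = %u\n",
           run_attack(safe_sys_sethostname, safe_sys_gethostname));
    return 0;
}
```

The point of the hardened version is that the check is on the range, not the pointer alone: a length that pushes the range past the end of user space (or wraps the address) is rejected before any copy, which is what a real access_ok-style check has to do as well.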

  • Don't worry, Harold and John will stop listening when you get hot and heavy with your date.
  • by cloudmaster (10662) on Monday December 17, 2012 @01:51AM (#42311791)

    As part of the demonstration, Cui inserted and removed a small external circuit board from the phone's Ethernet port

    Seems like it'd be easier to just slap a traditional bug under the filing cabinet if you're going to need physical access anyway. And maybe leave behind a hardware keylogger while you're at it. Possibly also an annoyatron [thinkgeek.com]. :)

    • Re:Physical access? (Score:4, Interesting)

      by hidden (135234) on Monday December 17, 2012 @02:10AM (#42311843)

      I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.

      • by net28573 (1516385)
        Concerning the likelihood as to whether or not it would matter to anyone personally or allow the culprit to be identified: most hardware keyloggers leave no personally identifiable information aside from scannable memory partitions; however, in order to access those partitions you need to know a key combo. Without the key combo, you might as well have nothing. You also have to be aware that it is a keylogger in the first place before anything else. Who honestly checks their usb/ps2 ports more than once a we
      • Re:Physical access? (Score:4, Interesting)

        by hawguy (1600213) on Monday December 17, 2012 @02:33AM (#42311907)

        I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.

        Besides, when you use the phone as your bug, you don't need to worry about a power source. Gaining entry to an office as a part of the janitorial company seems like a trivial exercise for someone determined to steal corporate secrets.

        Of course, the drawback is that this would be trivial to detect with a simple IDS system: "Hey, why does the conference room phone keep sending data to a Verizon Wireless IP address?". While a traditional bug would require an RF sweep to find it - and if it saves up conversations and sends them out in a short burst, it can be nearly impossible to find without constant surveillance.

        • by khasim (1285)

          While a traditional bug would require an RF sweep to find it - and if it saves up conversations and sends them out in a short burst, it can be nearly impossible to find without constant surveillance.

          No reason that could not be done in this situation as well.

          The hacked phone sends the communications to a hacked workstation on the same LAN segment. They're stored until later.

          Then they're sent out over the next day or so with the regular traffic disguised as an encrypted HTTPS stream.

    • Re:Physical access? (Score:5, Informative)

      by TheRaven64 (641858) on Monday December 17, 2012 @05:32AM (#42312515)

      I saw the exploit demonstrated about a month ago (when it was still not yet public, but after Cisco had been told about it). It doesn't require physical access, but it does require you to be able to run something on the local network. (From slightly fuzzy memory:) The phones have some hard-coded settings which tell them about the correct server to use for getting the configuration data. They fetch this on every boot. Tripping a power circuit can cause the phones to reboot (I think they do every few days anyway, to get updates), and once you've done that then you can use that phone to exploit the others. Getting root is simple, because the OS has a number of system calls that don't properly validate their arguments. Once you've done that, it's entirely a software bug, and it's in a system that is not designed for sysadmins to run code on, so your IDS probably won't catch it.

      That said, in a sensible deployment, you should have the SIP phones on a separate VLAN and only allow them to send TFTP packets to the authorised boot server. In this configuration, the first step of the exploit won't work unless you previously pwn the boot server, the switch (and, let's face it, they probably run IOS, so it's not that hard...), or have physical access.

      By the way, this is the same guy who previously discovered an exploit for a load of HP printers, allowing you to do things like have them email copies of any documents that are printed on them to some external site. He had quite a cute demo, which involved using a previously-pwned printer to hijack the phone network, so it's important to remember to have the phones and the printers on separate networks. And not to allow printers to connect to the outside world...
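The egress rule TheRaven64 gives for the phone VLAN (phones may only send TFTP to the authorised boot server) is also what turns the flows hawguy and khasim describe, a phone talking straight to an outside address or relaying through a workstation on another segment, into denied traffic. The block below is an added example, not Cisco IOS and not from the article or the comment: a first-match evaluator for that policy, run over constructed flow records. The addresses are assumptions (10.10.20.0/24 as the voice VLAN, 10.10.1.5 as the authorised TFTP/config server), and a production policy would also need the phones' call-signalling and media rules, which this example deliberately leaves out.

```c
/*
 * Added example (not Cisco IOS, not from the article): a first-match evaluator
 * for the "phones may only send TFTP to the authorised boot server" policy,
 * run over constructed flow records. Addresses are assumptions:
 * 10.10.20.0/24 is the voice VLAN, 10.10.1.5 the authorised TFTP/config server.
 * Call-signalling and media rules a real deployment needs are intentionally omitted.
 */
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PROTO_TCP 6
#define PROTO_UDP 17
#define ANY 0            /* wildcard for proto and port */

#define PHONE_VLAN  IP(10, 10, 20, 0)   /* assumed voice VLAN */
#define BOOT_SERVER IP(10, 10, 1, 5)    /* assumed authorised boot server */

struct rule {
    int permit;
    uint32_t src_net; int src_bits;
    uint32_t dst_net; int dst_bits;
    int proto; int dport;
};

/* IOS-style extended ACL with the same assumed addresses, for comparison:
 *   access-list 110 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.5 eq tftp
 *   access-list 110 deny   ip  10.10.20.0 0.0.0.255 any
 */
static const struct rule policy[] = {
    { 1, PHONE_VLAN, 24, BOOT_SERVER, 32, PROTO_UDP, 69 },
    { 0, PHONE_VLAN, 24, 0,           0,  ANY,       ANY },
};

/* Parse a dotted quad into a host-order uint32; returns 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = IP(a, b, c, d);
    return 1;
}

static uint32_t prefix_mask(int bits) {
    return bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits);
}
static int in_prefix(uint32_t ip, uint32_t net, int bits) {
    return (ip & prefix_mask(bits)) == (net & prefix_mask(bits));
}

/* First matching rule wins: 1 = permit, 0 = deny (also the implicit default), -1 = bad address. */
int evaluate(const char *src, const char *dst, int proto, int dport) {
    uint32_t s, d;
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d)) return -1;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (!in_prefix(s, r->src_net, r->src_bits)) continue;
        if (!in_prefix(d, r->dst_net, r->dst_bits)) continue;
        if (r->proto != ANY && r->proto != proto) continue;
        if (r->dport != ANY && r->dport != dport) continue;
        return r->permit;
    }
    return 0;
}

int main(void) {
    /* Constructed flows: a normal boot, a rogue config server on the voice VLAN,
     * direct exfiltration to an outside host, and a relay via a workstation VLAN. */
    struct { const char *src, *dst; int proto, dport; } flows[] = {
        { "10.10.20.15", "10.10.1.5",    PROTO_UDP, 69  },
        { "10.10.20.15", "10.10.20.99",  PROTO_UDP, 69  },
        { "10.10.20.15", "198.51.100.7", PROTO_TCP, 443 },
        { "10.10.20.15", "10.10.30.40",  PROTO_TCP, 443 },
    };
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
        printf("%-12s -> %-14s proto %2d port %3d : %s\n", flows[i].src, flows[i].dst,
               flows[i].proto, flows[i].dport,
               evaluate(flows[i].src, flows[i].dst, flows[i].proto, flows[i].dport) == 1 ? "permit" : "deny");
    return 0;
}
```

Because the deny rule is explicit rather than relying on the implicit default, the second rule is also where a hit counter or log statement would go on the switch; a phone that trips it is exactly the "why is the conference room phone talking to an outside address" signal hawguy mentions.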

  • On my phone here, and when I click the link the dark whatever domain appears briefly and tennis appears their page refreshes with this (screwed up) "url"
    location: /133696/show/3fd8d00f6b22f3da5506ef43feaf8168/?

    • by rjr162 (69736)

      Then it became tennis by the magic of fat fingering an extra key and auto-correct!

  • Seriously, did they look at The Dark Knight and say "Hey, that massively illegal cell-phone-Sonar concept was a good idea, let's look into it"
