Researchers Convert Phones Into Secret Listening Devices 59
CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"
Preach it (Score:1)
Re: (Score:2)
But is normally is not a listening device.
Now that exploiting a device with a microphone can turn it into a listening device isn't exactly new either (I remember having heard the same about ISDN phones quite some time ago). However that doesn't change the fact that there's still a huge gap between tracking and listening.
Re: (Score:2)
Re: (Score:3, Informative)
The rotary phones I knew mechanically disconnected the line when the cradle was pressed. Of course if you had removed the receiver from the cradle and still thought you were not connected anywhere just because you had not dialled a number, you were stupid. You just would have had to listen to it to know that it was connected to somewhere. Note that unpressing the cradle was not possible remotely. Of course someone might have physically modified the phone, but that's on the same level as installing a bug.
Als
Re: (Score:1)
Re:Preach it (Score:4, Insightful)
I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.
I have done so, and what you say makes no sense. The old carbon microphones require a current flowing through them in order to produce any signal, and that current draw is what signals to the CO that the receiver is off-hook. Therefore the microphone has to be disconnected from the line when the phone is on-hook (or else the CO would see the phone as permanently off-hook) and that is indeed the case in actual phones.
Re: (Score:2)
Re: (Score:2)
Sounds very interesting, but unless you can link to transcripts or other documentation, referring to "court cases" and "intelligence operations" simply counts as weasel words.
Re: (Score:2)
When the phone is on-hook a minor current is still flowing through it. This is enough for sensitive equipment to pick up the background sound in the room, and this mode of monitoring has actually been used in US court cases, as well as US intelligence gathering operations. It only works with old-school analog phones though.
Whether there's any current flowing at all will depend on the exact design of the telephone, of course (there wouldn't be any at all in the one I looked at). However, I'm sceptical that any sound could be reliably picked up at the CO: the magnitude of the signal current would likely be dwarfed by the level of background noise from interference etc... if this has been claimed in court cases it seems more likely to me that it's a cover story to hide the actual surveillance techniques used (e.g. modifying the
Re: (Score:3)
You may want to do a little research on "Passive HookSwitch Bypass Methods". Most require modifications to the phone itself, but not all, that is some of these methods can be accomplished between the phone and outside service line. Here's a quick list of the most common methods;
Re: (Score:2)
You may want to do a little research on "Passive HookSwitch Bypass Methods". Most require modifications to the phone itself, but not all, that is some of these methods can be accomplished between the phone and outside service line.
If you can modify the phone, it's easy, granted. If you can intercept the line between the phone and the outside line, then with the right design of telephhone there's a possibility you might get something audible. But the claim was that the sound is always relayed all the way to the CO; picking up such a tiny signal at that distance (over all the noise picked up along the way) seems implausible to me.
Re: (Score:3)
I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.
OK, here is the schematic of the most widely used mechanical telephone in The Netherlands: the T65 [telefoonmuseum.eu].
When the telephone is on hook ("hoorn"), only the ringer (bel) is connected to the line.
I really cannot think of another arrangement: the ringer voltage is high (100V?) so you don't want that appearing over your mic or speaker.
Please share with us the schematic of the phones you disassembled, or are you really a troll?
Re: (Score:1)
Re: (Score:2)
See? My point has been proven for me. The "schematic" is wrong, but the "real" phones are different. Didn't you know this? And if you manage to dissect a "real" phone that proves your point then of course you are guilty of tampering with it You did something to it to hide the evidence. In fact, you're one of THEM, aren't you?
Sorry for talking over you, symbolset, but I stopped speaking with the insane a while ago.
Re: (Score:1)
Re: (Score:2)
Yes, I know the difference.
I have disassembled T65 telephones, myself, and I did not find any difference to the schematic I linked to.
That is why I asked you to post the schematic of the telephones you disassembled that were different.
Unless you can do so, and explain how a telephone off hook can be used to eavesdrop on you, you confirm my opinion that you are a troll.
A moderately competent one, I must say: I'm still feeding you...
Re: (Score:2)
So if the ringer was ringing and you pick up the phone there might leak some of the 90 V signal into the microphone?
And did you consider what happens if you put a High frequency signal onto the line? Some of the signal might be affected by the condensator combined with the mic, and a usable signal might gotten of it.
There are some court cases where the police declares that the bad guys forgot to hang up the phone and thus could be listened on... but if that is what technically really happened is a big ques
Re: (Score:2)
So if the ringer was ringing and you pick up the phone there might leak some of the 90 V signal into the microphone?
That wouldn't be too good for the microphone.
The switches of the hook are there to prevent that.
They connect/disconnect in such an order that the telephone exchange is signalled that you pick up the receiver so the ringer signal is switched off before the speaker and mic are connected. I once had a telephone where this dis not work properly. When you picked it up at the exact moment of a ring, a loud buzzing sound came out of the earpiece. Not nice.
And did you consider what happens if you put a High frequency signal onto the line? Some of the signal might be affected by the condensator combined with the mic, and a usable signal might gotten of it.
If the receiver is on hook, both mic and speaker are comple
Re: (Score:2)
Re: (Score:2)
That's what I expected. ;-)
My post was mainly intended for people who might believe his claims.
For them, maybe, facts would be helpful
Re:Preach it (Score:5, Informative)
I get +2 automatically because I have high Karma and I'm a subscriber. You get +1 for each of those. You could get the subscriber bonus for about $1/month. The high karma thing you have to work at. Karma is easier to get and lose though when all of your posts are +1 because you're a subscriber.
I could discount these in my settings, and I used to. Most subscribers with high Karma do, as they consider posting at 3 "shouting". If my Karma falls back to normal, I probably will do that. Once upon a time I had such bad Karma I was posting at -1. But I recovered.
I would still post just at 1, but the retarded sockpuppets and idiots do need shouting down with confidence. The price I pay for this is that I almost never get mod points.
Re:Preach it (Score:4, Informative)
Headline and summary are both misleading.
The exploit demonstrated is specific to Cisco VOIP phones. No other manufacturer's devices are affected.
Re: (Score:2)
Earlier versions of the Cisco VOIP phone firmware allowed users associated with the phone to connect via http and instruct the phone to initiate a voice stream from the phone's mic to another ip address and eavesdrop. The only indication that the mic was active and the phone streaming was a small arrow on the screen. That's since been fixed so that the function starts the voice stream remotely but the phone is muted. This could also be done the other way to stream sounds to the speaker on the phone - I h
Re: (Score:1)
Re: (Score:1)
Let's see, Red Light Cameras, the recent Counter-terrorism unit getting all our private data, strict gun laws, and now this? I think we might be heading into a George Orwell 1984. All we need now is the censorship police and the removal of the first amendment and we can officially say he was right and that we should have expected this.
And here I figured the flyers saying "Thought Police are double-plus good" at the movie theater were just a joke (it's just a small local/indie place ... not out of the ordinary to have stuff along those lines)
Person Of Interest (Score:2)
Physical access? (Score:3)
Seems like it'd be easier to just slap a traditional bug under the filing cabinet if you're going to need physical access anyway. And maybe leave behind a hardware keylogger while you're at it. Possibly also an annoyatron [thinkgeek.com]. :)
Re:Physical access? (Score:4, Interesting)
I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.
Re: (Score:1)
Re:Physical access? (Score:4, Interesting)
I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.
Besides, when you use the phone as your bug, you don't need to worry about a power source. Gaining entry to an office as a part of the janitorial company seems like a trivial exercise for someone determined to steal corporate secrets.
Of course, the drawback is that this would be trivial to detect with a simple IDS system: "Hey, why does the conference room phone keep sending data to a Verizon Wireless IP address?". While a traditional bug would require an RF sweep to find it - and if it saves up conversations and sends them out in a short burst, it can be nearly impossible to find without constant surveillance.
Re: (Score:2)
No reason that could not be done in this situation as well.
The hacked phone sends the communications to a hacked workstation on the same LAN segment. They're stored until later.
Then they're sent out over the next day or so with the regular traffic disguised as an encrypted HTTPS stream.
Re: (Score:1)
There are cisco cell phones? I thought this was a nice attack on corporate VoIP infrastructure.
Re:Physical access? (Score:5, Informative)
I saw the exploit demonstrated about a month ago (when it was still not yet public, but after Cisco had been told about it). It doesn't require physical access, but it does require you to be able to run something on the local network. (From slightly fuzzy memory:) The phones have some hard-coded settings which tell them about the correct server to use for getting the configuration data. They fetch this on every boot. Tripping a power circuit can cause the phones to reboot (I think they do every few days anyway, to get updates), and once you've done that then you've can use that phone to exploit the others. Getting root is simple, because the OS has a number of system calls that don't properly validate their arguments. Once you've done that, it's entirely a software bug, and it's in a system that is not designed for sysadmins to run code on, so your IDS probably won't catch it.
That said, in a sensible deployment, you should have the SIP phones on a separate VLAN and only allow them to send TFTP packets to the authorised boot server. In this configuration, the first step of the exploit won't work unless you previously pwn the boot server, the switch (and, let's face it, they probably run IOS, so it's not that hard...), or have physical access.
By the way, this is the same guy who previously discovered an exploit for a load of HP printers, allowing you to do things like have them email copies of any documents that are printed on them to some external site. He had quite a cute demo, which involved using a previously-pwned printer to hijack the phone network, so it's important to remember to have the phones and the printers on separate networks. And not to allow printers to connect to the outside world...
Re: (Score:2)
Re: (Score:2)
I have often thought that /. should automatically delete any AC post with a karma of -1. There is a potential for abuse, but it would get rid of many of the trolls very quickly.
is anyone else having an issue with the link? (Score:1)
On my phone here, and when I click the link the dark whatever domain appears briefly and tennis appears their page refreshes with this (screwed up) "url" /133696/show/3fd8d00f6b22f3da5506ef43feaf8168/?
location:
Re: (Score:1)
Then it became tennis by the magic of fat fingering an extra key and auto-correct!
Guys, The Dark Knight was just a movie, right? (Score:1)
Dark Knight, anyone? (Score:1)
Seriously, did they look at the Dark Knight and say "Hey, that massively illegal cell-phone-Sonar concept was a good idea, lets look into it"