Monday, December 17, 2012

Researcher exposes VoIP phone vulnerability

Note: This should be an alarming article, and wake up call for C-Suite Executives!  When was the last time your company scheduled a Cyber TSCM Sweep? Never?  Contact me, we can help. ~JDL

During the recent Amphion Forum, a conference where device and mobile security experts from different disciplines gather, Ang Cui, a fifth-year grad student from the Columbia University Intrusion Detection Systems Lab, demonstrated how connected devices such as networked printers and voice-over-IP (VoIP) phones can be easily hijacked to give intruders virtually unlimited remote access to extremely sensitive information and allow them to eavesdrop on private conversations.
Using a common Cisco-branded VoIP phone, Cui inserted and then removed a small external circuit board from the phone's Ethernet port -- something Cui asserted could be easily accomplished by a company visitor left unattended for a few seconds -- and starting using his own smartphone to capture every word spoken near the VoIP phone, even though it was still 'on-hook.'
While he did not specify the precise vulnerability, Cui said it allowed him to patch the phone's software with arbitrary pieces of code, and that this allowed him to turn the Off-Hook Switch into what he called a "funtenna." According to Cui, once one phone is compromised, the entire network of phones is vulnerable. Cui later said he could also perform a similar exploit remotely, without the need to insert a circuit board at all.

No comments: