Many offices have IP phones, but did you know that they might be vulnerable to hackers? Depending on the phone, someone could use the device to spy on you remotely. We spoke with Ang Cui, cybersecurity expert and founder of Red Balloon Security, who discovered the exploit in a Cisco phone. Here’s a look at what someone might be able to do with it and what you can do to protect yourself. Following is a transcript of the video.
Ang Cui: A hacker can actually listen to everything that’s going on in the room that the phone is in regardless of whether you are on the phone call or not.
Hello, my name is Ang Cui. I am the founder and chief scientist of Red Balloon Security.
So we took a Cisco phone. We took it apart, and we looked at it not like a telephone, but like a computer. It has a handset, it has a screen, and it has a bunch of numbers you can dial, but it also runs a whole lot of very vulnerable software.
We extracted the firmware that runs on that computer, and we systematically mapped out things that look like vulnerabilities. And over the course of two and a half months, we figured out exactly where the vulnerabilities are in a portion of the system that we can reach as an attacker.
So what can someone do if they were able to exploit the software and firmware running inside your phone? Well they can certainly listen to you when you’re making phone calls. They can probably figure out who you’re calling and when. But it goes way beyond that.
The microphone never turns off, so the hacker can listen to every single thing that the phone hears one hundred percent of the time, without stop.
In order to pull off this attack and a lot of the other attacks we’ve disclosed over the years on IP phones, you don’t need physical access. You can hit this vulnerability over the network, remotely. In fact, a few years ago, we made a demonstration at DEFCON, where we got a resume to hack a printer, and then we got the printer to hack a router, and then we got the router to hack a phone. And this was all done automatically in real-time, live on stage. So it is certainly possible for an attacker to exploit the IP phone sitting on your desk behind a firewall from somewhere else on the internet.
After we got access to the microphone, we decided to do something more fun, and we feed all that data into a speech-to-text engine, and we Tweet out the output of that. So instead of having to listen to all these conversations, you can just read it on Twitter.
So this demo was produced as part of a greater research into embedded device vulnerability. And we’re happy that we work very closely with Cisco in order for us to hand over the vulnerability.
We disclosed it to them, and they were able to very quickly turn around and issue a patch that fixed this specific security problem. I’m really happy to say that Cisco has updated the firmware on those phones, so that specific vulnerability is no longer there, in the IP phones that have been updated.
So there are a few problems with this. One: according to the research that we put out, very few people update firmware. This is not … hopefully this isn’t news to you. You probably, like everyone else, don’t want to update all of the devices’ firmware as soon as they come out. And, in fact, the world is really bad at keeping the firmware of embedded devices up-to-date.
So even if the vendor issues a security patch for the Cisco phone, the chances that all of the world have applied this patch is very low. The second thing is this is not a special case. We looked at a number of other IP phones, and we did not find a single IP phone that didn’t fundamentally have security vulnerabilities that could allow the attacker to achieve exactly what you’re seeing here on those phones. So if you have an IP phone on your desk right now, chances are there are known vulnerabilities that will allow an attacker to do exactly what we’re showing you as possible on the Cisco phone.