Newly presented research shows how to turn a Cisco VoIP phone into a remote eavesdropping device.
The target was the Cisco 7900 series of IP phones. Much like earlier attacks on printers and other embedded devices built around a SoC, flash ROM and RAM, the same approach can be adapted to them. The one significant difference is the hook switch: the phone only captures audio while it believes the handset is off the hook. If that check is subverted, conversations in the room can be monitored remotely at any time, not just while the user is on a call.
Ang Cui, the intrusion-detection graduate researcher who presented the work, demonstrated how to modify the phone's DSP handling to switch the microphone on covertly, and then streamed the captured audio to the audience.
An external circuit board was attached to the target phone. This is the most difficult part of the attack, but once the board is in place the rest of the organisation's phone network becomes reachable. Cui then wrote a program that connects to the microphone of the chosen phone and makes the phone believe it is off the hook. He was able not only to stream the tapped conversation to an audience but also to feed it to Google's speech-to-text service, which transcribed the speech onto a projection behind him.
The attack relied on a lack of input validation at the phone's kernel syscall interface: arguments supplied by user-space code were used without being checked, which allows arbitrary modification of kernel memory and, from there, arbitrary code execution within the kernel.
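The following is an added example, not code from Cui's research or from Cisco's firmware. It models in user space the class of bug described above and the hook-switch consequence described earlier: a syscall that accepts a caller-supplied destination offset and copies data to it without checking that the offset lies within the caller's own region, beside a hardened version that does. The "kernel memory" is a plain array, and the hook-switch flag and user buffer offsets inside it are constructed stand-ins, not the real layout of the phone's kernel.

```c
/* Added example: a user-space model of an unvalidated syscall argument.
 * kmem, the offsets and the hook flag are constructed for illustration;
 * they are not the layout of any real Cisco phone kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KMEM_SIZE      256
#define OFF_HOOK_STATE ((size_t)0)   /* hook-switch flag, kernel-owned   */
#define OFF_USER_BUF   ((size_t)64)  /* region user space may write into */
#define USER_BUF_LEN   ((size_t)64)

#define ON_HOOK  0
#define OFF_HOOK 1

/* Constructed "kernel image". */
static uint8_t kmem[KMEM_SIZE];

static void kmem_reset(void) {
    memset(kmem, 0, sizeof kmem);
    kmem[OFF_HOOK_STATE] = ON_HOOK;   /* handset cradled: microphone off */
}

/* The hook switch gates the microphone: audio is captured only off-hook. */
static int mic_enabled(void) {
    return kmem[OFF_HOOK_STATE] == OFF_HOOK;
}

/* Vulnerable: the destination offset comes from user space and is used
 * directly. The only check keeps memcpy inside the array, so any
 * kernel-owned byte, including the hook flag, can be overwritten. */
static int sys_copy_in_vuln(size_t dst_off, const uint8_t *src, size_t len) {
    if (len > KMEM_SIZE || dst_off > KMEM_SIZE - len)
        return -1;
    memcpy(kmem + dst_off, src, len);
    return 0;
}

/* Hardened: the destination must fall entirely inside the region the
 * caller owns. len is bounded first so the subtraction cannot underflow. */
static int sys_copy_in_fixed(size_t dst_off, const uint8_t *src, size_t len) {
    if (len > USER_BUF_LEN || dst_off < OFF_USER_BUF ||
        dst_off > OFF_USER_BUF + USER_BUF_LEN - len)
        return -1;
    memcpy(kmem + dst_off, src, len);
    return 0;
}

typedef int (*copy_in_fn)(size_t, const uint8_t *, size_t);

/* Legitimate use: a write that stays inside the user-owned buffer.
 * Returns 1 if the syscall accepted it and the bytes landed. */
static int legit_write(copy_in_fn syscall) {
    const uint8_t payload[4] = { 'r', 'i', 'n', 'g' };
    kmem_reset();
    return syscall(OFF_USER_BUF, payload, sizeof payload) == 0 &&
           memcmp(kmem + OFF_USER_BUF, payload, sizeof payload) == 0;
}

/* Attacker's move: write one byte over the hook-switch flag so the phone
 * believes the handset is lifted while it is still cradled.
 * Returns 1 if the microphone ended up enabled. */
static int attack(copy_in_fn syscall) {
    const uint8_t lifted = OFF_HOOK;
    kmem_reset();
    (void)syscall(OFF_HOOK_STATE, &lifted, 1);
    return mic_enabled();
}

int main(void) {
    printf("vulnerable syscall: mic %s\n", attack(sys_copy_in_vuln)  ? "ON" : "off");
    printf("validated syscall:  mic %s\n", attack(sys_copy_in_fixed) ? "ON" : "off");
    return 0;
}
```

The point of the hardened check is that bounding the copy to the array is not enough: the argument has to be validated against what the caller is allowed to touch, otherwise kernel-owned state such as the hook flag (or, in the real case, a code pointer) is a single write away.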
Exploiting the flaw requires a drastic reconfiguration of the phone, which at least offers some reassurance. An attacker would need extensive knowledge, far beyond what the 2007 and 2011 eavesdropping attacks against Cisco users required.
Cisco has since issued a software fix, tracked under bug ID CSCuc83860.