At the 29th Chaos Communication Congress (29C3), held December 27th – 30th, 2012, one topic caught our eye and stood out a little more than the rest. Ang Cui and Michael Costello presented “Hacking Cisco Phones: Just because you are paranoid doesn't mean your phone isn't listening to everything you say,” making a convincing argument that Cisco VoIP users have reason to worry. During the presentation they warned the DARPA (Defense Advanced Research Projects Agency) funded researchers in the audience as they demonstrated how they could remotely turn on a phone’s microphone and eavesdrop on private, off-phone conversations in your office from anywhere in the world. To make matters worse, if the phone has a webcam, they could turn that on as well without anyone being the wiser.
Ang Cui, a fifth-year Computer Science PhD candidate at Columbia University, showed how easily someone could insert a piece of malicious code into a Cisco VoIP phone and start listening in on private conversations from anywhere in the world. He stated that all 14 of Cisco’s Unified IP Phone models were vulnerable to the attack. Not only were the phones themselves vulnerable, but Cui stated that a compromised phone could “then infect other phones on the same network and attack connected computers and devices such as printers.” Cui went on to say, “We could turn a phone into a walkie-talkie that was always on by rewriting its software with 900 bytes of code. Within 10 minutes, it could then go on to compromise every other phone on its network so that you could hear everything.”
During the presentation Cui demonstrated a device they call the “thingp3wn3r,” which plugs into the local RJ11 serial port of a Cisco phone. Once attached, it injects attack code that gives them control over the device. He explained that a Cisco phone is nothing more than a computer running a Unix-like operating system. Over the nearly hour-long presentation, Cui and Costello went in depth into how they compromised the phones, using a mobile phone to connect to the thingp3wn3r over Bluetooth and deliver the exploit remotely.
Cui developed the attack alongside Columbia University Computer Science Professor Salvatore Stolfo. Stolfo believes the Cisco phone vulnerability raises problems much bigger than eavesdropping for espionage. He warns, “Any government that would like to peer into the private lives of citizens could use this. This is a great opportunity to create a low-cost surveillance system that is already deployed. It's a monitoring infrastructure that's free, when you turn these into listening posts.” During his presentation Cui also warned, “Having a vulnerability in a phone like this gives you ears in many skyscrapers in cities around the world.” Michael Costello pointed out that Cisco phones are used in the White House, on Air Force One, in former CIA director David Petraeus’s office, and in businesses large and small worldwide.
But it’s not just Cisco phones that are a concern. All VoIP phones are at risk, warned Professor Stolfo. He went on to say, “It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones—they are not secure.”
Yesterday, January 9th, 2013, Cisco warned of the vulnerability in a security advisory. In the advisory Cisco states that its phones contain
“an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges.
This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context.”
Cisco plans to release a software patch later this month for the weakness, which affects several models in the Cisco Unified IP Phone 7900 series. Note that the advisory describes only local vectors (physical access or authenticated SSH); the researchers maintain that the vulnerability can also be exploited remotely over corporate networks once an attacker has a foothold there, and Cisco has issued workarounds to make such attacks more difficult.
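The advisory describes the bug class in one sentence: a kernel system call trusts an address handed to it from userspace. What follows is an added, constructed model of that class, not Cisco's code and not the actual phone vulnerability, which has not been published. It simulates a flat address space as an array, with a "kernel-only" half holding a privilege flag (the flag address, the memory layout and the syscall names are hypothetical). The vulnerable handler only guards the array bounds, so a caller can point the destination at kernel memory and flip the flag; the hardened handler adds an access_ok-style range check that also rejects integer overflow in addr + len.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a split address space: addresses below USER_LIMIT
 * are "user" memory, addresses at or above it are "kernel" memory. A real
 * kernel enforces this with page tables; here it is a flat array so the
 * example runs entirely in userspace. */
#define MEM_SIZE   256
#define USER_LIMIT 128

static uint8_t memory[MEM_SIZE];

/* Hypothetical kernel-owned byte that an unprivileged caller must never
 * write. It models a "current process runs with elevated privileges" flag. */
#define PRIV_FLAG_ADDR (USER_LIMIT + 16)

/* Vulnerable syscall handler: the only check is that the copy stays inside
 * the array. Nothing verifies that dst lies in the user half, so userspace
 * can direct the write at kernel memory. (dst + len can also wrap around;
 * that is a second defect of the same "trust the caller" kind.) */
int sys_memwrite_vulnerable(size_t dst, const uint8_t *src, size_t len) {
    if (dst + len > MEM_SIZE)
        return -EFAULT;
    memcpy(&memory[dst], src, len);
    return 0;
}

/* access_ok-style check: the whole [addr, addr + len) range must sit inside
 * the user half. Written as a subtraction so addr + len cannot overflow. */
static int access_ok(size_t addr, size_t len) {
    if (len > USER_LIMIT)
        return 0;
    return addr <= USER_LIMIT - len;
}

/* Hardened syscall handler: validate the user-supplied range before touching
 * memory, and return -EFAULT (the usual kernel convention) if it fails. */
int sys_memwrite_hardened(size_t dst, const uint8_t *src, size_t len) {
    if (!access_ok(dst, len))
        return -EFAULT;
    memcpy(&memory[dst], src, len);
    return 0;
}

void reset_memory(void) { memset(memory, 0, sizeof memory); }
uint8_t read_priv_flag(void) { return memory[PRIV_FLAG_ADDR]; }

/* The escalation attempt an unprivileged binary would make: write a 1 over
 * the privilege flag. Each helper returns the syscall's return code and
 * leaves the flag readable via read_priv_flag(). */
int escalate_via_vulnerable(void) {
    const uint8_t one = 1;
    reset_memory();
    return sys_memwrite_vulnerable(PRIV_FLAG_ADDR, &one, 1);
}

int escalate_via_hardened(void) {
    const uint8_t one = 1;
    reset_memory();
    return sys_memwrite_hardened(PRIV_FLAG_ADDR, &one, 1);
}

/* A legitimate write into user memory, to show the hardened path still works. */
int legit_user_write(size_t dst, size_t len) {
    uint8_t buf[USER_LIMIT] = {0};
    reset_memory();
    return sys_memwrite_hardened(dst, buf, len);
}

int main(void) {
    int rc = escalate_via_vulnerable();
    printf("vulnerable: rc=%d priv_flag=%u\n", rc, read_priv_flag());
    rc = escalate_via_hardened();
    printf("hardened:   rc=%d priv_flag=%u\n", rc, read_priv_flag());
    return 0;
}
```

The fix is the range check, not the copy: the hardened handler rejects any destination outside the user half before a single byte moves, which is exactly the validation the advisory says was missing. The boundary cases (a write ending exactly at USER_LIMIT, one byte past it, and a wrapped-around dst) are the ones worth testing when reviewing a real handler.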
According to research reported on Columbia University’s Engineering website, the proposed defense is called Software Symbiotes. Software Symbiotes are designed to safeguard embedded systems, including routers and printers, from malicious code injection attacks. Cui stated, “The beauty of the Symbiote is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars—systems that we all use every day.”
The researchers see these Symbiotes as a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement. “They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation,” explains Cui. “And, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses.”
Whether Symbiotes are the answer or Cisco will develop a different fix, only time will tell. Until then, it seems that we are left wide open and vulnerable. Our conversations are about as secure as they were in the age of the “Flintstones,” where all one had to do to eavesdrop was stand outside the hole in the stone wall that served as a window. While the method for eavesdropping today may be a bit more involved, the volume and clarity of what is captured is astronomically greater. To see Cui’s presentation in detail, watch below.