Cisco Unified IP Phone Security Vulnerability
Cisco has updated its response to a security vulnerability that could, under the right conditions, allow someone to remotely eavesdrop on audio near a Cisco phone. The attack involves accessing the web server of a Cisco IP phone and then issuing a command that instructs the phone to go off-hook in speaker-phone mode. Any audio picked up by the affected phone can then be streamed to a remote phone.
In order for the attack to occur, the following conditions must be met:
- The internal web server of the IP phone must be enabled. The web server is enabled by default.
- The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
- The attacker must possess or obtain valid Extension Mobility authentication credentials.
Details on how to exploit the vulnerability.
Cisco's Security Response, Document ID: 100252
Once again, I urge industry professionals to counter the fear mongering hype and provide some perspective on the risk and advice on how to mitigate it.
Rick McCharles
VoIP Consultant, Toronto
RIC Services