A flaw in the firmware of many voice over internet protocol (VoIP) phones could allow hackers to remotely install malware and eavesdrop on private conversations, according to researchers from Columbia University in New York. Computer science PhD candidate Ang Cui and Professor Salvatore Stolfo recently announced they had discovered multiple vulnerabilities in the phones' embedded software and demonstrated one hack they had engineered at the Chaos Communication Congress in December.
The attack demonstrated by Cui and Stolfo allows a remote user to turn on a telephone's microphone – or webcam, depending on the model – and listen in on conversations occurring either over the phone or in the room. Additionally, an attacker could disable the LED that indicates the microphone is active, allowing the eavesdropping to go undetected, NBC News reported.
In an announcement in December, Cisco listed 15 models affected. Although the company did not say how many phones were directly impacted, it recently announced that it controls about one-third of the IP phone market, with more than 50 million devices sold, NBC News noted.
"You can imagine the implications of this," Stolfo told NBC News. "Anything that is said behind closed doors isn't private, no matter how sensitive the conversation is. There is no privacy. How can you conduct business like that?"
He suggested to NBC News that a government or malicious agent could theoretically use hacked phones to build a low-cost monitoring infrastructure with a wide reach. Compared to the hack of Hewlett Packard printers discovered by the same lab in 2011, the phone vulnerability is potentially more dangerous: a compromised phone carries a microphone and sits where sensitive conversations actually happen.
"It’s not just Cisco phones that are at risk," Stolfo said in a separate statement. "All VoIP phones are particularly problematic since they are everywhere and reveal our private communications. It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones – they are not secure."
Inside the hack
Cui and Stolfo focus on the software security of embedded systems – a growing field as devices are increasingly networked and, by extension, exposed to remote attacks. Because IP phones from vendors such as Cisco are designed to fetch configuration and firmware from a central server, the firmware itself is an attack surface, and a flaw in it is present on every phone that runs it.
The hack presented by Cui uses a small device preloaded with code that plugs into a port on the phone and rewrites its software. Cisco's position is that this method of attack requires physical access to a telephone, except under uncommon configuration settings. Cui and Stolfo contend that an attacker who gains access to a single phone, including one used by a remote worker, could penetrate the rest of the network, or could use a network breach to reach a specific phone.
"You could attack the network, and then attack a single person's phone," Cui told NBC. "Say, the CEO, at home."
According to the researchers, the nature of the flaw is such that a patch cannot fully repair the vulnerabilities. Alongside the hack, Cui and Stolfo presented a defense technology they have developed that is designed to work symbiotically with the host software in embedded systems and prevent direct attacks. Other than deploying their "Software Symbiotes," the researchers say the only fix would be to rewrite the firmware.
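One simple form such a co-resident defense can take is a runtime integrity monitor living inside the firmware image itself. The following is an added illustration and is neither the researchers' Software Symbiote code nor Cisco's firmware: it snapshots a hash of guarded regions of a constructed stand-in firmware image at boot and later detects the kind of in-place rewrite the demonstrated attack performs. The region layout, the FNV-1a hash, and every function name here are assumptions made for the demo.

```c
/* Added illustration, not the researchers' Symbiote implementation: a minimal
 * in-firmware integrity monitor. It hashes the regions it guards once at boot
 * and re-checks them later, so a runtime rewrite of guarded code (the attack
 * described above) is detected. The image and region layout are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the phone's firmware image as loaded in RAM. */
static uint8_t firmware[256];

/* Regions the monitor guards: offsets into firmware[] (assumed layout). */
struct region { size_t off; size_t len; const char *name; };
static const struct region guarded[] = {
    {   0,  64, "reset/interrupt vectors" },
    {  64, 128, "audio driver (mic and LED control)" },
};
#define NREGIONS (sizeof guarded / sizeof guarded[0])

/* Trusted hashes taken at boot, one per guarded region. */
static uint64_t baseline[NREGIONS];

/* FNV-1a 64-bit: cheap enough for a small monitor loop. It catches naive
 * modification; an attacker who also controls the monitor could recompute it,
 * which is why a real monitor must itself be protected (not covered here). */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Fill the fake image deterministically so the demo is reproducible. */
void firmware_load(void) {
    for (size_t i = 0; i < sizeof firmware; i++)
        firmware[i] = (uint8_t)(i * 37 + 11);
}

/* Take the trusted snapshot once, at boot, before anything untrusted runs. */
void monitor_init(void) {
    for (size_t r = 0; r < NREGIONS; r++)
        baseline[r] = fnv1a64(firmware + guarded[r].off, guarded[r].len);
}

/* Re-verify every guarded region. Returns -1 if all are intact, otherwise the
 * index of the first region whose contents no longer match the boot snapshot. */
int monitor_check(void) {
    for (size_t r = 0; r < NREGIONS; r++)
        if (fnv1a64(firmware + guarded[r].off, guarded[r].len) != baseline[r])
            return (int)r;
    return -1;
}

/* Simulate the attack from the article: overwrite one byte of the running image. */
void attacker_patch(size_t off, uint8_t value) {
    firmware[off] = value;
}

int main(void) {
    firmware_load();
    monitor_init();
    printf("boot check: %d (expected -1, nothing modified)\n", monitor_check());
    attacker_patch(100, 0x00);            /* lands inside the audio driver region */
    int r = monitor_check();
    printf("after patch: region %d (%s) modified\n",
           r, r >= 0 ? guarded[r].name : "none");
    return 0;
}
```

The monitor only detects change; deciding what to do on detection (halt, alert the call manager, reload a known-good image) and keeping the monitor's own code and baseline out of the attacker's reach are the hard parts of a real deployment.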
Vendors of IP phones and other embedded systems can strengthen the software security of their devices by instituting a more secure development lifecycle that includes tools such as static source code analysis. As networked embedded systems become increasingly prevalent, preventing vulnerabilities during development, rather than patching fielded devices, may take on added importance.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.