Remotely Hack any Cisco VoIP Phone

Ever year hackers research and reverse engineer mainstream electronics and commercial products in the market.

At 29C3, security researchers from Columbia university demoed what they call to have achieved Hacking Cisco VOIP phone to remotely listen to you all day long. They call this “just because you are paranoid doesn’t mean your phone isn’t listening to everything you say. Hackers were able to remotely turn on a phone’s microphone and eavesdrop from anywhere in the world.

Cisco is everywhere

Cisco is the no.1 VOIP provider, globally. There are millions and millions of Cisco VOIP phones in offices from small companies to most sensitive organizations. From Obama’s office to research centers in DARPA, all use Cisco VOIP phones, and this hack makes each one of them vulnerable.

Remember the scene in the Movie Dark Knight where Morgan Freeman (Lucious Fox) turns every single phone in the Gotham city into a Sonar device looking for audio signals? Well, this hack does almost that. Turns every VOIP phone into a potential voice bug living in offices, research centers, government agencies, you name it.

Why Hackers target Cisco? or Why Consumers choose Cisco

Why do all these offices use Cisco products? Well, Cisco assures its consumers with over 200 pages of a book that says how secure is the device. Cisco claims that their product runs only 100% signed binaries, checksums on data, use of secure admin console, random key challenges, secure os, blah blah.
Call it their marketing trap, everyone buys Cisco.

The Methodology: Hacking the Cisco VoIP phones

The hacker realized that most of the claims were simply not true. Cisco’s VoIP phones check for signed binaries only during boot. Once boot process completes, its fairly easy to add a user binary into IOS with standard user.

The hacker then talked about how he was able to find an exploit. They use a small wired device called a “thingp3wn3r” to plug into a RJ11 serial port of a Cisco phone and upload malicious code. Researchers then used an android smartphone to connect to the thingp3wn3r over a Bluetooth connection to remotely deliver the exploit.

They used syscall fuzzer to findout all different syscalls supported by the system. They found the syscalls which were able to crash the kernel and the whole system. In a case of Kernel-Panic, the system dumps the memory dump, thereby making it possible for the hackers to analyze what caused the crash .

On carefully analyzing the cause of crashes, they were able to create and execute a malicious code inside user space and direct a syscall that resulted in execution of an instruction to open a door to have Root access. And once you’ve the root, the potential is simply unlimited.  Using the hacked phone, hacker can then infect other phones on the same network and attack connected computers and devices such as printers.

Cisco phones have red colored LED that switches on before microphones are enabled. Somehow, even the Audio DSP has the pre-requisite. Hackers thought there is really no work around for this until they realized that there was a second microphone on the desk phone that was in the handset. This microphone is pretty sensitive to pickup surrounding voices, unlike one would expect it to. The way to turn it on is to lift the cradle which in turn completes the circuit. That was reprogrammable and hackers made it always connected.

Soon after the security analysts contacted Cisco, they worked on a fix that was found to be totally in-effective as per hackers. Cisco had put a one-line fix that would just not work. Cui said, “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”

Hacking Cisco VoIP [Full Video with Demo]

Cisco is finally taking this seriously. They have put down a task farce to work on a permanent fix. But researchers aren’t convinced. They claim that if the compromised Phone is injected with Rootkit, it can reprogram the ROM, which is actually a Flash memory. Once this is permanently written to this ROM, there’s no way you can fix the hacked microphone with any sort of software update fix.

Who is at Risk?

“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications.”

Hacking Cisco Phones [PDF] Slide 210 states, “Cisco Unified IP Phone 7900 series, also referred to as Cisco TNP Phones contain an input validation vulnerability. A local authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.”

The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected:

  • Cisco Unified IP Phone 7975G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7965G
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7942G
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7931G
  • Cisco Unified IP Phone 7911G
  • Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware only):

  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7906

Fix for Cisco VoIP hacking

The concrete solution to this problem is a “new defense technology, called Software Symbiotes, that protects them from exploitation. The beauty of the Symbiote is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars—systems that we all use every day.”

Symbiotes are a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement. “They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation and, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses.”

Workaround

Cisco is working on the patch “CSCuc83860 bug,” till then you’ve to settle down with workarounds. Thingp3wn3r  suggest “Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.”

Its time for Cisco to start caring for their customers.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us@geeknizer OR on Facebook FanpageGoogle+

GD Star Rating
loading...
GD Star Rating
loading...
Remotely Hack any Cisco VoIP Phone, 9.0 out of 10 based on 1 rating

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.