Feeds

Cisco VoIP bug poses eavesdropping risk

Noise on the wire

Choosing a cloud hosting partner with confidence

A bug involving 7900 Series IP phones from Cisco creates a means for hackers to eavesdrop on calls.

The flaw stems from security shortcomings in the Extension Mobility feature of the phones, which allows users to configure a Cisco IP phone as their own. The feature is disabled by support, which is just as well because when enabled the feature fails to encrypt signalling communications between a device and an internal web server. This, in turn, creates a means for miscreants to sniff out authentication credentials. These credentials might subsequently be misused to cut off users or eavesdrop on streaming media connections associated with calls.

However, an attack along these lines will only succeed in cases where would-be hackers are already in possession of valid Extension Mobility authentication credentials. Attackers would also need to have access to a targeted network. Although remote hacking is theoretically possible, a bigger danger would appear to stem from internal attacks.

In a throwback to the early days of wiretapping, successful attacks based on the vulnerability leave a tell-tale noise on the wire.

"Internal testing by Cisco also revealed that the described attack produced static noise on the IP phone while it was under attack," Cisco said in an advisory that explains the issue and details possible workarounds.

The network giant credits researcher Joffrey Czarney of Telindus with discovering the flaw. Czarney presented a paper on his research at the recent Hack.Lu 2007 security conference, which was held last month in Luxembourg. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
The cloud that goes puff: Seagate Central home NAS woes
4TB of home storage is great, until you wake up to a dead device
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
Want to STUFF Facebook with blatant ADVERTISING? Fine! But you must PAY
Pony up or push off, Zuck tells social marketeers
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.