The Register ®

Biting the hand that feeds IT

The Register » Hardware » Data Networking »

Original URL: http://www.theregister.co.uk/2007/11/29/cisco_voip_bug/

Cisco VoIP bug poses eavesdropping risk

By John Leyden
Published Thursday 29th November 2007 16:04 GMT

A bug involving 7900 Series IP phones from Cisco creates a means for hackers to eavesdrop on calls.

The flaw stems from security shortcomings in the Extension Mobility feature of the phones, which allows users to configure a Cisco IP phone as their own. The feature is disabled by support, which is just as well because when enabled the feature fails to encrypt signalling communications between a device and an internal web server. This, in turn, creates a means for miscreants to sniff out authentication credentials. These credentials might subsequently be misused to cut off users or eavesdrop on streaming media connections associated with calls.

However, an attack along these lines will only succeed in cases where would-be hackers are already in possession of valid Extension Mobility authentication credentials. Attackers would also need to have access to a targeted network. Although remote hacking is theoretically possible, a bigger danger would appear to stem from internal attacks.

In a throwback to the early days of wiretapping, successful attacks based on the vulnerability leave a tell-tale noise on the wire.

"Internal testing by Cisco also revealed that the described attack produced static noise on the IP phone while it was under attack," Cisco said in an advisory (http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml) that explains the issue and details possible workarounds.

The network giant credits researcher Joffrey Czarney of Telindus with discovering the flaw. Czarney presented a paper (http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf) on his research at the recent Hack.Lu 2007 security conference, which was held last month in Luxembourg. ®

© Copyright 2008