Pwnd Android conference phone exposes risk of spies in the boardroom

Researchers could listen in on meetings and plant backdoors

Confidential on white screen in boardroom. Photo by Shutterstock

Security researchers have uncovered a flaw in conference phone systems from Mitel that create a means for hackers to listen in on board meetings.

Boffins at Context Information Security managed to gain root access and take full control of a Mitel MiVoice Conference and Video Phone, potentially enabling them to listen to meetings without alerting the room's occupants. The flaws also created a way to plant a remote backdoor on to an enterprise network.

"Conference phones are ubiquitous in modern offices and are often found in less secure areas such as meeting rooms where they are privy to sensitive discussions, whether hosting a call or just sat on the table," said Neil Biggs, head of research at Context. "They also present an interesting attack surface, often in segregated VLANs that aren't visible to an infrastructure penetration test so may get overlooked. It's possible that organisations with a mature security posture might overlook the security of these kinds of devices, but it's important to have them tested."

The Mitel phone runs Android 2.3, which has known vulnerabilities and lacks security protections found in later versions of the operating system.

By taking advantage of the device's automatic configuration process, security researchers were able to abuse the "Ethernet Debugging" feature and start exploring with the Android Debug Bridge (ADB) over the network.

Once in, they uncovered several weaknesses that allowed the team to escalate the attack, most of which stemmed from the firmware being in a development/testing state. These flaws included the use of publicly available Android test-keys for signing system applications.

Context reported these issues to Mitel at the end of last year, along with a remote exploit that caused the device to reboot. The manufacturer responded by coming up with a series of interim mitigations (disabling Ethernet debugging, configuring a strong admin password to prevent access to the admin menu etc) and longer-term fixes.

In response to queries from El Reg, Mitel dismissed the severity of the flaws.

The integrity of our customer systems and data is a high priority for Mitel. We are aware of vulnerabilities in the MiVoice Conference Phone/MiVoice Video Conference Phone (also known as the Mitel UC360) that may potentially introduce security risk to customers. Working in co-ordination with Context Information Security, an independent cybersecurity research firm, Mitel R&D has published clear steps to fully mitigate the vulnerabilities on mitel.com. As of now, there are no known customer security breaches associated with this vulnerability.

Mitel's advisory can be found in its security centre here. ®


Biting the hand that feeds IT © 1998–2017