If your office, like many others in businesses around the world, uses Cisco-branded telephones then you may have a big problem. The networking company issued a security advisory with the catchy name “cisco-sa-20130109-uipphone”.
“Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges”, the notice warns.
Two weeks ago, Columbia University Ph.D. student Ang Cui reported the flaw. He detailed the process in a talk titled “Just because you are paranoid doesn’t mean your phone isn’t listening to everything you say”, the full video of which was posted to YouTube on December 28th.
The good news: physical access to the phone is required for this to be carried out. Of course, if you work in a public area — think of a security desk inside a company door, or even a locked office that maintenance and cleaning staff have access to — then there is no shortage of people who could carry out the exploit. In fact, we have seen in the past how easily social engineering can gain access to the most restricted areas of a building.
The hack allows an attacker to monitor phone calls and even to turn on the microphone and listen in on conversations within earshot. In fact, they could even stream them over a network.
Cisco acknowledges that “Ang Cui initially reported the issue to the Cisco Product Security Incident Response Team (PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco bug ID CSCuc83860 (registered customers only) Release Note Enclosure. Subsequently, Mr. Cui has spoken at several public conferences and has performed public demonstrations of a device being compromised and used as a listening device”.
The company goes on to promise that it will “conduct a phased remediation approach and will be releasing an intermediate Engineering Special software release for affected devices to mitigate known attack vectors for the vulnerability”.
And you thought that post-it note over your web cam was enough to keep you safe.