We don’t give much thought to our VOIP phones – they look like regular old landline phones and seem pretty innocuous sitting on our desks. However, a presentation from the recent 29th Chaos Communications Congress, held last week in Berlin, should be a wake-up call for security professionals. Two Columbia University researchers demonstrated how they used vulnerabilities in the operating system of Cisco’s VOIP phones to take control of the devices and turn them into eavesdropping devices, capable of picking up conversations in their vicinity and relaying them to a remote attacker. As a bonus, they showed how to make their hack a permanent part of the phone, surviving patches and upgrades. Definitely worth viewing for security professionals.
What to do about it? Well, when Cisco releases a working patch for this problem, I would definitely suggest upgrading the firmware on all affected phones. I would also give some thought to how your VOIP VLAN is protected, and to whether having unattended feature phones in public parts of your site is a good idea.