Would you ever have assumed that your Cisco SIP phone was liable to not only be hacked, but also used as a bugging device to listen to your private conversations? There is a Cisco phone hack making it’s way through the news circuit.
I would have never assumed this was possible. But I was proven wrong when doctoral candidate Ang Cui at Columbia University discovered this Cicso phone hack vulnerability. It’s really both fascinating, and a bit scary how this came to be.
Cisco Phone Hack Discovery
Ang made an hour long presentation (along with a nearly 2GB Powerpoint file to show off his findings) showing that while most hackers would try to bypass a router’s firewall and go straight for the server, Ang would instead go for other things, such as networked printers or in this case, a Cisco SIP phone.
With Computer Science Professor Salvatore Solfo’s help he now has a device created that plugs directly into the phone’s serial port and can be used to send attack code.
This code then gives the attacker control over the device. From here the attacker can implement the Cisco phone hack which remotely eavesdrop on calls as well as turn the microphone on to listen in to conversations happening around the phone.
How It Works
Now imagine for a moment here. You’re an official city worker and you have in your possession a Cisco SIP phone.
One day you leave your office to go to a meeting. While you are gone one of your colleagues who you trust has one of these physical devices in their possession.
While you are out all they do is plug it into the serial port behind your phone, inject the Cisco phone hack code into the phone and walk out like nothing happened.
You come back and begin to use your phone. Now your colleague can listen in on your conversations, be them private business or intimate business.
No Fix At This Time
Cisco has come out and confirmed there’s currently no real fix for this at this time.
They are however in the works of a new firmware that will mitigate the possibilities of this happening but that is still months down the road. There only real saving grace here is that for this to work a person needs to physically be next to the phone to attach the device.
If they can’t get to the phone itself then you are safe. But can you really keep a watchful eye on your phone at all times just to make sure no one gets behind it?
That’s kind of stretching it but, as the old saying goes “Do what you gotta do.”
What are your thoughts on the Cisco phone hack? Are you concerned that your phone could possibly be targeted? Share your thoughts!