Security Flaw Opens Cisco VoIP Phones To Eavesdropping
The San Jose, Calif.-based vendor issued a security alert Wednesday that identified 11 models of its Cisco Unified IP Phone 7900 Series handsets that are vulnerable to the attack. All Cisco IP phones that support Extension Mobility, a feature that allows users to log into a phone and configure it as their own on a temporary basis, are vulnerable, the company said.
Cisco classified the alert as a low-level risk with a base score of 4.0 on the Common Vulnerability Scoring System. No updates are available, though Cisco identified several workarounds to combat the problem.
Cisco's security alert came in response to a presentation given at the Hack.Lu 2007 security conference by researcher Joffrey Czarny, a penetration tester for the security research division of Telindus, a Belgium-based systems integrator.
An attacker with valid Extension Mobility authentication credentials could use a properly configured Cisco IP phone to eavesdrop on ongoing conversations around the affected device, a breach that could lead to the disclosure of sensitive information, according to the alert.
For attackers to exploit the vulnerability, the internal Web server of the IP phone must be enabled, which is a default setting. The IP phone must also be configured to use the Extension Mobility feature, which is not a default setting. In addition, the attacker must have valid Extension Mobility authentication credentials. An attacker could procure authentication credentials by gaining physical access to the network and inserting a sniffing device between an IP phone and switch port, according to the alert.
Phones would exhibit visual cues if the vulnerability were being exploited, including illuminated speakerphone buttons and an off-hook indication on their LCD displays.
Cisco identified three workarounds to ward off the attack: disabling the internal Web server on IP phones, disabling the Extension Mobility feature, and disabling the speakerphone/headset functionality on IP phones. The vendor also said the attack can be mitigated by restricting access to the internal Web server of IP phones (TCP port 80) using an access control list.