Cisco has admitted that several of its small-business IP phones are vulnerable to eavesdropping – highlighting continuing security weaknesses in Voice over IP (VoIP) systems.
Cisco warned in a 19 March advisory that a firmware flaw in its SPA300 and 500 series IP phones allows attackers to listen in on calls and hijack the device to make calls.
The problem, CVE-2015-0670, is effectively a ‘zero-day' flaw with no patch or update available, the company said.
Cisco blames the flaw on “improper authentication settings in the phones' default configuration” and explained: “An unauthenticated, remote attacker could exploit this by sending a crafted XML request to the affected device, allowing them to access sensitive information by listening to the audio stream of an IP phone, or make phone calls remotely.”
Cisco added: “A successful exploit could be used to conduct further attacks.”
The company confirmed that its SPA300 and 500 Series version 7.5.5 phones are vulnerable, and later versions may also be affected.
But Cisco has downplayed the threat level, saying: “To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit.”
Even so, Cisco is advising systems admins to lock-down the affected phones. It says companies should “enable XML execution authentication in the configuration settings of affected devices, allow only trusted users to have network access and use a solid firewall strategy”.
The flaw was discovered by Chris Watts, owner of security services firm Tech Analysis, based in Sydney, Australia - who has track record of identifying IP phone and other comms products vulnerabilities.
Watts previously revealed XSS (cross-site scripting) and arbitrary code execution flaws in Cisco's SPA300 and 500 IP phones, and vulnerabilities in its other modem and wireless residential gateway products.
The latest zero-day has turned the spotlight on the continued insecurity of IP business phones, which is made worse by search engines such as Shodan which lists web-connected phones, routers and other Internet of Things devices, making it easier for attackers to find vulnerable systems.
But UK cyber-security expert Amar Singh, chair of the ISACA UK Security Advisory Group and founder of the Cyber Management Alliance, warned that IT people still do not take VoIP systems security seriously, even though “it's basically a major backdoor into the network”.
He told SCMgazineUK.com: “VoIP is considered ‘voice' - it's being labelled as voice technology rather than as part of your network. And it's seen as a boring technology, there's so much else that is so much sexier that it falls between the cracks...it's just a VoIP threat, who cares?
“But the level of threat is, in my opinion, fairly significant, in that if the infrastructure is poorly designed, it's basically a major backdoor into the network.”
Singh said: “Once it's implemented, how many people go back to actually review their VoIP infrastructure? So review it, and carry out a serious penetration test attack to see if you can cross over from your VoIP infrastructure to your regular data network – people will be surprised.”
Fran Howarth, a senior analyst at Bloor Research, agreed many companies still do not take VoIP systems security seriously, even though problems - including eavesdropping, fraud and DDoS attacks - have been highlighted in the past.
She told SCMagazineUK.com via email: “This is certainly not the first time these issues have been publicised, especially with regard to Cisco. There are also many known problems with Skype.
“The current problem cannot be fixed until a firmware patch is made available. In the meantime, people are being advised to monitor for intrusions, which could be fairly labour-intensive.
“Perhaps the best advice would be to ensure that such phones are only used in a secure manner, with speakerphones switched off and not used in insecure situations.”