Your Desk Phone May be Spying on You

A year ago two Columbia University Intrusion detection Systems Lab PhD candidates, Ang Cui and Michael Costello, demonstrated a method of hijacking HP printers by sending the printer a print job with a specific embedded code. Once compromised, the printer would surrender copies of all documents printed on it and give the hacker access to the corporate network the printer was on. The revelation send HP into a crash effort to patch virtually all its office printers to close the vulnerability.

The bad news – or good news depending on your viewpoint – is that Cui and Costello are back. At the 29th Chaos Communications Conference on December 27, 2012, they presented the results of their latest research – a way to hack Cisco IP phones to turn them into espionage devices and entries into the network. Their method uses a small physical device, the th1ngp3wn3r, that in less than two minutes captures control of a Cisco IP phone.

From that initial entry point the hacker can remotely expand the network of captured phones to include any and all other Cisco phones on the network. It allows the hacker to turn on a compromised phone’s handset microphone at any time and listen into any conversations within range with, as they demonstrated, pretty good reception, without providing any visible evidence that the microphone is on. The conversations can be transcribed and the transcriptions delivered over the Internet to any virtual location. Those phones can also be used as entry points from which to attack other network assets including corporate servers. And once uploaded, the malware automatically burns itself into the ROM chip on the phone, so that the only way to remove it is to physically remove the chip. Wiping the phones does not remove the code, which will simply reload itself from ROM. And the only way to guarantee that you are not being spied on through your desk phone is to disconnect the handset.

Keys to the Kingdom

How serious is this? Cui and Costello showed a photo of President Obama and Vice President Biden in the Oval Office with a Cisco phone sitting prominently on a corner of the President’s desk. In another photo a Cisco phone was on the President’s desk on Air Force One. In a third, former CIA head and Gen. David Petraeus sits in his former office in front of three Cisco phones.

And, lest the audience think that the presenters have a vendetta against Cisco, they pointed out that the same exploit, with some adjustments, would probably work on IP phones from other companies as well. These phones are built of industry standard boards, chips, and other components. The core processing architecture of the Cisco phones are very similar, in fact, to the HP printers that the team hacked a year ago.

One beauty of this exploit is that it enters the phone through the auxiliary port where the device plugs in, rather than the network port. This is left unguarded because of the presumption that no bad guys would dare try to physically enter the office. But gaining access is not that hard. In their illustration, Cui and Costello presume that the initial attack is made on a public lobby phone and then spread through remote command to other phones. However, it also could be introduced by a seemingly legitimate business visitor, a disgruntled employee, or a contractor such as a cleaning person.

Cui lists the impressive set of security features that Cisco built into its phones that make them sound all but invulnerable. These include:

  • Signed firmware,
  • FIPS-certified crypto,
  • A Secure version of Unix,
  • Minimal Attack Surface, and,
  • Secure admin interface.

Yet the attack strategy, while sophisticated, is not that difficult.

Countering the Exposure

The team, which is working under several federal agency grants, initially contacted Cisco to demonstrate their exploit in October. Within a week of confirming the exploit, Cisco had issued a patch – 9.3.1-ES10 – to counter it. This patch is available upon request, and it does deny the original exploit. But it turned out that all Cisco did was alter a single pointer to terminate a syscall under specific circumstances. The team was easily able to work around that with a new version of the exploit. As of the date of the presentation Cisco had not issued any further patches to rectify the situation.

Cui and Costello and their lab have their own comprehensive defense tool that, they say, will protect devices such as printers and IP phones from attack, the MEET Symbiote. They did not have time to explain how it works in the presentation but have promised to do a demo of a Cisco phone protected with the Symbiote at RSA 2013 this spring.

The overall point they made is that office phones, printers, and other auxiliary devices are really general purpose computers underneath their shells. These devices can be attacked using the same basic techniques that are used to compromise desktop and laptop computers. Often it is much easier to attack them because they are seldom secured to anything like the extent that computers are. And once compromised they can provide valuable information to corporate or foreign government spies themselves. But they also are compute nodes on the organization’s network that can be used to launch attacks on the company’s central servers. So if you think your printer, office phone, and other devices are spying on you, you may be right.