Cisco VoIP Phones Vulnerable to Malware

10 Jan 2013

2013 got off to a bad start for networking leader Cisco when Ang Cui, a Computer Science PhD candidate at Columbia University, and Computer Science Professor Salvatore Stolfo discovered troubling vulnerabilities in the company's VoIP phones. Cisco's VoIP devices are used worldwide by many enterprises, including major corporations, banks and governments.

Cui and Stolfo found that malicious code can easily be inserted into any of the 14 Cisco Unified IP Phone models, enabling a third party to eavesdrop on conversations on the phone and in nearby surroundings, from anywhere in the world.

"It's not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications," said Stolfo. "It's relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones - they are not secure."

Stolfo and Cui examined the phones' firmware and discovered numerous vulnerabilities. One of their singular concerns is embedded systems, including VoIP phones, printers and routers, which are so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses routinely used on the Internet. The researchers have been working to design security technology to combat malware.

"Binary firmware analysis is commonly used to identify faulty software by the 'white hat' hackers and security scientists and researchers like our team," Stolfo said. "We performed this analysis to demonstrate a new defense technology, called Software Symbiotes, that protect them from exploitation."

Software Symbiotes is able to prevent hackers from injecting malicious code into embedded systems, including VoIP phones, printers and routers.

"This is a host-based defense mechanism that's a code structure inspired by a natural phenomenon known as symbiotic defensive mutualism," Cui explained. "The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defenses."

According to the researchers, the Symbiote monitors its host's behavior, making sure it is operating correctly. Should the host malfunction, the Symbiote will prevent any harm being caused. Any attempt to remove the Symbiote will render the host inoperable.

"The beauty of the Symbiote," noted Cui, "is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars - systems that we all use every day."

Cisco released a patch to correct the vulnerabilities, but it didn't work. "It doesn't solve the fundamental problems we've pointed out to Cisco," Cui explained. "We don't know of any solution to solve the systemic problem with Cisco's IP Phone firmware except for the Symbiote technology or rewriting the firmware. We plan to demonstrate a Symbiote-protected Cisco IP Phone at an upcoming conference."

In response to the ineffectiveness of its initial patch, Cisco plans to release a permanent fix. A company spokesman announced that Cisco's A-team of designers is working on the new patch. The company is set to release a security advisory by the end of the week. (CU)
