Call Interception Demonstrated On New Cisco Phones

mask.of.sanity writes "Researchers have demonstrated a series of exploits that turn Cisco IP phones into listening bugs, and could allow a denial of service attack capable of silencing a call center. It allows internal staff and competitors with a little publicly-available information to hijack the phones, wiretap calls and eavesdrop on confidential meetings. The attacks work through a sequence of exploits against the latest Cisco phones enabled to run off the shelf. Most people are vulnerable, the researchers say, because they do not harden their systems in line with recommended security requirements."

Security is #1

[BoRegardless]

There have been so many security holes in all sorts of hardware and for so long, that I have to think that there is a basic failure of top management to understand and grasp the issues involved in the trust people place in their products.

Having top managers make decisions on whether a program gets top flight security implemented from day 1 of a program's inception would be a big mistake.

Security today ought to be #1. Ask Sony for instance, or any one of the other dozen recent companies who have failed basic updates to their servers even after the lack of updates was published publicly online.

Sheesh. What does it take to get top management "on board".

Hang on

[Spad]

A Cisco spokesman said the networking vendor was serious about security and advised users to apply the relevant recommendations in the manual to secure their systems.
[...]
The weaknesses result from Cisco's reliance on web functions that gave users functions at the cost of easier penetration for hackers.
[...]
“The book says to shut off web services,” Wesley said

So why the hell is Cisco shipping devices with features that they themselves recommend disabling for security reasons, unless you have specific need for them, enabled by default?