Call Interception Demonstrated On New Cisco Phones
mask.of.sanity writes "Researchers have demonstrated a series of exploits that turn Cisco IP phones into listening bugs, and could allow a denial of service attack capable of silencing a call center. It allows internal staff and competitors with a little publicly-available information to hijack the phones, wiretap calls and eavesdrop on confidential meetings. The attacks work through a sequence of exploits against the latest Cisco phones enabled to run off the shelf. Most people are vulnerable, the researchers say, because they do not harden their systems in line with recommended security requirements."
Enterprise Systems (Score:1)
Re:Enterprise Systems (Score:5, Funny)
Any two-bit neckbeard with a sourceforge account can create a "poorly understood clusterfuck."
However, only by leveraging the organizational synergies of a corporation committed to customer-centric excellence across multiple value centers is it possible to create a "poorly understood clusterfuck" backed by overpriced consultants, soporific slide decks, documentation that addresses the hypothetical case of a 50,000 seat installation across hundreds of multinational satellite sites; but fails to have any useful information on why some critical service leaks memory and needs to be restarted every 18 hours, a custom set of Vizio(tm) objects that allows middle managers and Certified Solution Architects to emulate understanding of the system with impressive graphical flourishes, and a mandatory "maintenance contract" that makes you eligible to pay a per-incident fee to have some poor dude in Hyderabad read a script at you.
Freetards, they just don't understand the value of good commercial Solutions.
Re: (Score:2)
It'd be awesome if companies would just put the script they give the guys in Hyderabad on the web so I can read through it myself.
That would help me avoid calling, as well as plan my responses when I do call to minimize the time to reach somebody who has actually used the product.
Re:Enterprise Systems (Score:4, Funny)
Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.
...
Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.
...
Shenk you far callink Eenterprice Grummar Solootions. Moy nam is "Jason". How cane I be helpink you today?
I see you are havink a service agreement with us. Zees ees very good. I will be transferrink you now to "second-tier support". Thank you for callink us today. Goodbye.
...
Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.
...
Entaprise Gramma Solutions. This is Bob. What can I do for ya?
All-righty. Ye've got yerself a nice little post there. Now, that there semicolon in your third paragraph should be a comma. That's it. Now, according to this here agreement, you'll be billed $99.95 for this call. Thanks for callin'.
Re: (Score:2)
That's not tier 2 support! That's straight off the "reboot your paragraph" script they give to the first-line flunkies. From http://www.hamilton.edu/writing/writing-resources/common-writing-mistakes [hamilton.edu] --
(emphasis mine).
The clause preceding the semicolon has a numbe
Re: (Score:1)
"Enterprise Solutions"
"leveraging the organizational synergies"
"customer-centric excellence"
"value centers"
"consultants"
"Vizio(tm)"
"Certified Solution Architects"
My marketing/buzzword BS meter just caught fire after reading this.
Once upon a time... (Score:1)
My naive inexperienced self presumed 'Enterprise' to mean rock-solid, if not crufty software like Solaris, AIX, etc. Not shiny by any stretch of the imagination, but solid.
Now I know the truth, that by and large 'Enterprise' software is entirely convoluted fragile pieces of crap that mandate large amounts of work to maintain. They do not win because of quality, they win based on schmoozing salespeople and executives and/or architects intentionally sabotaging things for the sake of job security.
Re:Enterprise Systems (Score:4, Funny)
I dunno; when you go to Cisco.com and click on Enterprise, you're presented with the line:
"Break down barriers to reach people and information wherever and whenever you need them."
Sounds like they understand it perfectly.
Re: (Score:2)
Hold me closer frosty poster
count the exploits zero day
sniff my TCP/IP
you had a busy day today
Re: (Score:1)
FTFY!
Security is #1 (Score:4, Insightful)
There have been so many security holes in all sorts of hardware and for so long, that I have to think that there is a basic failure of top management to understand and grasp the issues involved in the trust people place in their products.
Having top managers make decisions on whether a program gets top flight security implemented from day 1 of a program's inception would be a big mistake.
Security today ought to be #1. Ask Sony for instance, or any one of the other dozen recent companies who have failed basic updates to their servers even after the lack of updates was published publicly online.
Sheesh. What does it take to get top management "on board"?
Re: (Score:3)
"The cost of doing business is rarely the price of doing business."
Very good point. Warren Buffett noted "Price is what you pay; Value is what you get"
For managers who slack on security, "Security Cost is what you pinch on; crisis is what you get"
Re: (Score:2)
In Soviet Russia: security cost pinches you!
WHEW! (Score:3)
Glad I only run Cisco phones that are outdated and run a SIP firmware.
Cisco makes great hardware, but their phone system software (and pricing) utterly sucks. I am doing things with Asterisk here at the office that make the Cisco rep's jaw drop.
Re: (Score:2)
Not a problem. You never have done an Asterisk deployment before, have you?
Re: (Score:2)
If you can do that then I have far bigger problems than someone listening to Dave in Accounting go on and on about how his boat is so expensive to maintain, and Mary in Marketing talk about her poodle....
Once you own my phone system network, I have far bigger problems.
Re: (Score:2)
I'm not arguing with your assessment, but in theory you can do it if you have a layer 3 capable switch.
Re: (Score:2)
That depends on the Cisco device - if you're trying to do routing on a switch block on an NM module in a router, yes, but you can use PACLs on switch ports without having to treat them as routed ports
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1039754 [cisco.com]
Re: (Score:1)
I'm going to partially agree with the OP here.
Phones speak more than just SIP, ICMP and DHCP, at least intelligent phones do.
FYI- In many cases, particularly where external companies are implementing the system, the voice engineers don't have access to the network; we can only recommend solutions, it's not up to us to implement them.
When was the last time you deployed a 50,000 user telephony system? It's not always as simple as "following best practices", particularly when you begin integrating 3rd party so
Re: (Score:3)
Apparently, there is no central configuration for the phones (hardware) and all the phones need to be locally configured. That is just what I have heard about Asterisk vs. CCM. Because Asterisk is all oriented towards POTS line cards and not IP phones. It was designed as an analog system, with some digital tacked onto it as an afterthought. Meanwhile the new Cisco Call Manager has polished their SIP support (I have heard, we don't have it yet) so that most things that you need SCCP for have now been reimp
Re: (Score:2)
Post says they were using Cisco phones. Cisco phones use a TFTP server to get the configs, based off of MAC address. I set up 25 phones, all multi-line, used the "trixbox" install of Asterisk, that had the TFTP server, web interface, and everything all tied together as a single install. With Trixbox, just use the web interface; it does all of this for you. The only difficult part was updating the Cisco phones to the SIP image; so many of the Cisco firmwares were screwed up and wouldn't allow installing fr
Re: (Score:2)
"Apparently, there is no central configuration for the phones (hardware) and all the phones need to be locally configured. That is just what i have heard about asterisk VS ccm." Then you have heard bad information. I can auto-configure 20,000,000,000,000,000,000 phones with Asterisk, not a problem at all.
Re: (Score:3)
Auto-forwarding users' calls to their cellphones if they are in the office or not.
Get up and leave the building; when your cellphone can no longer be seen via BT it forwards your calls to your cellphone. Returns to your desk phone when you return. Nothing for you to do. It's all automatic.
And then we have the telemarketer incoming call hell... anyone can transfer a call they receive to extension 8000. It puts that caller into a virtual "person" that plays back a random audio file every time the other side st
Re: (Score:2)
I am not saying Unified Communications Manager is the be all and end all of enterprise phone systems but don't make up facts. I even agree with you that Asterisk and other solutions are superior.
Still, a properly deployed Communications Manager solution is NOT centralized; you should either have an independent installation at each site trunking (for very large orgs) or you should have a member of the cluster at remote sites; for very small remote sites you should be running a router with CMFallback configure
Re: (Score:1)
Still a properly deployed Communications Manager solution is NOT centralized
Where did you learn to design enterprise telephony systems? You've got it half right.
Centralized deployment models have numerous advantages from cost to configuration and maintenance, and it also reduces overall system complexity.
Best practice is a centralized deployment model with a local voice gateway connected to the PSTN per site (MGCP, H323, SIP, doesn't matter) configured for SRST (call-manager-fallback).
Simple.
Clean.
Survivable.
This is no different between installations of 10 sites or installations of 10,
Lacking Perspective (Score:1)
Sounds to me you've not worked on UCM recently, if at all.
Call Forward No Coverage.
LCR (from the very beginning):
1. Create a Route Group containing the gateway or trunk device for the site you are configuring LCR
2. Create a Route List containing the previously created Route Group
3. Create a Route Pattern for the LCR pointing to the Route List previously created
That's all.
Cisco's Unified Communications Manager platform is extraordinarily well built once you move past version 7.1.3 (6
Re: (Score:1)
I have a client still using first generation phones (bought new at the time) without issue. Sure, some fail over time, but what hardware doesn't?
Hang on (Score:4, Insightful)
A Cisco spokesman said the networking vendor was serious about security and advised users to apply the relevant recommendations in the manual to secure their systems.
[...]
The weaknesses result from Cisco's reliance on web functions that gave users functions at the cost of easier penetration for hackers.
[...]
“The book says to shut off web services,” Wesley said
So why the hell is Cisco shipping devices with features that they themselves recommend disabling for security reasons, unless you have specific need for them, enabled by default?
Re: (Score:1)
[...] Sysinternals software on their download site. (Which many viruses, worms and malware utilized.)
I know that sounds as if I am trolling, but I am genuinely interested. Do you have any citation for that?
Re: (Score:3)
I'm grateful they give the customer the chance to evaluate their own security risks and choose between security and function.
Disabling the features by default, does not take away the customer's ability to evaluate their own security risks and enable what they need. Enabling everything by default is a bad practice, it puts all but the most experienced customers in harm's way. Ever heard of a security concept called 'implicit deny'?
Re: (Score:1)
Out of the box nothing works. Services have to manually be activated and started.
Re: (Score:1)
The recommendation is to disable CDP on interfaces facing towards end user devices and neighbors you don't control, not disabling CDP entirely.
Re: (Score:2)
I don't want to defend Cisco's laziness here, but there is a sort of logic to what they do - especially given all the VARs that end up deploying these systems: the hardware / software is shipped so that it's easiest to deploy out of the box. A phone installation can go wrong in so many different places, it helps in troubleshooting and remote management to have everything open by default, and then start locking things down once it's running. This approach has obvious flaws, but the alternative would be a ni
Re: (Score:3)
Actually, the reason it's so hard to determine the problem is because everything is active. If a system is in locked down status to begin with, you have an easier time figuring out the problem because you only need to work on (1) One issue at a time. Much nicer. Of course it would also help if they'd create a product where the basic functionality worked out of the box and didn't depend on so many proprietary techs.
Re: (Score:1)
I suspect you and the OP have no actual experience with the system, so I'll say the following:
-No engineer I know enables more services than we need. Only inexperienced engineers who don't know what service does what activate them all.
-Troubleshooting isn't as difficult as you make it to be. CUCM includes very detailed logging facilities, the trick is knowing how to read them.
-VoIP security, specifically with CUCM, in my experience is rarely implemented. It's not as big of a problem as this article makes i
Re: (Score:1)
some of the uses may seem trivial, but being able to add a punch-clock application to the desk of every agent at a call center can save a HUGE amount of money every year.
Precisely.
I couldn't find any mention of the specifics of the attack in the article, but if it is related to the services button, then I question how these attacks are being performed. The services button fetches a URL on every press; unless I am missing something (and it's quite possible I am), the only way to do anything malicious is to somehow hijack that request to a custom server informing the phone of some malicious service.
Re: (Score:2)
You pegged my irony meter. Now it's broken.
Hey-- Microsoft just bought Skype! You can use that instead, right?
(now ducking)
Great (Score:2)
There's a phone just like the one in that pic on my desk.
Re: (Score:1)
Scary...
Our city council deploys similar IP phones from Nortel Networks - are they vulnerable, too, I wonder? Fortunately, their physical security is pretty damn good, they seem to know damn well that I'll abuse Ethernet ports if given half a chance, so finding out isn't an option for me...
Re: (Score:3)
I'm not actually worried about external hacking, our corporate IT isn't totally incompetent. I am just less than pleased that my employer themselves can potentially listen to me through my phone even when I am not using it.
Working with SIP is never easy (Score:3, Interesting)
I have been working on the open source softswitch FreeSWITCH http://www.freeswitch.org/ [freeswitch.org] for almost 6 years now.
During that time I have seen SIP continuously evolve to try to cover its own shortcomings, which all stemmed from the simple concept of "If we base it on HTTP, we can use proxies and never have to worry about media". Of course this is not true, and the amount of complexity that is put into each SIP device is much too great, which is probably why Cisco prefers its own lighter "skinny" protocol. Sadly they own Sipura and Linksys and have SIP on their devices using countless hacks that make interop a nightmare. I am sure you can do many of these same attacks on any brand of phone. There are much better reasons out there to curse Cisco for being involved in VoIP. =D
Re: (Score:2)
Agreed. SIP is a particularly bad mess to deal with.
A quick checklist (Score:2)
1. Does your system use software?
2. Is it connected to a network, or does it have any kind of outward-facing attack surface?
3. Is it an embedded system?
4. Is it based on Windows?
5. Is it based on another commercial OS?
6. Does it use a significant number of standard libraries?
7. Is it proprietary, or has it /not/ been subject to significant public attack/repair/analysis.
8. Does it handle any kind of sensitive data, have a microphone that could overhear things, or is it connected to a network that has other k
Re: (Score:1)
I agree. There is nothing new here and the reactions seen in the comments are precisely why I cannot frequent this site anymore.
Specifics on the exploits? Original source? (Score:1)
Summary is misleading (Score:1)
There's no details about anything in that article. Aside from the single picture of one 7975 phone showing RickRolled, it doesn't list vulnerable phone models at all. (Also strange is that the 7975 is a model that doesn't handle video calls on the phone itself, so I'm not sure how a video is playing on it). Despite that, the summary here on Slashdot tells everyone that Cisco's 7900 series of phones is vulnerable with the link given for its "Latest IP Phones". There's more models of phones that Cisco makes.
This is very old (Score:4, Interesting)
Cisco IP phones are not designed to be secure out of the box. They periodically connect to an unsecured FTP site to download firmware and unencrypted password text files. They use DHCP to determine the FTP site and the phone directory. The phones accept remote commands that allow you to control them: push any button, dial calls, turn on/off the speakerphone, etc. Back in 2005 I worked in an office and we had fun telnetting to each other's phones and making them quack or display funny messages or other such nonsense. The articles are light on details but it sounds like nothing has changed.
Re: (Score:1)
I had great fun in medical residency on slow days making the (completely unsecured) Cisco IP phones burp, fart, talk, scream, etc., in the hospital. Of course, this same hospital was dependent on portable communications (cordless IP phones, etc) secured with WEP. Of course, anyone with an iPod in their pocket could shut the entire thing down just by spamming control packets. At one point, I had my laptop in my call room and fired up Backtrack to sniff the network. By 9AM I'd cracked every one of their wirel
So what's the story? (Score:2)
VoIP systems can be compromised/abused? I intercept calls at work ("... for quality assurance and monitoring purposes ..."); if that system was compromised [asterisk.org] someone could certainly demonstrate call interception on a two-bit Asterisk/Polycom setup too.
Not necessarily all bad (Score:2)