CPNI - Centre for the Protection of National Infrastructure


November 2007

3504 - Cisco Unified IP Phone Remote Eavesdropping

ID: 3504
Date: 29/11/2007

Title: 3504 - Cisco Unified IP Phone Remote Eavesdropping
Platform level affected: Hardware
Hardware components affected: Telephony
Other software: Other
Vendors affected: Cisco
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote access
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Workaround
Source: Cisco
Reliability of source: Trusted
Source URL: http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml
Abstract: Cisco PSIRT response to a technique designed to remotely eavesdrop using Cisco Unified IP Phones.

Cisco Security Response: Cisco Unified IP Phone Remote Eavesdropping

http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml

Revision 1.0

For Public Release 2007 November 28 1600 UTC (GMT)

----------------------------------------------------------------------------

Cisco Response
==============

This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007 security conference by Joffrey Czarny of Telindus regarding a technique to remotely eavesdrop using Cisco Unified IP Phones.

The original report is available at the following link:

http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf

We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.

This Cisco Security Response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml

Additional Information
======================

Cisco confirms that an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream. This ability can be exploited to perform a remote eavesdropping attack. All Cisco IP Phones that support the Extension Mobility feature are vulnerable.

For this attack to be possible, several conditions need to be satisfied:

  * The internal web server of the IP phone must be enabled. The web server is
    enabled by default.
  * The IP phone must be configured to use the Extension Mobility feature,
    which is not enabled by default.
  * The attacker must possess or obtain valid Extension Mobility authentication
    credentials.

Extension Mobility authentication credentials are not tied to individual IP phones. Any Extension Mobility account configured on an IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack.

To obtain Extension Mobility authentication credentials, an attacker needs physical access to the network to sniff credentials. This can be accomplished by inserting a sniffing device between an IP phone and switch port.

Before eavesdropping can occur, the user who is logged into the IP phone via Extension Mobility must first be logged off of the IP phone. This can be accomplished by sending an Extension Mobility logout message to the IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server.

If exploitation is successful, any IP phone that is undergoing an eavesdropping attack will have its speaker phone status light enabled, and the phone will display an off-hook icon that indicates an active call is in progress. Internal testing by Cisco also revealed that the described attack produced static noise on the IP phone while it was under attack.

Workarounds
===========

There are workarounds to combat this attack:

  * Disable the internal web server on IP phones.
  * Disable the Extension Mobility feature on IP phones.
  * Disable the speaker phone / headset functionality on IP phones.

This attack can also be mitigated by restricting access to the internal web server of IP phones (TCP port 80) using an access control list (ACL).
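
An ACL only provides this mitigation if the rule that blocks TCP port 80 is matched before any broader permit. The following is an added example, not part of the Cisco response or the CPNI advisory: a first-match evaluator that checks which sources can still reach a phone's web server. The addresses, the management station and the rule sets are constructed assumptions.

```python
"""Added example: first-match check that an ACL really blocks TCP/80 to phones."""
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not taken from the advisory).
PHONES = ip_network("10.20.0.0/24")   # voice VLAN holding the IP phones
ADMIN = ip_network("192.0.2.10/32")   # management station allowed to reach phones
ANY = ip_network("0.0.0.0/0")

# Rule: (action, protocol, source net, destination net, destination port or None = any)
HARDENED = [
    ("permit", "tcp", ADMIN, PHONES, 80),
    ("deny",   "tcp", ANY,   PHONES, 80),
    ("permit", "ip",  ANY,   ANY,    None),
]
# Same rules, but the catch-all permit comes first and shadows the deny.
MISORDERED = [HARDENED[2], HARDENED[0], HARDENED[1]]


def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if src in r_src and dst in r_dst and r_port in (None, dport):
            return action
    return "deny"  # implicit deny at the end of the list


def web_exposure(acl, probes):
    """List the probe sources that can still reach a phone's web server on TCP/80."""
    phone = str(next(PHONES.hosts()))
    return [s for s in probes if evaluate(acl, "tcp", s, phone, 80) == "permit"]


# Constructed probe sources: management station, user PC, guest network host.
PROBES = ["192.0.2.10", "10.30.0.55", "10.40.0.9"]

if __name__ == "__main__":
    print("hardened  :", web_exposure(HARDENED, PROBES))
    print("misordered:", web_exposure(MISORDERED, PROBES))
```

With the hardened ordering only the management station reaches TCP port 80 on the phones, while other traffic such as the RTP audio itself still falls through to the final permit.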

For more information about Cisco-recommended best practices for securely deploying Cisco Unified IP Phones, reference this link:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008085f858.html#wp1045452

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0  | 2007-November-28  | Initial public release  |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

----------------------------------------------------------------------------
All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved.
----------------------------------------------------------------------------

Updated: Nov 28, 2007                                       Document ID: 100252

----------------------------------------------------------------------------

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Thu, 29 Nov 2007 00:00:00 GMT
Domain affected: Technical