VoIP Phones Are Vulnerable To Eavesdropping
January 8, 2013

Researchers Identify Security Vulnerabilities In VoIP Phones

redOrbit Staff & Wire Reports - Your Universe Online

Scientists at Columbia University have discovered serious security vulnerabilities in Cisco's VoIP phones that allow malicious code to be easily inserted, giving hackers the ability to eavesdrop on private conversations from anywhere in the world.

The vulnerabilities apply not only to Cisco's 14 Unified IP Phone models, but to potentially all VoIP phones, said the researchers, who demonstrated the breach at the Chaos Computer Conference in Hamburg last month.

"It's not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications," said Columbia Computer Science Professor Salvatore Stolfo, one of the researchers who discovered the vulnerability.

"It's relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones–they are not secure," Stolfo said.

VoIP devices are used around the world by a wide range of individuals and networked organizations, from governments to banks to major corporations.

Stolfo and Ang Cui, a PhD candidate in Computer Science at Columbia, analyzed the phones' firmware and identified several vulnerabilities. They became particularly concerned with embedded systems that are widely used and networked on the Internet, including VoIP phones, routers, and printers, and focused their research on developing new advanced security technology to protect these systems.

"Binary firmware analysis is commonly used to identify faulty software by the 'white hat' hackers and security scientists and researchers like our team," Stolfo said.

"We performed this analysis to demonstrate a new defense technology, called Software Symbiotes, that protects them from exploitation."

Software Symbiotes is designed to safeguard embedded systems, including routers and printers, from malicious code injection attacks.

"This is a host-based defense mechanism that's a code structure inspired by a natural phenomenon known as symbiotic defensive mutualism," Cui said.

"The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defenses."

The researchers see these Symbiotes as a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement.

"They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation," Cui said.

"And, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses."

"We envision a general-purpose computing architecture consisting of two mutual defensive systems whereby a self-contained, distinct, and unique Symbiote machine is embedded in each instance of a host program," said Stolfo.

"The Symbiote can reside within any arbitrary body of software, regardless of its place within the system stack. It can be injected into an arbitrary host in many different ways, while its code can be 'randomized' by a number of well-known methods."

The host requires the Symbiote to execute successfully at runtime in order to operate. The Symbiote, in turn, monitors its host's behavior to ensure it continues to operate correctly and, if it does not, stops the host from doing harm.

Removal, or attempted removal, of the Symbiote renders the host inoperable.

"The beauty of the Symbiote is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars–systems that we all use every day," said Cui, who plans to demonstrate his technology at a future conference.

Cisco initially released a patch to repair the vulnerabilities discovered by Stolfo and Cui, but it failed to fix the problem.

"It doesn't solve the fundamental problems we've pointed out to Cisco," said Cui.

"We don't know of any solution to solve the systemic problem with Cisco's IP Phone firmware except for the Symbiote technology or rewriting the firmware. We plan to demonstrate a Symbiote-protected Cisco IP Phone at an upcoming conference."

Cisco has since said it plans to release a new patch for the vulnerability, acknowledging that the initial patch did not fix the problem.

A Cisco spokesman said that the company has its top engineers working on mitigations and a permanent patch, and that it plans to issue a security advisory and a detailed mitigation document later this week.

Stolfo and Cui received funding for their research from the Defense Advanced Research Projects Agency (DARPA), Intelligence Advanced Research Projects Activity (IARPA) and the Department of Homeland Security (DHS).

Image 2 (below): Columbia Engineering's computer science Ph.D. candidate Ang Cui designed this device to plug into a Cisco phone and download malware, showing the vulnerabilities of the phone. Credit: Columbia Engineering