Back in December, there was a public demonstration of how relatively easy it can be to hack a VoIP phone system. The product used in the demo belonged to Cisco, and let’s just say the vulnerability uncovered got the company’s attention, as can be seen in its recent security advisory.
Ang Cui, a fifth-year grad student at the Columbia University Intrusion Detection System Lab who specializes in showing the vulnerabilities of embedded systems, uncovered the problem. Although embedded systems are typically deemed secure, Cui’s recent hacking success should make everyone in the VoIP and embedded systems communities uncomfortable, not just Cisco.
The reason for the discomfort is that by 2015, 4 billion embedded system units will be shipped, requiring 14.5 billion microprocessor cores. With revenue of $2 trillion, this is an industry that covers virtually every sector of our modern world. These systems are in toys, automobiles, military hardware, communications systems, medical equipment, traffic lights, safety equipment and every gadget you can think of. If the breach Cui demonstrated has your attention now, then you know why everyone is talking about it.
The demonstration was based on previous successful attempts on printer firmware updates. Once a printer was compromised in this manner, it could be accessed remotely, even behind a firewall, to look at the documents being printed or stored on it. Furthermore, the printer could be used to initiate offensive attacks.
This type of attack was based on a Cold War tactic used by the Soviet Union to spy on the United States. During that era, the Soviets gave the US embassy in Moscow typewriters that were rigged to reveal what was being typed by transmitting the position of the balls on the electronic typewriters. The Gunman Project, as it was called, wasn’t discovered until the 1980s, long after countless messages had been transmitted to the Soviets.
Cui called his HP-RFU (HP Remote Firmware Update) LaserJet printer vulnerability modification study Gunman Project v2 because it highlighted the same vulnerabilities plus additional modes of attack. He said they have identified more than 90,000 unique vulnerable printers in different organizations, including the government, where sensitive information is being retrieved on these printers. Although the study highlighted the flaw in the HP printers, Cui and his colleagues said it is seen in other embedded systems and can be generalized and applied to other device types.
The number of vulnerable printers alone is incredible. In a single quarter in 2010, HP alone shipped 11.9 million units. When you multiply that by all the manufacturers of just one product, and multiply it again by all the products with embedded systems, the gravity of the situation starts to sink in.
His attack on the Cisco VoIP phone required him to insert and remove additional parts from the phone’s Ethernet port, but according to Cui this was not necessary. This exposure gave him the ability to use his smartphone to intercept what was being said near the VoIP phone while it was still ‘on-hook’. He said that once one phone is breached, the entire network would be vulnerable, and that a remote attack could be accomplished without physically touching the phone. Based on his results, he briefed U.S. federal government agencies on the possibility that the Cisco Unified VoIP phones they are using could face serious attacks.
The affected Cisco Unified IP Phones are 7906, 7911G, 7931G, 7941G-GE, 7941G, 7942G, 7645G, 7961G-GE, 7961G, 7962G, 7965G, 7970G, 7971G-GE and 79575G.
Cisco said it doesn’t have a fix at this moment, but it plans to release an Engineering Special the week of January 21, 2013. The focus of the release will be to close any known attack vectors highlighted in the advisory.
The statement from the company further said, “The company maintains a very open relationship with the security community and we view this as vital to helping protect our customers’ networks. We can confirm that workarounds and a software patch are available to address this vulnerability, and note that successful exploitation requires physical access to the device serial port, or the combination of remote authentication privileges and non-default device settings. Cisco thanks Ang Cui and Salvatore Stolfo for allowing our team to validate the vulnerability and prepare a software patch ahead of the presentation. A formal release note for customers was issued on November 2nd (bug id: CSCuc83860) and we encourage any customers with related questions to contact the Cisco TAC.”
Edited by Peter Bernstein