Slashdot Mirror


Call Interception Demonstrated On New Cisco Phones

mask.of.sanity writes "Researchers have demonstrated a series of exploits that turn Cisco IP phones into listening bugs, and could allow a denial of service attack capable of silencing a call center. It allows internal staff and competitors with a little publicly-available information to hijack the phones, wiretap calls and eavesdrop on confidential meetings. The attacks work through a sequence of exploits against the latest Cisco phones enabled to run off the shelf. Most people are vulnerable, the researchers say, because they do not harden their systems in line with recommended security requirements."

90 comments

  1. Enterprise Systems by Anonymous Coward · · Score: 1

    Do we need any more evidence that 'enterprise level' is nothing more than a euphemism for 'poorly understood clusterfuck' ?

    1. Re:Enterprise Systems by fuzzyfuzzyfungus · · Score: 5, Funny

      Your ill-understood slander of Enterprise Solutions will not be tolerated.

      Any two-bit neckbeard with a sourceforge account can create a "poorly understood clusterfuck."

      However, only by leveraging the organizational synergies of a corporation committed to customer-centric excellence across multiple value centers is it possible to create a "poorly understood clusterfuck" backed by overpriced consultants, soporific slide decks, documentation that addresses the hypothetical case of a 50,000 seat installation across hundreds of multinational satellite sites; but fails to have any useful information on why some critical service leaks memory and needs to be restarted every 18 hours, a custom set of Vizio(tm) objects that allows middle managers and Certified Solution Architects to emulate understanding of the system with impressive graphical flourishes, and a mandatory "maintenance contract" that makes you eligible to pay a per-incident fee to have some poor dude in Hyderabad read a script at you.

      Freetards, they just don't understand the value of good commercial Solutions.

    2. Re:Enterprise Systems by pushing-robot · · Score: 3, Funny

      I dunno; when you go to Cisco.com and click on Enterprise, you're presented with the line:

      "Break down barriers to reach people and information wherever and whenever you need them."

      Sounds like they understand it perfectly.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:Enterprise Systems by Zerth · · Score: 1

      It'd be awesome if companies would just put the script they give the guys in Hyderabad on the web so I can read through it myself.

      That would help me avoid calling, as well as plan my responses when I do call to minimize the time to reach somebody who has actually used the product.

    4. Re:Enterprise Systems by Sarten-X · · Score: 3, Funny

      Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.

      ...

      Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.

      ...

      Shenk you far callink Eenterprice Grummar Solootions. Moy nam is "Jason". How cane I be helpink you today?

      I see you are havink a service agreement with us. Zees ees very good. I will be transferrink you now to "second-tier support". Thank you for callink us today. Goodbye.

      ...

      Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.

      ...

      Entaprise Gramma Solutions. This is Bob. What can I do for ya?

      All-righty. Ye've got yerself a nice little post there. Now, that there semicolon in your third paragraph should be a comma. That's it. Now, according to this here agreement, you'll be billed $99.95 for this call. Thanks for callin'.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:Enterprise Systems by Anonymous Coward · · Score: 0

      Enterprise level ONLY means you have a toll free number to call and a support account number to use when the shit hits the fan and mid levels can cover their asses by simply stating, "I have a ticket in with $COMPANY. They better have a good explanation when they call back". Rarely if ever are the non technical managers and bosses in on the eventual phone conference with the $COMPANY when they tell you that you are 3 versions behind, your firewall is jacked and you had some things set up wrong. Of course you can then blame those things on the $CONSULTANT that helped you with the initial setup 2 years ago. I'm sure there is an email that you forgot about where $CONSULTANT specially stated you were responsible for updates and he/she set it up the way YOU wanted it against best practices because you needed a certain function to work a certain way to justify the cost of the project.

    6. Re:Enterprise Systems by Dersaidin · · Score: 1

      Oh, that explains how Skype was worth $8.5 billion.

    7. Re:Enterprise Systems by datapharmer · · Score: 1

      Wow, that is eerily accurate. In an IT office for a network I took over management of there are rows of filing cabinets. Among the thousands and thousands of pages of electronic manuals and config files pointlessly printed on a laser printer are some email correspondence that sound almost identical to what you wrote. Not sure why the previous guy printed all that out, he clearly didn't read or understand any of it given how the network was set up. That's ok though, he hired a consultant at some absurd rate to explain the basics of how to keep it from melting down by holding his mouth just right. Boy was that a fun mess to clean up.

      --
      Get a web developer
    8. Re:Enterprise Systems by bell.colin · · Score: 1

      "Enterprise Solutions"
      "leveraging the organizational synergies"
      "customer-centric excellence"
      "value centers"
      "consultants"
      "Vizio(tm)"
      "Certified Solution Architects"

      My marketing/buzzword BS meter just caught fire after reading this.

    9. Re:Enterprise Systems by chefmonkey · · Score: 1

      That's not tier 2 support! That's straight off the "reboot your paragraph" script they give to the first-line flunkies. From http://www.hamilton.edu/writing/writing-resources/common-writing-mistakes --

      As a strong comma, [the semicolon] can be used to provide strong separation of two independent clauses with a coordinating conjunction (normally, a comma provides this separation) or to separate a series of phrases or clauses with internal commas.

      (emphasis mine).

      The clause preceding the semicolon has a number of internal commas. The use of a semicolon serves to make it clear that the following words are not part of the list of things by which the clusterfuck is backed.

      "Proper" English grammar is a lot more nuanced (and regionally varied) than most people are willing to believe, and it's certainly more complex than the dozen or so rules you learned in elementary school.

    10. Re:Enterprise Systems by Anonymous Coward · · Score: 0

      I work for a company with "Enterprise Solutions" in the name. The rest of it is purposefully misspelled. ...

      I hate this company.

    11. Re:Enterprise Systems by Sarten-X · · Score: 1

      ...so you're saying that Enterprise Grammar Solutions is as functional as any other "enterprise" solution?

      --
      You do not have a moral or legal right to do absolutely anything you want.
    12. Re:Enterprise Systems by Bryansix · · Score: 1

      This is so true. This is a big reason why instead of using a one-time consultant, you should use a managed services provider who actually monitors, updates and maintains your network.

    13. Re:Enterprise Systems by Bryansix · · Score: 1

      Let's stop being disingenuous here. This article is about Cisco. If you purchase and maintain a Cisco SmartNet contract on a piece of equipment then you can call (toll-free) into TAC (technical assistance center) and speak directly with an engineer who probably knows more about IOS than you could dare to learn in a lifetime. This engineer will then usually be able to immediately connect to your device and fix the problem. No other company has had better support and I do this for a living.

    14. Re:Enterprise Systems by swalve · · Score: 1

      I agree. I am very impressed with the detail and rigor that goes into the Cisco training. I haven't seen anything close to it since the old Compaq x000 series of Proliants was introduced, or the older HP Laserjets, where the manuals were delightfully Apple II-like. Imagine, teaching people EVERYTHING about a system.

    15. Re:Enterprise Systems by Anonymous Coward · · Score: 0

      Three little changes:

      c/50,000/60,000/
      c/hundreds/thousands/
      c/Hyderabad/Chennai/

      and I'd swear you work for my company^H^H^H^H^H^H^Henterprise!

    16. Re:Enterprise Systems by Anonymous Coward · · Score: 0

      Bitter ShoreTel employee is bitter.

    17. Re:Enterprise Systems by Anonymous Coward · · Score: 0

      ..., as well as plan my responses when I do call to minimize the time to reach somebody who has actually used the product.

      As one of the 'poor dudes in Hyderabad'....I agree.
      They are basically using people as TTS engines, rather than as knowledgeable professionals. This is, in part, due to the view that standardization is necessary in support interactions. Solution? Give everyone the same script!
      The other reason is that most companies can't be bothered with giving employees hands-on experience with the products they support (with the notable exception of Dell). Why? Because with the script that was created for standardization, actual knowledge is purely optional!

      And that is why the "Indian Call Center" experience is as bad as it is.

  2. As Elton John says by Anonymous Coward · · Score: 0

    hold me closer frosty poster

    1. Re:As Elton John says by clang_jangle · · Score: 1

      Hehe...

      Hold me closer frosty poster
      count the exploits zero day
      sniff my TCP/IP
      you had a busy day today

      --
      Caveat Utilitor
  3. Most people? by Anonymous Coward · · Score: 0

    Most people using Cisco phones are vulnerable

    FTFY!

    1. Re:Most people? by KingRatMass · · Score: 1

      And it's all the fault of Apple, Microsoft AND George Bush!

      FTFY!

  4. Security is #1 by BoRegardless · · Score: 3, Insightful

    There have been so many security holes in all sorts of hardware and for so long, that I have to think that there is a basic failure of top management to understand and grasp the issues involved in the trust people place in their products.

    Having top managers make decisions on whether a program gets top flight security implemented from day 1 of a program's inception would be a big mistake.

    Security today ought to be #1. Ask Sony for instance, or any one of the other dozen recent companies who have failed basic updates to their servers even after the lack of updates was published publicly online.

    Sheesh. What does it take to get top management "on board".

    1. Re:Security is #1 by VortexCortex · · Score: 1

      The cost of doing business is rarely the price of doing business.

    2. Re:Security is #1 by BoRegardless · · Score: 2

      "The cost of doing business is rarely the price of doing business."

      Very good point. Warren Buffett noted "Price is what you pay; Value is what you get"

      For managers who slack on security, "Security Cost is what you pinch on; crisis is what you get"

    3. Re:Security is #1 by speculatrix · · Score: 1

      For yoda: is security cost what you pinch on is; is crisis what you get!

    4. Re:Security is #1 by mcmonkey · · Score: 1

      In Soviet Russia: security cost pinches you!

    5. Re:Security is #1 by swalve · · Score: 1

      This is what you get when you put "operating systems" on things like toasters, telephones and gas pedals, rather than purpose built firmware. We will figure it out eventually, I hope.

  5. WHEW! by Lumpy · · Score: 2

    Glad I only run cisco phones that are outdated and run a SIP firmware.

    Cisco makes great hardware, but their phone system software (and pricing) utterly sucks. I am doing things with asterisk here at the office that makes the cisco rep's jaw drop.

    --
    Do not look at laser with remaining good eye.
    1. Re:WHEW! by Anonymous Coward · · Score: 0

      Awesome.

      Now do it at a 20K phone deployment.

    2. Re:WHEW! by Lumpy · · Score: 1

      Not a problem. You never have done an Asterisk deployment before, have you?

      --
      Do not look at laser with remaining good eye.
    3. Re:WHEW! by Anonymous Coward · · Score: 0

      Ok, so what specifically are you doing? I play with Cisco Communications Manager for a living right now, and while it does SOME great stuff, you gotta pay like crazy for it. Unfortunately, there are a lot of things they only get 90% right.

    4. Re:WHEW! by Greyfox · · Score: 2

      You forgot to mention you work at www.asteriskporn.com...

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    5. Re:WHEW! by Lumpy · · Score: 2

      Auto forwarding users call to their cellphones if they are in the office or not.

      Get up and leave the building, when your cellphone can no longer be seen via BT it forwards your calls to your cellphone. returns to your desk phone when you return. nothing for you to do. it's all automatic.

      And then we have the telemarketer incoming call hell... anyone can transfer a call they receive to extension 8000. it puts that caller into a virtual "person" that plays back a random audio file every time the other side stops talking based on silence detection... "yeah", "tell me more", "what other features?", "ok", "yes", "just a minute".... also it blacklists that number to never ring a phone but go directly to the general voicemail box.

      Also least cost routing is a LOT easier. I route calls to land line outgoing if we have an office at that location, it goes across the T1 to that office and out their POP. we dropped long distance costs by 80% over the past 6 years we have done this. Plus I can run a 200 phone office location on a single low end server that costs LESS than the licensing cost for a cisco 50 phone deployment. Multiple stand alone systems that inter-tie work Fantastic. plus net outages don't make a satellite office useless unlike a centralized Cisco setup.

      --
      Do not look at laser with remaining good eye.
    6. Re:WHEW! by Anonymous Coward · · Score: 0

      My thoughts exactly. whether it be 1000 phones or one, it's still the same procedure.

      and am I the only one here that's bothered by the fact that these companies deploying mass quantities of phones are doing so AGAINST best practices and getting burned? honestly, if you're going to deploy a large number of anything, you better damn well know how to turn off EVERY feature except what you need.

      On top of it, one could simply firewall at the switch port to only allow sip+dhcp+icmp from the phones. (unless for some crazy reason they fail at vlan'ing and honestly have a single broadcast domain containing hundreds of devices)

      but then again, I have worked with countless 1000+ person companies that had deployed a core of 22 Ovislink 48 port layer two's. so I'm never surprised these days.

    7. Re:WHEW! by speculatrix · · Score: 1

      you could probably do some dns and arp poisoning so that when phones boot they will use your tftp server to acquire their configurations and not the company one, so even if the phones' configs are apparently secure, you have to protect your lan.

    8. Re:WHEW! by Anonymous Coward · · Score: 0

      My thoughts exactly. whether it be 1000 phones or one, it's still the same procedure.

      and am I the only one here that's bothered by the fact that these companies deploying mass quantities of phones are doing so AGAINST best practices and getting burned? honestly, if you're going to deploy a large number of anything, you better damn well know how to turn off EVERY feature except what you need.

      On top of it, one could simply firewall at the switch port to only allow sip+dhcp+icmp from the phones. (unless for some crazy reason they fail at vlan'ing and honestly have a single broadcast domain containing hundreds of devices)

      but then again, I have worked with countless 1000+ person companies that had deployed a core of 22 Ovislink 48 port layer two's. so I'm never surprised these days.

      You know how I know you're not a network person?

    9. Re:WHEW! by DarkOx · · Score: 1

      I am not saying Unified Communications Manager is the be all and end all of enterprise phone systems but don't make up facts. I even agree with you that Asterisk and other solutions are superior.

      Still a properly deployed Communications Manager solution is NOT centralized you should either have an independent installation at each site trunking (for very large orgs) or you should have a member of the cluster at remote sites, for very small remote sites you should be running a router with CMFallback configured. So survivability really should not be a problem

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    10. Re:WHEW! by Anonymous Coward · · Score: 0

      I tested Cisco phones historically and they didn't last under heavy usage.

    11. Re:WHEW! by citylivin · · Score: 2

      Apparently, there is no central configuration for the phones (hardware) and all the phones need to be locally configured. That is just what I have heard about asterisk VS ccm. Because asterisk is all orientated towards POTS line cards and not IP phones. It was designed as an analog system, with some digital tacked onto it as an afterthought. Meanwhile the new cisco call manager has polished their SIP support (I have heard, we don't have it yet) so that most things that you need SCCP for have now been reimplemented in SIP on ccm.

      For instance, how would you centrally assign multiple lines to a phone? hand edit every xml file on the tftp server? you're gonna do that for 2000 phones?

      Of course I'm not an asterisk expert, but I am a collector of anecdotes. Cisco Call manager has been pretty rock solid for us. I can't even remember any major issue in the last 5 years.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    12. Re:WHEW! by Amouth · · Score: 1

      i'm not arguing with your assessment but in theory you can do it if you have a layer3 capable switch..

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    13. Re:WHEW! by Anonymous Coward · · Score: 0

      And just how's that?

      don't tell me you leave ports open blind to any traffic that wants to traverse them?

      step one in any secure system: disable everything.
      step two: only enable what you know is safe.

      honestly, add all your phone ports in question to a vlan, and mark the vlan
      int vlanx
        ip access-group xxx in
      With:
      access-list xxx permit tcp host [host ip] host [sip server] eq [portnum]
      access-list xxx deny ip any any

      In the case of several customers I've set this up to dynamically remove DHCP from the ports after boot via SNMP. the whole process is fully automatic and requires manual intervention only when new phones are added or moved.
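
Added example, not part of the comment above or of the original thread: a small Python model of first-match ACL evaluation applied to the two-entry list in that comment, used to check which boot-time flows the list would also drop. All addresses, the port 5060 standing in for `[portnum]`, the flow list and the extended list are constructed assumptions; the model covers only routed traffic entering the VLAN interface, not traffic bridged inside the VLAN.

```python
"""Model of IOS-style first-match ACL evaluation for a phone VLAN (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
# Constructed placeholder addresses; none of them come from the thread.
PHONE, SIP_SERVER = "10.20.0.15", "10.10.0.5"
TFTP_SERVER, WORKSTATION = "10.10.0.6", "10.30.0.44"


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" for any protocol
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    src: str
    dst: str
    dport: int
    required: bool                # needed for the phone to boot and register?


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("ip", flow.proto)
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); the first match wins."""
    for index, rule in enumerate(acl):
        if matches(rule, flow):
            return rule.action, index
    return "deny", None           # implicit deny when no entry matches


def broken_required_flows(acl: List[Rule], flows: List[Flow]) -> List[str]:
    """Names of flows the phone needs that the ACL would drop."""
    return [f.name for f in flows
            if f.required and evaluate(acl, f)[0] == "deny"]


# The two entries from the comment, with 5060/tcp assumed for [portnum].
COMMENT_ACL = [
    Rule("permit", "tcp", PHONE + "/32", SIP_SERVER + "/32", 5060),
    Rule("deny", "ip", ANY, ANY),
]

# Assumed extension: also let the phone fetch its config and get a lease.
# TFTP moves off port 69 after the first packet, so no port is pinned.
EXTENDED_ACL = [
    COMMENT_ACL[0],
    Rule("permit", "udp", PHONE + "/32", TFTP_SERVER + "/32"),
    Rule("permit", "udp", "0.0.0.0/32", "255.255.255.255/32", 67),
    COMMENT_ACL[1],
]

# Constructed flows as seen inbound on the phone VLAN interface.
FLOWS = [
    Flow("sip-tcp-signalling", "tcp", PHONE, SIP_SERVER, 5060, True),
    Flow("sip-udp-signalling", "udp", PHONE, SIP_SERVER, 5060, False),
    Flow("tftp-config-fetch", "udp", PHONE, TFTP_SERVER, 69, True),
    Flow("dhcp-discover", "udp", "0.0.0.0", "255.255.255.255", 67, True),
    # Reply from the phone's web interface to a workstation on another VLAN.
    Flow("phone-web-ui-reply", "tcp", PHONE, WORKSTATION, 51000, False),
]

if __name__ == "__main__":
    for label, acl in (("comment ACL", COMMENT_ACL), ("extended ACL", EXTENDED_ACL)):
        print(label)
        for flow in FLOWS:
            action, index = evaluate(acl, flow)
            print(f"  {flow.name:22} {action:6} (entry {index})")
        print("  required flows dropped:", broken_required_flows(acl, FLOWS))
```
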

    14. Re:WHEW! by Anonymous Coward · · Score: 0

      I tested Cisco phones historically

      You mean like back in the Middle Ages?

    15. Re:WHEW! by Iam9376 · · Score: 1

      I have a client still using first generation phones (bought new at the time) without issue. Sure, some fail over time, but what hardware doesn't?

    16. Re:WHEW! by Dare+nMc · · Score: 1

      Post says they were using Cisco phones, cisco phones use a tftp server to get the configs, based off of mac address. I set up 25 phones, all multi line, used the "trixbox" install of asterisk, that had the tftp server, web interface, and everything all tied together as a single install. With Trixbox, just use the web interface it does all of this for you. The only difficult part was, updating the Cisco phones to the sip image, so many of the Cisco firmwares were screwed up and wouldn't allow installing from certain versions to others, so I would have to do several firmware updates... but only to get a new phone to the SIP firmware.

    17. Re:WHEW! by swalve · · Score: 1

      But he said broadcast domain!!

    18. Re:WHEW! by Iam9376 · · Score: 1

      Still a properly deployed Communications Manager solution is NOT centralized

      Where did you learn to design enterprise telephony systems? You've got it half right.

      Centralized deployment models have numerous advantages from cost to configuration and maintenance, and it also reduces overall system complexity.

      Best practice is a centralized deployment model with a local voice gateway connected to the PSTN per site (MGCP, H323, SIP, doesn't matter) configured for SRST (call-manager-fallback).

      Simple.
      Clean.
      Survivable.

      This is no different between installations of 10 sites or installations of 10,000 and is why it's so damn effective.

      Decentralized deployments need to have strict justification, otherwise you're wasting your time and energy.

    19. Re:WHEW! by Iam9376 · · Score: 1

      I'm going to partially agree with the OP here.

      Phones speak more than just SIP, ICMP and DHCP, at least intelligent phones do.

      FYI- In many cases, particularly where external companies are implementing the system, the voice engineers don't have access to the network; we can only recommend solutions, it's not up to us to implement them.

      When was the last time you deployed a 50,000 user telephony system? It's not always as simple as "following best practices", particularly when you begin integrating 3rd party solutions, ranging from voice mail to ivr to any of the other numerous technologies you can add on.

      Anything sufficiently complex enough will have problems somewhere along the line, that's the nature of things created by beings of our limited mental capacity.

    20. Re:WHEW! by Anonymous Coward · · Score: 0

      Firewall the switchport? Please stop talking. You're making my brain hurt.

    21. Re:WHEW! by jon3k · · Score: 1

      Then it's not a "switch port", at least in Cisco parlance. It's a "routed port" or "layer 3 interface". The command is literally "no switchport".

    22. Re:WHEW! by Lumpy · · Score: 1

      If you can do that then I have far bigger problems than someone listening to Dave in Accounting go on and on about how his boat is so expensive to maintain, and Mary in marketing talk about her poodle....

      Once you own my phone system network, I have far bigger problems.

      --
      Do not look at laser with remaining good eye.
    23. Re:WHEW! by Lumpy · · Score: 1

      "Apparently, there is no central configuration for the phones (hardware) and all the phones need to be locally configured. That is just what I have heard about asterisk VS ccm." Then you have heard bad information. I can auto configure 20,000,000,000,000,000,000 phones with asterisk, not a problem at all.

      --
      Do not look at laser with remaining good eye.
    24. Re:WHEW! by Amouth · · Score: 1

      that depends on the cisco device - if you're trying to do routing on a switch block on an nm module in a router yes but you can use PACL's on switch ports without having to treat them as routed ports

      http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1039754

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  6. Once upon a time... by Anonymous Coward · · Score: 1

    My naive inexperienced self presumed 'Enterprise' to mean rock-solid, if not crufty software like Solaris, AIX, etc. Not shiny by any stretch of the imagination, but solid.

    Now I know the truth, that by and large 'Enterprise' software is entirely convoluted fragile pieces of crap that mandates large amounts of work to maintain. They do not win because of quality, they win based on schmoozing salespeople and executives and/or architects intentionally sabotaging things for the sake of job security.

    1. Re:Once upon a time... by swalve · · Score: 1

      "Enterprise" means systems that are scalable, expensive, and have better warranties.

  7. Hang on by Spad · · Score: 3, Insightful

    A Cisco spokesman said the networking vendor was serious about security and advised users to apply the relevant recommendations in the manual to secure their systems.
    [...]
    The weaknesses result from Cisco's reliance on web functions that gave users functions at the cost of easier penetration for hackers.
    [...]
    “The book says to shut off web services,” Wesley said

    So why the hell is Cisco shipping devices with features that they themselves recommend disabling for security reasons, unless you have specific need for them, enabled by default?

    1. Re:Hang on by Anonymous Coward · · Score: 0

      This is nothing new, Spad.

      Cisco ships all IOS devices with CDP (cisco discovery protocol) which allow cisco devices to detect neighboring cisco devices and give you information about them.

      Cisco has for years recommended this be disabled for security reasons but they understand that it's a valuable tool that people want. I'm grateful they give the customer the chance to evaluate their own security risks and choose between security and function.

      If you want to split hairs, you could ask the same question to Microsoft for shipping windows with Ping built in, or providing Sysinternals software on their download site. (Which many viruses, worms and malware utilized.)

    2. Re:Hang on by Klync · · Score: 1

      I don't want to defend Cisco's laziness here, but there is a sort of logic to what they do - especially given all the VAR's that end up deploying these systems: the hardware / software is shipped so that it's easiest to deploy out of the box. A phone installation can go wrong in so many different places, it helps in troubleshooting and remote management to have everything open by default, and then start locking things down once it's running. This approach has obvious flaws, but the alternative would be a nightmare to deploy.

      Given this situation, I think customers and VAR's need to be more conscious about security. Maybe Cisco could audit their VAR's to see how good they are at implementing the lock-down checklist. Or maybe they could provide such a checklist directly to the end customer.

      --

      ----
      Not to be confused with Col.
    3. Re:Hang on by Anonymous Coward · · Score: 0

      because people DO like to use those features.

      this has been mentioned before, the feature in question is the "services button" which Cisco feels leaving enabled will get managers to ask IT people about what kind of services they can add to the phones. (presuming they hadn't done so prior to the new phone system purchase)

      some of the uses may seem trivial, but being able to add a punch-clock application to the desk of every agent at a call center can save a HUGE amount of money every year. (and the boss likes the weather app, before deciding to go golfing. :P)

    4. Re:Hang on by postbigbang · · Score: 1

      You pegged my irony meter. Now it's broken.

      Hey-- Microsoft just bought Skype! You can use that instead, right?

      (now ducking)

      --
      ---- Teach Peace. It's Cheaper Than War.
    5. Re:Hang on by jeyk · · Score: 1

      [...] Sysinternals software on their download site. (Which many viruses, worms and malware utilized.)

      I know that sounds as if I am trolling, but I am genuinely interested. Do you have any citation for that?

    6. Re:Hang on by fast+turtle · · Score: 2

      Actually, the reason it's so hard to determine the problem is because everything is active. If a system is in locked down status to begin with, you have an easier time figuring out the problem because you only need to work on (1) One issue at a time. Much nicer. Of course it would also help if they'd create a product where the basic functionality worked out of the box and didn't depend on so many proprietary techs.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    7. Re:Hang on by Anonymous Coward · · Score: 0

      Cisco DOES ship with this off. Current firmware ships with webAccess set to false, which has been the behavior for the last year. This only affects old firmware 9.x.

      While we're at it, I suppose we can raise a stink about year old MS & Linux exploits, too, that may be present on an install CD I have lying around from last year? Surely there are a bunch of those?

    8. Re:Hang on by Anonymous Coward · · Score: 1

      I think he is referring to the use of PsTools. I've personally dissected viruses which have used that set of utilities as part of their payload but this was years ago before SysInternals even belonged to Microsoft and the viruses I saw which used them were very unsophisticated. Either way, I don't see how it's relevant to Cisco having unsafe-defaults.

    9. Re:Hang on by wiedzmin · · Score: 2

      I'm grateful they give the customer the chance to evaluate their own security risks and choose between security and function.

      Disabling the features by default does not take away the customer's ability to evaluate their own security risks and enable what they need. Enabling everything by default is a bad practice, it puts all but the most experienced customers in harm's way. Ever heard of a security concept called 'implicit deny'?

      --
      Bow before me, for I am root.
    10. Re:Hang on by Iam9376 · · Score: 1

      The recommendation is to disable CDP on interfaces facing towards end user devices and neighbors you don't control, not disabling CDP entirely.

    11. Re:Hang on by Iam9376 · · Score: 1

      Out of the box nothing works. Services have to manually be activated and started.

    12. Re:Hang on by Iam9376 · · Score: 1

      I suspect you and the OP have no actual experience with the system, so I'll say the following:

      -No engineer I know enables more services than we need. Only inexperienced engineers who don't know what service does what activate them all.
      -Troubleshooting isn't as difficult as you make it to be. CUCM includes very detailed logging facilities, the trick is knowing how to read them.
      -VoIP security, specifically with CUCM, in my experience is rarely implemented. It's not as big of a problem as this article makes it seem. Furthermore, if the malicious person is on your network, you've got a general security problem. If the malicious person is physically connected to your network, you have other problems to worry about.
      -Not all third party applications support SRTP and will break if implemented.
      -Overall platform stability and security comes down to who deployed it.

      As a design/implementation engineer, I can say we only harden systems when there is a specific requirement for it or by request. It is not general practice, nor should it be.

      I suspect that last sentence will bring down the herd so I shall clarify:
      Implementing security has a lot of implications, not only from a technology standpoint but from a political/office politics standpoint as well. Careful consideration is needed before deploying.

    13. Re:Hang on by Iam9376 · · Score: 1

      some of the uses may seem trivial, but being able to add a punch-clock application to the desk of every agent at a call center can save a HUGE amount of money every year.

      Precisely.

      I couldn't find any mention of the specifics of the attack in the article, but if it is related to the services button, then I question how these attacks are being performed. The services button fetches a URL on every press; unless I am missing something (and it's quite possible I am), the only way to do anything malicious is to somehow hijack that request to a custom server informing the phone of some malicious service.

    14. Re:Hang on by swalve · · Score: 1

      Security is the customer's problem to implement how they choose. Out of the box, a thing should work.

  8. Great by DinDaddy · · Score: 1

    There's a phone just like the one in that pic on my desk.

    1. Re:Great by webmistressrachel · · Score: 1

      Scary...

      Our city council deploys similar IP phones from Nortel Networks - are they vulnerable, too, I wonder? Fortunately, their physical security is pretty damn good, they seem to know damn well that I'll abuse Ethernet ports if given half a chance, so finding out isn't an option for me...

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen

    2. Re:Great by DinDaddy · · Score: 2

      I'm not actually worried about external hacking, our corporate IT isn't totally incompetent. I am just less than pleased that my employer themselves can potentially listen to me through my phone even when I am not using it.

  9. Working with SIP is never easy by anthm · · Score: 3, Interesting

    I have been working on the open source softswitch FreeSWITCH http://www.freeswitch.org/ for almost 6 years now.
    During that time I have seen SIP continuously evolve to try to cover its own shortcomings, which all stemmed from the simple concept of "If we base it on HTTP, we can use proxies and never have to worry about media." Of course this is not true, and the amount of complexity that is put into each SIP device is much too great, which is probably why Cisco prefers its own lighter "skinny" protocol. Sadly they own Sipura and Linksys and have SIP on their devices using countless hacks that make interop a nightmare. I am sure you can do many of these same attacks on any brand of phone. There are much better reasons out there to curse Cisco for being involved in VoIP. =D

    1. Re:Working with SIP is never easy by Bookwyrm · · Score: 1

      Agreed. SIP is a particularly bad mess to deal with.

  10. A quick checklist by dachshund · · Score: 1

    1. Does your system use software?
    2. Is it connected to a network, or does it have any kind of outward-facing attack surface?
    3. Is it an embedded system?
    4. Is it based on Windows?
    5. Is it based on another commercial OS?
    6. Does it use a significant number of standard libraries?
    7. Is it proprietary, or has it /not/ been subject to significant public attack/repair/analysis?
    8. Does it handle any kind of sensitive data, have a microphone that could overhear things, or is it connected to a network that has other kinds of sensitive data on it?

    If you answered 'yes' to question 8 and any one of the previous questions, then your system has a critical vulnerability that could lead to a total compromise. Finding that vulnerability will require varying degrees of effort, from 'almost none' to 'a year with a fuzzing framework and IDA'.

    If you answered yes to 3, 4 and 5, possibly 6, definitely 7, then it'll be closer to the easier side than the hard side.

    I work in the security industry, so perhaps I'm just a bit jaded. But I have to say that the novelty of these stories has worn off for me --- we could probably save everyone a lot of trouble by setting up a cron job that generates 'random system of the day has vulnerability' new stories.

    (And yes, I realize that it's important to keep vendors on their toes, etc. But this will be handled like every other story: a few holes will be patched, the vendor will brush off the concerns, and it'll be business as usual.)

    1. Re:A quick checklist by Iam9376 · · Score: 1

      I agree. There is nothing new here and the reactions seen in the comments are precisely why I cannot frequent this site anymore.

  11. Misleading... by Anonymous Coward · · Score: 0

    The article says that this exploits the web access on the IP phones. Also, there are several references to it having to be 'out-of-the-box.'

    IP phones registered to CUCM automatically upgrade the firmware to what matches the CUCM device pack. All recent firmware releases (9.x) have webAccess disabled by default, and that firmware is used for recent CUCM 7.1 and 8.0 releases. And upgrading firmware on a cluster in bulk is a pretty quick/easy task.

    On top of that, the attacker would need to be in the LAN (assuming the presence of a FW at the border of the network) and on a network route-able to the voice network.

    I'm not saying it isn't a concern, but this is less of an issue than the article makes it seem.

  12. Specifics on the exploits? Original source? by corerunner · · Score: 1

    I read the article and it provides no details on the exploit(s). How are we supposed to know if a system is vulnerable, let alone what configuration changes are required to harden security? The article links to the original Slashdot submission, which links to the article... which came first, and where is the original source?

    --
    "Don't hate the media, become the media." -Jello Biafra

  13. Summary is misleading by bsquizzato · · Score: 1

    There's no details about anything in that article. Aside from the single picture of one 7975 phone showing RickRolled, it doesn't list vulnerable phone models at all. (Also strange is that the 7975 is a model that doesn't handle video calls on the phone itself, so I'm not sure how a video is playing on it). Despite that, the summary here on Slashdot tells everyone that Cisco's 7900 series of phones is vulnerable with the link given for its "Latest IP Phones". There's more models of phones that Cisco makes ... 3900 series, 500 series, 8900 series, 9900 series, 6900 series to name a few more (http://www.cisco.com/en/US/products/sw/voicesw/products.html#N4FD791). Of those, the 7900 is not the newest.

    At least pull your facts from the article, please.

  14. "recommended security requirements." by Anonymous Coward · · Score: 0

    Are these recommendations? or requirements?

  15. This is very old by MobyDisk · · Score: 3, Interesting

    Cisco IP phones are not designed to be secure out of the box. They periodically connect to an unsecured FTP site to download firmware and unencrypted password text files. They use DHCP to determine the FTP site and the phone directory. The phones accept remote commands that allow you to control them: push any button, dial calls, turn on/off the speakerphone, etc. Back in 2005 I worked in an office and we had fun telnetting to each other's phones and making them quack or display funny messages or other such nonsense. The articles are light on details but it sounds like nothing has changed.

    1. Re:This is very old by Anonymous Coward · · Score: 1

      I had great fun in medical residency on slow days making the (completely unsecured) Cisco IP phones burp, fart, talk, scream, etc., in the hospital. Of course, this same hospital was dependent on portable communications (cordless IP phones, etc) secured with WEP. Of course, anyone with an iPod in their pocket could shut the entire thing down just by spamming control packets. At one point, I had my laptop in my call room and fired up Backtrack to sniff the network. By 9AM I'd cracked every one of their wireless networks and was sniffing the packets.

      Of course, they also used a Vocera system (also using 802.11), the administrative interface of which was secured...by an IP address. That's right: They didn't change the password, and you could go through the diagnostics on one of the Voceras, get the IP for the server, and plug it right into a web browser.

      Geniuses, they were.

      Posted as an AC for obvious reasons.

  16. So what's the story? by pathological+liar · · Score: 1

    VoIP systems can be compromised/abused? I intercept calls at work ("... for quality assurance and monitoring purposes ..."); if that system was compromised someone could certainly demonstrate call interception on a two-bit Asterisk/Polycom setup too.

  17. What is the attack?? by Anonymous Coward · · Score: 0

    I read TFA and there is no mention of what the attack is. As someone who actually works in this field as a Cisco VAR for Telephony, we have all known for a long time how to make a bug on a line, if you are the sys admin of the Communication Manager server. However, that is more like core functionality of the system.

    Imagine you need to old school push button to talk to your secretary (I said old school). You could do this on any phone that has an unused line by setting it up with No Label and Auto Answer true. I do not see how this is going to be done remotely unless they know the admin password. That is usually only stored in the DC on a post note on that server, so it is hard to guess.

  18. bug or feature. by Anonymous Coward · · Score: 0

    Here is the question though. Is this actually a bug, or a feature for other groups of people?

  19. Lacking Perspective by Iam9376 · · Score: 1

    Sounds to me you've not worked on UCM recently, if at all.

    Call Forward No Coverage.

    LCR (from the very beginning):
      1. Create a Route Group containing the gateway or trunk device for the site you are configuring LCR
      2. Create a Route List containing the previously created Route Group
      3. Create a Route Pattern for the LCR pointing to the Route List previously created

    That's all.

    Cisco's Unified Communications Manager platform is extraordinarily well built once you move past version 7.1.3 (6 was a solid, but 7 introduced logical routing and other important features). Yes it is expensive. But it is robust, stable and the pool of knowledgeable engineers can't be denied; if you don't understand the immediate value of that I've wasted your time and mine. Lastly, before I end this rant, one word: support. Who do you call for support at 10pm for your Asterisk box? Sure, some companies provide support, but not on the same level Cisco can provide.

    plus net outages don't make a satellite office useless unlike a centralized Cisco setup.

    I am now certain you either have no experience with Cisco's UC platform or simply live with your head in the sand. The technology is called Survivable Remote Site Telephony (SRST).

    Comparing Asterisk to Cisco's UCM is disingenuous as they have entirely different markets with different requirements.

    The simple fact of the matter is you don't deploy Asterisk if you can afford UCM (if you can afford it, you're likely large enough to benefit from it).

    So, to recap:
    -Enterprises need support. They need it yesterday when problems arise.
    -Knowledgeable engineers to support and maintain the solution.
    -UCM was built to scale. I'm talking 300 sites, 150,000 end points, 12 call processing agents (termed Super Cluster when you have more than 8), numerous MoH/TFTP servers and the like. This is easily possible with CUCM, and it's extremely stable.
    -The platform is easily extended to Presence, WebEx, Contact Centers, Attendant Consoles, and numerous 3rd party applications.
    -Cisco has another advantage which no other company in the world can claim: They own the network. That means a fully integrated solution, from the switch to the handset, and the numerous benefits that entails.

    An aside, of the clients I have personally migrated from Asterisk (of which there are 4), none had more than 5,000 end points.

    Please acquire some perspective before you go around baselessly besmirching the big bad corporation and their products, and please don't try to make an argument about the feature set differences. That's never the deciding factor with these two products.

    P.S: the virtual person you describe is available as a 3rd party solution.

    Well, that turned out longer than I intended; apologies, as I could keep going on and on about this subject.

  20. Not the first time by Anonymous Coward · · Score: 0

    I discovered a similar weakness that could bring down the call center with a few lines of VXML code. It crashes the router. I discovered it by accident while programming an IVR app. I reported it to no less than 3 TAC engineers and 2 TAC managers but they said that since my code was in development and not production that they wouldn't even start a ticket. It's not a bug if it is not in production, they told me.

  21. Not necessarily all bad by Geminii · · Score: 1

    Could it be used against telemarketers? Please?