Researchers Convert Phones Into Secret Listening Devices

CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"

AND THIS IS NEW ??

This is not new !!

Re: In other words

A root privileges exploit provided him with root privileges. All our base are belong to cell phones + sudo.

why

Because he's BatMan!

Person Of Interest

[evilsofa]

Don't worry, Harold and John will stop listening when you get hot and heavy with your date.

Physical access?

[cloudmaster]

As part of the demonstration, Cui inserted and removed a small external circuit board from the phone's Ethernet port

Seems like it'd be easier to just slap a traditional bug under the filing cabinet if you're going to need physical access anyway. And maybe leave behind a hardware keylogger while you're at it. Possibly also an annoyatron. :)

Re:Physical access?

[hidden]

I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.

Re:Physical access?

[net28573]

Concerning the likelihood as to whether or not it would matter to anyone personally or allow the culprit to be identified: Most hardware keyloggers leave no personally identifiable information aside from scannable memory partitions however, in order to access those partitions you need to know a key combo. Without the key combo...you might as well have nothing, you also have to be aware that it is a keylogger in the first place before anything else. Who honestly checks their usb/ps2 ports more than once a week every week for the occasional tinkering?

Re:Physical access?

[hawguy]

I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.

Besides, when you use the phone as your bug, you don't need to worry about a power source. Gaining entry to an office as a part of the janitorial company seems like a trivial exercise for someone determined to steal corporate secrets.

Of course, the drawback is that this would be trivial to detect with a simple IDS system: "Hey, why does the conference room phone keep sending data to a Verizon Wireless IP address?". While a traditional bug would require an RF sweep to find it - and if it saves up conversations and sends them out in a short burst, it can be nearly impossible to find without constant surveillance.

Re:Physical access?

[khasim]

While a traditional bug would require an RF sweep to find it - and if it saves up conversations and sends them out in a short burst, it can be nearly impossible to find without constant surveillance.

No reason that could not be done in this situation as well.

The hacked phone sends the communications to a hacked workstation on the same LAN segment. They're stored until later.

Then they're sent out over the next day or so with the regular traffic disguised as an encrypted HTTPS stream.

Re:Physical access?

[maxwell+demon]

A cell phone is rarely tied to a room (like the conference room). Indeed, if the malware decides to send only at night, there's a good chance that the phone is lying somewhere near the bed of the employee, quite far from any corporate infrastructure which might be used to detect the transmission.

Re:Physical access?

[TheRaven64]

I saw the exploit demonstrated about a month ago (when it was still not yet public, but after Cisco had been told about it). It doesn't require physical access, but it does require you to be able to run something on the local network. (From slightly fuzzy memory:) The phones have some hard-coded settings which tell them about the correct server to use for getting the configuration data. They fetch this on every boot. Tripping a power circuit can cause the phones to reboot (I think they do every few days anyway, to get updates), and once you've done that then you've can use that phone to exploit the others. Getting root is simple, because the OS has a number of system calls that don't properly validate their arguments. Once you've done that, it's entirely a software bug, and it's in a system that is not designed for sysadmins to run code on, so your IDS probably won't catch it.

That said, in a sensible deployment, you should have the SIP phones on a separate VLAN and only allow them to send TFTP packets to the authorised boot server. In this configuration, the first step of the exploit won't work unless you previously pwn the boot server, the switch (and, let's face it, they probably run IOS, so it's not that hard...), or have physical access.

By the way, this is the same guy who previously discovered an exploit for a load of HP printers, allowing you to do things like have them email copies of any documents that are printed on them to some external site. He had quite a cute demo, which involved using a previously-pwned printer to hijack the phone network, so it's important to remember to have the phones and the printers on separate networks. And not to allow printers to connect to the outside world...

Re:Physical access?

There are cisco cell phones? I thought this was a nice attack on corporate VoIP infrastructure.

"When you're finished, ...

... just enter your name."

Preach it

[symbolset]

Your cell phone is a tracking device. It always has been and always will be. That it's also useful it how you're induced to carry a tracking device with you every where you go.

Re:Preach it

[maxwell+demon]

But is normally is not a listening device.

Now that exploiting a device with a microphone can turn it into a listening device isn't exactly new either (I remember having heard the same about ISDN phones quite some time ago). However that doesn't change the fact that there's still a huge gap between tracking and listening.

Re:Preach it

[symbolset]

Activating phones to eavesdrop predates cellular phones by several decades. By default rotary dial phones shared with the central office any sound within range. It was assumed that if you hadn't called a number the device was dead, but that was not so.

Re:Preach it

[maxwell+demon]

The rotary phones I knew mechanically disconnected the line when the cradle was pressed. Of course if you had removed the receiver from the cradle and still thought you were not connected anywhere just because you had not dialled a number, you were stupid. You just would have had to listen to it to know that it was connected to somewhere. Note that unpressing the cradle was not possible remotely. Of course someone might have physically modified the phone, but that's on the same level as installing a bug.

Also note that the ISDN phones I was speaking of weren't cell phones either. I don't think there's a wireless version of ISDN. They had not been rotary phones, though.

Re:Preach it

[symbolset]

I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.

Re:Preach it

Your cell phone is a tracking device. It always has been and always will be.

This story is not about cell phones. It is not and never will be. It is about SIP phones which are connected to a network, and in the case of this story where the attacker gains physical access to the device.

But I guess a 6 digit UID gets you ranked +2 even when you're trolling off-topic and mangling the English language.

Re:Preach it

But is normally is not a listening device.

Now that exploiting a device with a microphone can turn it into a listening device isn't exactly new either (I remember having heard the same about ISDN phones quite some time ago). However that doesn't change the fact that there's still a huge gap between tracking and listening.

Oh, how naive.

Any microphone in a room is a listening device for someone.

http://news.cnet.com/2100-1029-6140191.html

Re:Preach it

[symbolset]

I get +2 automatically because I have high Karma and I'm a subscriber. You get +1 for each of those. You could get the subscriber bonus for about $1/month. The high karma thing you have to work at. Karma is easier to get and lose though when all of your posts are +1 because you're a subscriber.

I could discount these in my settings, and I used to. Most subscribers with high Karma do, as they consider posting at 3 "shouting". If my Karma falls back to normal, I probably will do that. Once upon a time I had such bad Karma I was posting at -1. But I recovered.

I would still post just at 1, but the retarded sockpuppets and idiots do need shouting down with confidence. The price I pay for this is that I almost never get mod points.

Re:Preach it

[psmears]

I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.

I have done so, and what you say makes no sense. The old carbon microphones require a current flowing through them in order to produce any signal, and that current draw is what signals to the CO that the receiver is off-hook. Therefore the microphone has to be disconnected from the line when the phone is on-hook (or else the CO would see the phone as permanently off-hook) and that is indeed the case in actual phones.

Re:Preach it

[Hank+the+Lion]

I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.

OK, here is the schematic of the most widely used mechanical telephone in The Netherlands: the T65.
When the telephone is on hook ("hoorn"), only the ringer (bel) is connected to the line.
I really cannot think of another arrangement: the ringer voltage is high (100V?) so you don't want that appearing over your mic or speaker.
Please share with us the schematic of the phones you disassembled, or are you really a troll?

Re:Preach it

[symbolset]

Do you know the difference between a schematic and a device?

Re:Preach it

[leuk_he]

So if the ringer was ringing and you pick up the phone there might leak some of the 90 V signal into the microphone?

And did you consider what happens if you put a High frequency signal onto the line? Some of the signal might be affected by the condensator combined with the mic, and a usable signal might gotten of it.

There are some court cases where the police declares that the bad guys forgot to hang up the phone and thus could be listened on... but if that is what technically really happened is a big question.

Re:Preach it

[symbolset]

When the phone is on-hook a minor current is still flowing through it. This is enough for sensitive equipment to pick up the background sound in the room, and this mode of monitoring has actually been used in US court cases, as well as US intelligence gathering operations. It only works with old-school analog phones though.

Re:Preach it

[Dunbal]

You are arguing with a "conspiracy theorist". There is no sense in arguing with a lunatic, especially when your argument is based on "facts".

Re:Preach it

[Dunbal]

See? My point has been proven for me. The "schematic" is wrong, but the "real" phones are different. Didn't you know this? And if you manage to dissect a "real" phone that proves your point then of course you are guilty of tampering with it You did something to it to hide the evidence. In fact, you're one of THEM, aren't you?

Sorry for talking over you, symbolset, but I stopped speaking with the insane a while ago.

Re:Preach it

You didn't actually read the article you cited, did you? Cellphone != any microphone.

Re:Preach it

[symbolset]

Like I said, you're welcome to try any exemplar in the field and give it a go. It's not like you can't get them for $20 on eBay.

Re:Preach it

[Genda]

You may want to do a little research on "Passive HookSwitch Bypass Methods". Most require modifications to the phone itself, but not all, that is some of these methods can be accomplished between the phone and outside service line. Here's a quick list of the most common methods;

• Resistance/Capacitance Bypass
• Capacitance Bypass
• Spare Pair Bypass
• Spare Pair to Microphone Bypass
• Spare Pair to Earpiece Bypass
• Third Wire Bypass
• Ground Return Bypass
• Reversed-Biased Diode Bypass
• Neon Bulb Bypass
• Four-Layer Device
• Ringer
• Handset Wiring Change

Re:Preach it

[Hank+the+Lion]

That's what I expected.
My post was mainly intended for people who might believe his claims.
For them, maybe, facts would be helpful ;-)

Re:Preach it

[thomst]

Headline and summary are both misleading.

The exploit demonstrated is specific to Cisco VOIP phones. No other manufacturer's devices are affected.

Re:Preach it

[Jetra]

Let's see, Red Light Cameras, the recent Counter-terrorism unit getting all our private data, strict gun laws, and now this? I think we might be heading into a George Orwell 1984. All we need now is the censorship police and the removal of the first amendment and we can officially say he was right and that we should have expected this.

Re:Preach it

[2fuf]

Sounds very interesting, but unless you can link to transcripts or other documentation, referring to "court cases" and "intelligence operations" simply counts as weasel words.

Re:Preach it

I did a demonstration of "surreptitious listening device" on Nortel Unistim VoIP phones about 8 years ago. I "bugged" my boss' office to show that it wasn't just theoretical.

I think there was a similar issue with Cisco "Skinny" protocol phones as well at the time.

Re:Preach it

[N!k0N]

Let's see, Red Light Cameras, the recent Counter-terrorism unit getting all our private data, strict gun laws, and now this? I think we might be heading into a George Orwell 1984. All we need now is the censorship police and the removal of the first amendment and we can officially say he was right and that we should have expected this.

And here I figured the flyers saying "Thought Police are double-plus good" at the movie theater were just a joke (it's just a small local/indie place ... not out of the ordinary to have stuff along those lines)

Re:Preach it

[Hank+the+Lion]

Yes, I know the difference.
I have disassembled T65 telephones, myself, and I did not find any difference to the schematic I linked to.
That is why I asked you to post the schematic of the telephones you disassembled that were different.
Unless you can do so, and explain how a telephone off hook can be used to eavesdrop on you, you confirm my opinion that you are a troll.
A moderately competent one, I must say: I'm still feeding you...

Re:Preach it

[Hank+the+Lion]

So if the ringer was ringing and you pick up the phone there might leak some of the 90 V signal into the microphone?

That wouldn't be too good for the microphone.
The switches of the hook are there to prevent that.
They connect/disconnect in such an order that the telephone exchange is signalled that you pick up the receiver so the ringer signal is switched off before the speaker and mic are connected. I once had a telephone where this dis not work properly. When you picked it up at the exact moment of a ring, a loud buzzing sound came out of the earpiece. Not nice.

And did you consider what happens if you put a High frequency signal onto the line? Some of the signal might be affected by the condensator combined with the mic, and a usable signal might gotten of it.

If the receiver is on hook, both mic and speaker are completely disconnected, as you can see.
The capacitor is in series with the ringer, not with mic/speaker.
Please let me know from the schematic (the one I linked to, or another one if mine is not correct for the phone you have in mind) what exact signal pathway you have in mind. "Some of the signal might be affected" is too vague to be refuted or confirmed.

Re:Preach it

[psmears]

When the phone is on-hook a minor current is still flowing through it. This is enough for sensitive equipment to pick up the background sound in the room, and this mode of monitoring has actually been used in US court cases, as well as US intelligence gathering operations. It only works with old-school analog phones though.

Whether there's any current flowing at all will depend on the exact design of the telephone, of course (there wouldn't be any at all in the one I looked at). However, I'm sceptical that any sound could be reliably picked up at the CO: the magnitude of the signal current would likely be dwarfed by the level of background noise from interference etc... if this has been claimed in court cases it seems more likely to me that it's a cover story to hide the actual surveillance techniques used (e.g. modifying the phone / installing bugs / etc).

Re:Preach it

[psmears]

You may want to do a little research on "Passive HookSwitch Bypass Methods". Most require modifications to the phone itself, but not all, that is some of these methods can be accomplished between the phone and outside service line.

If you can modify the phone, it's easy, granted. If you can intercept the line between the phone and the outside line, then with the right design of telephhone there's a possibility you might get something audible. But the claim was that the sound is always relayed all the way to the CO; picking up such a tiny signal at that distance (over all the noise picked up along the way) seems implausible to me.

Re:Preach it

[fluffy99]

Earlier versions of the Cisco VOIP phone firmware allowed users associated with the phone to connect via http and instruct the phone to initiate a voice stream from the phone's mic to another ip address and eavesdrop. The only indication that the mic was active and the phone streaming was a small arrow on the screen. That's since been fixed so that the function starts the voice stream remotely but the phone is muted. This could also be done the other way to stream sounds to the speaker on the phone - I had a bit of fun with that :}

Totally ripped from Batman (prior art)

Totally saw this in a batman movie.

Prior art - totally saw this in a batman movie

Actually using fantasy and sci-fi movies and tv shows I can invalidate all apple patents as well.

Re:Prior art - totally saw this in a batman movie

I think there's some prior art on you comment. Troll harder

Re:Fuck you, Timothy

[wonkey_monkey]

Learn how to put your point across in a calm, reasonable manner, and people might start listening to you.

Re:Fuck you, Timothy

The point is to get to use the word 'fuck' on a public discussion board. Whether somebody listens is fairly irrelevant.

Holy guacamole !

Am I the only one thinking about the Dark Knight here ?

is anyone else having an issue with the link?

[rjr162]

On my phone here, and when I click the link the dark whatever domain appears briefly and tennis appears their page refreshes with this (screwed up) "url"
location: /133696/show/3fd8d00f6b22f3da5506ef43feaf8168/?

Re:is anyone else having an issue with the link?

[rjr162]

Then it became tennis by the magic of fat fingering an extra key and auto-correct!

Re:Fuck you, Timothy

[mrsquid0]

I have often thought that /. should automatically delete any AC post with a karma of -1. There is a potential for abuse, but it would get rid of many of the trolls very quickly.

Nothing new here.

Your cell phone provider hsas always had the ability to track you, and to activate your phone's mic to listen (even when your phone is "off"). Remember when Onstar operators were found out to have listened to conversations whenever they wanted? Onstar is just a built in cell phone. Before phones had GPS, the tracking was less accurate, but could still be done. Now that phones have cameras, they too can secretly actuvated and send pictures taken secretly to your cell provider. So you really are paying for quite a tracking device that can be used to spy on you in several ways.

And police can now download ALL of the info on your phone in less than a minute without a physical connection, and without a warrant if you are stopped for any reason. Some police and highway patrol forces do his routinely at all traffic stops. And you will never know until the day that info is used against you.

And no, I am not a conspiracy nut. Do some research and you will find its all true.

Guys, The Dark Knight was just a movie, right?

[fredmeister]

Right?!

The Dark Knight

Am I the only one getting Dark Knight deja vu from this story?? =P

Dark Knight, anyone?

[SilverBlade2k]

Seriously, did they look at the Dark Knight and say "Hey, that massively illegal cell-phone-Sonar concept was a good idea, lets look into it"