Researchers Convert Phones Into Secret Listening Devices

CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"

Physical access?

[cloudmaster]

As part of the demonstration, Cui inserted and removed a small external circuit board from the phone's Ethernet port

Seems like it'd be easier to just slap a traditional bug under the filing cabinet if you're going to need physical access anyway. And maybe leave behind a hardware keylogger while you're at it. Possibly also an annoyatron. :)

Re:Physical access?

[hidden]

I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.

Re:Physical access?

[hawguy]

I dunno. Not leaving any hardware behind to be discovered seems like it might have SOME value.

Besides, when you use the phone as your bug, you don't need to worry about a power source. Gaining entry to an office as a part of the janitorial company seems like a trivial exercise for someone determined to steal corporate secrets.

Of course, the drawback is that this would be trivial to detect with a simple IDS system: "Hey, why does the conference room phone keep sending data to a Verizon Wireless IP address?". While a traditional bug would require an RF sweep to find it - and if it saves up conversations and sends them out in a short burst, it can be nearly impossible to find without constant surveillance.

Re:Physical access?

[TheRaven64]

I saw the exploit demonstrated about a month ago (when it was still not yet public, but after Cisco had been told about it). It doesn't require physical access, but it does require you to be able to run something on the local network. (From slightly fuzzy memory:) The phones have some hard-coded settings which tell them about the correct server to use for getting the configuration data. They fetch this on every boot. Tripping a power circuit can cause the phones to reboot (I think they do every few days anyway, to get updates), and once you've done that then you've can use that phone to exploit the others. Getting root is simple, because the OS has a number of system calls that don't properly validate their arguments. Once you've done that, it's entirely a software bug, and it's in a system that is not designed for sysadmins to run code on, so your IDS probably won't catch it.

That said, in a sensible deployment, you should have the SIP phones on a separate VLAN and only allow them to send TFTP packets to the authorised boot server. In this configuration, the first step of the exploit won't work unless you previously pwn the boot server, the switch (and, let's face it, they probably run IOS, so it's not that hard...), or have physical access.

By the way, this is the same guy who previously discovered an exploit for a load of HP printers, allowing you to do things like have them email copies of any documents that are printed on them to some external site. He had quite a cute demo, which involved using a previously-pwned printer to hijack the phone network, so it's important to remember to have the phones and the printers on separate networks. And not to allow printers to connect to the outside world...

Re:Preach it

[maxwell+demon]

But is normally is not a listening device.

Now that exploiting a device with a microphone can turn it into a listening device isn't exactly new either (I remember having heard the same about ISDN phones quite some time ago). However that doesn't change the fact that there's still a huge gap between tracking and listening.

Re:Preach it

[maxwell+demon]

The rotary phones I knew mechanically disconnected the line when the cradle was pressed. Of course if you had removed the receiver from the cradle and still thought you were not connected anywhere just because you had not dialled a number, you were stupid. You just would have had to listen to it to know that it was connected to somewhere. Note that unpressing the cradle was not possible remotely. Of course someone might have physically modified the phone, but that's on the same level as installing a bug.

Also note that the ISDN phones I was speaking of weren't cell phones either. I don't think there's a wireless version of ISDN. They had not been rotary phones, though.

Re:Preach it

[symbolset]

I get +2 automatically because I have high Karma and I'm a subscriber. You get +1 for each of those. You could get the subscriber bonus for about $1/month. The high karma thing you have to work at. Karma is easier to get and lose though when all of your posts are +1 because you're a subscriber.

I could discount these in my settings, and I used to. Most subscribers with high Karma do, as they consider posting at 3 "shouting". If my Karma falls back to normal, I probably will do that. Once upon a time I had such bad Karma I was posting at -1. But I recovered.

I would still post just at 1, but the retarded sockpuppets and idiots do need shouting down with confidence. The price I pay for this is that I almost never get mod points.

Re:Preach it

[psmears]

I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.

I have done so, and what you say makes no sense. The old carbon microphones require a current flowing through them in order to produce any signal, and that current draw is what signals to the CO that the receiver is off-hook. Therefore the microphone has to be disconnected from the line when the phone is on-hook (or else the CO would see the phone as permanently off-hook) and that is indeed the case in actual phones.

Re:Preach it

[Hank+the+Lion]

I'm guessing you never disassembled one to see how it actually worked. I did. Go ahead and find an exemplar and give it a go.

OK, here is the schematic of the most widely used mechanical telephone in The Netherlands: the T65.
When the telephone is on hook ("hoorn"), only the ringer (bel) is connected to the line.
I really cannot think of another arrangement: the ringer voltage is high (100V?) so you don't want that appearing over your mic or speaker.
Please share with us the schematic of the phones you disassembled, or are you really a troll?

Re:Preach it

[Genda]

You may want to do a little research on "Passive HookSwitch Bypass Methods". Most require modifications to the phone itself, but not all, that is some of these methods can be accomplished between the phone and outside service line. Here's a quick list of the most common methods;

• Resistance/Capacitance Bypass
• Capacitance Bypass
• Spare Pair Bypass
• Spare Pair to Microphone Bypass
• Spare Pair to Earpiece Bypass
• Third Wire Bypass
• Ground Return Bypass
• Reversed-Biased Diode Bypass
• Neon Bulb Bypass
• Four-Layer Device
• Ringer
• Handset Wiring Change

Re:Preach it

[thomst]

Headline and summary are both misleading.

The exploit demonstrated is specific to Cisco VOIP phones. No other manufacturer's devices are affected.