Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping
Bismillah writes: Cisco has confirmed that its SPA300 and SPA500 are vulnerable to remote eavesdropping and dialing, and is working on a patch. Meanwhile, the advice is not to have the phones on internet-facing connections. From the article: "Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5. An attacker can send a specially crafted Extended Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams. Successful exploits could be used to conduct further attacks, Cisco warned. Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low 'harassment' severity rating."
> Normally, your phone is not reachable by the public network; the attacker has to be within the LAN to send an XML packet to your phone
Thanks for the clarification. So "within the LAN" as in "my smart TV, which is acting on behalf of the vendor anyway", or "my laser printer, which can be subverted with this little PDF"?
So technically you're right, and thanks for the info, but relying on this classical "inside: all friends; outside: the evil" is a bit unrealistic these days, where your food processor is waiting to become the next attack bridgehead due to some murky flash vulnerability.
I think it's the damned responsibility of those appliance vendors towards their customers to own up to each of those vulns and to do their best to fix 'em instead of having some PR Department blowing hot air in the general direction of their customers.
"Hiding" the phones among the IPv6 ranges is just stupid and not "security" at all (literally, security by obscurity!).
Even then, chances are that there's a range of consecutive IPs and just block-scanning through the IPs at random (say, scan every sensible address suffix because most people will start them on something sensible) will narrow it down quite quickly before you'll notice anything's happened. And chances are that most people will split at the usual boundaries, use the same IPv6 range (or the next one up) as their web servers are on, etc.
As stated above, the phones themselves have NO need to be on a public network. Push them through a VPN or similar if you really must but they should be on their own VLAN anyway (so you can QoS them properly and easily) and they shouldn't require direct access to the Internet anyway (the voice gateway is another matter that's separately handled).
But, better, stop buying, producing and selling devices that have debug interfaces that let you do ANYTHING on the device, remotely, without authentication. Because that's so dumb it's orders of magnitude more dumb than trying to hide your IP ranges in an IPv6 haystack.