Computer scientists find vulnerabilities in Cisco VoIP phones
Columbia Engineering Computer Science PhD candidate Ang Cui and Computer Science Professor Salvatore Stolfo have found serious vulnerabilities in Cisco VoIP (voice over Internet protocol) phones, devices used worldwide by a wide range of networked organizations, from governments to banks to large corporations, and beyond. In particular, they have found security breaches that concern Cisco VoIP phone technology. At a recent conference on the security of connected devices, Cui demonstrated how malicious code can be inserted into a Cisco VoIP phone (any of the 14 Cisco Unified IP Phone models) and used to spy on private conversations, not only on the phone but also in the area around the phone, from anywhere in the world.
"There are only Cisco phones at risk. All VoIP phones are particularly problematic as they are everywhere and reveal our private communications," says Stolfo. "It is relatively easy to penetrate any corporate phone system, any government phone system, any house with Cisco VoIP phones - they are not safe."
Cui and Stolfo analyzed the phones' firmware (the software that runs on the computer inside the phone) and were able to identify many vulnerabilities. They are particularly concerned with embedded systems that are widely used and networked, including over the Internet, such as VoIP phones, routers and printers, and have focused their research on developing new advanced security technologies to protect these systems.
"Binary firmware analysis is commonly used to identify faulty software by 'white hat' hackers and by scientists and security researchers like our team," says Stolfo. "We conducted this analysis to demonstrate a defense technology, software called Symbiotes, which protects them from exploitation."
Symbiote software is designed to protect embedded systems, including routers and printers, from malicious code injection attacks.
"This is a host-based defense mechanism, a code structure inspired by a natural phenomenon known as defensive symbiotic mutualism," said Cui. "The Symbiote is especially suitable for reinforcing legacy embedded systems with sophisticated host-based defenses."
The researchers see these Symbiotes as a sort of digital life form that coexists with arbitrary executables in a mutually defensive arrangement. "They draw computing resources (CPU cycles) from the host while at the same time protecting the host against attacks and exploitation," said Cui. "And, because they are so diverse in nature, they can provide self-protection against direct attack by adversaries that directly affect host defenses."
"We envision an architecture for general-purpose computing systems consisting of two mutually defensive systems, with an embedded Symbiote machine that is autonomous, distinct and unique to each instance of a host program," says Stolfo. "The Symbiote can reside within any arbitrary body of software, regardless of its place in the system stack. It could be injected into an arbitrary host in many different ways, while its code can be 'randomized' by a number of well-known methods."
The Symbiote, which the host requires at runtime in order to operate successfully, monitors the behavior of its host to make sure it is working properly and, if it is not, stops the host from doing damage. Removal or attempted removal of the Symbiote renders the host inoperable.
"The beauty of the Symbiote," Cui says, "is that it can be used to protect all types of embedded systems, from phones and printers to ATMs and even cars - systems we all use every day."
Cisco has since released a patch to fix these vulnerabilities, but it is ineffective. "It does not solve the fundamental problems we have pointed out to Cisco," said Cui. "I know of no solution to the systemic problem with the Cisco IP Phone firmware, except Symbiote technology or rewriting the firmware. We intend to demonstrate a Symbiote-protected Cisco IP Phone at an upcoming conference."
Research carried out by Stolfo and Cui was funded by DARPA (Defense Advanced Research Projects Agency), IARPA (Intelligence Advanced Research Projects Activity), and DHS (Department of Homeland Security).