Columbia University engineers have discovered a major vulnerability in many VoIP phones – used widely around the world by governments, banks and major corporations.
They say it’s easy to insert malicious code into a Cisco VoIP phone and start eavesdropping on private conversations — not just on the phone but also in the phone’s surroundings — from anywhere in the world.
“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications,” says computer science professor Salvatore Stolfo.
“It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones — they are not secure.”
The team says that an analysis of the phones’ firmware showed many vulnerabilities. If a hacker can gain access to an IP phone, they say, it’s possible to rewrite its software within seconds. It’s then possible, for example, to eavesdrop on calls or turn on the phone’s webcam.
Cisco has since released a patch to repair these vulnerabilities – but the team says it doesn’t work. “It doesn’t solve the fundamental problems we’ve pointed out to Cisco,” says doctoral candidate Ang Cui.
But the team has its own solution: Software Symbiotes, designed to safeguard embedded systems from malicious code injection attacks.
“This is a host-based defense mechanism that’s a code structure inspired by a natural phenomenon known as symbiotic defensive mutualism,” says Cui. “The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defenses.”
“We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”