Friday, November 30, 2007

Eavesdropping Is Possible On Cisco IP Phones

Cisco confirms that an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream. This ability can be exploited to perform a remote eavesdropping attack. All Cisco IP Phones that support the Extension Mobility feature are vulnerable.

For this attack to be possible, several conditions need to be satisfied:

  • The internal web server of the IP phone must be enabled. The web server is enabled by default.
  • The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
  • The attacker must possess or obtain valid Extension Mobility authentication credentials.

Extension Mobility authentication credentials are not tied to individual IP phones. Any Extension Mobility account configured on an IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack.

To obtain Extension Mobility authentication credentials, an attacker needs physical access to the network to sniff them. This can be accomplished by inserting a sniffing device between an IP phone and its switch port.

Before eavesdropping can occur, the user who is logged in to the IP phone via Extension Mobility must first be logged off the IP phone. This can be accomplished by sending an Extension Mobility logout message to the IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server.

If exploitation is successful, any IP phone that is undergoing an eavesdropping attack will have its speaker phone status light enabled, and the phone will display an off-hook icon that indicates an active call is in progress. Internal testing by Cisco also revealed that the described attack produced static noise on the IP phone while it was under attack.

Workarounds

The following workarounds prevent this attack:

  • Disable the internal web server on IP phones.
  • Disable the Extension Mobility feature on IP phones.
  • Disable the speaker phone / headset functionality on IP phones.

This attack can also be mitigated by restricting access to the internal web server of IP phones (TCP port 80) using an access control list (ACL).
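
A sketch of such an ACL in Cisco IOS syntax, added here as an example and not taken from Cisco's response. The voice subnet 10.20.0.0/24, the permitted host 10.10.0.5 (for example, a management station), the ACL name and the interface are assumptions to replace with your own values.

```cisco
! Added example; every address, name and interface below is an assumed value.
ip access-list extended PHONE-WEB-RESTRICT
 remark Allow the assumed management host to reach the phones' web server
 permit tcp host 10.10.0.5 10.20.0.0 0.0.0.255 eq 80
 remark Block and log all other access to TCP port 80 on the voice subnet
 deny   tcp any 10.20.0.0 0.0.0.255 eq 80 log
 remark Leave all other traffic to the phones unaffected
 permit ip any any
!
! Applied outbound on the routed interface of the voice VLAN (assumed Vlan20),
! so it filters traffic that is routed toward the phones.
interface Vlan20
 ip access-group PHONE-WEB-RESTRICT out
```

An ACL on a routed interface does not filter traffic between hosts inside the voice VLAN itself, so it complements the workarounds above and does not replace them.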

For more information about Cisco-recommended best practices for securely deploying Cisco Unified IP Phones, see the following link:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008085f858.html#wp1045452

Cisco Response

This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007 security conference by Joffrey Czarny of Telindus regarding a technique to remotely eavesdrop using Cisco Unified IP Phones.

The original report is available at the following link:

http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf

We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.

This Cisco Security Response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml
