Following the recent disclosure of security holes in Cisco-branded VoIP phones, how can companies go about testing the security of VoIP phones, and specifically the Cisco-branded phones that were affected by this disclosure?
Ask the Expert!
Have questions about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)
The short-term outlook for VoIP phone security is pretty dim. The most notable of the recent Cisco IP phone vulnerabilities involves the exploitation of the speakerphone function, which is available in basically all of Cisco's VoIP phones. The vulnerability makes the phone act as an eavesdropping bug, recording all of the conversations within the immediate vicinity.
Shortly after these issues were discovered, Cisco released a patch in response to these vulnerabilities, but all indications are that the patch was ineffective. The problem lies in the firmware that Cisco IP phones utilize, along with the lack of validation system calls made to the kernel conduct. Simply put, malicious users can manipulate areas within the phone's operating system to access other areas within the same operating system to which they would normally not have access. A permanent patch will require rewriting the firmware, which will take some time to develop.
Until these vulnerabilities are mitigated, I would approach this problem from an overall intrusion standpoint. Basically, this involves increasingly more log monitoring, especially when it comes to any ports involved with VoIP. For example, monitoring UDP port 5060 would be a good place to start. Have one of your more experienced security professionals monitor your logs and look for any anomalies. I know. I know. This approach is highly unautomated, but until an effective patch is released, a certain amount of manual labor will be necessary to use VoIP phones in a safe fashion. At a minimum, before engaging in sensitive conversations when a VoIP phone is present, make sure that the speakerphone function has not been engaged.
This was first published in April 2013