Answer

How to review VoIP phone security amid Cisco IP phone vulnerabilities

Following the recent disclosure of security holes in Cisco-branded VoIP phones, how can companies go about testing the security of VoIP phones, and specifically the Cisco-branded phones that were affected by this disclosure?

    Requires Free Membership to View

Ask the Expert!

Have questions about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)

The short-term outlook for VoIP phone security is pretty dim. The most notable of the recent Cisco IP phone vulnerabilities involves the exploitation of the speakerphone function, which is available in basically all of Cisco's VoIP phones. The vulnerability makes the phone act as an eavesdropping bug, recording all of the conversations within the immediate vicinity.

Shortly after these issues were discovered, Cisco released a patch in response to these vulnerabilities, but all indications are that the patch was ineffective. The problem lies in the firmware that Cisco IP phones utilize, along with the lack of validation system calls made to the kernel conduct. Simply put, malicious users can manipulate areas within the phone's operating system to access other areas within the same operating system to which they would normally not have access. A permanent patch will require rewriting the firmware, which will take some time to develop.

Until these vulnerabilities are mitigated, I would approach this problem from an overall intrusion standpoint. Basically, this involves increasingly more log monitoring, especially when it comes to any ports involved with VoIP. For example, monitoring UDP port 5060 would be a good place to start. Have one of your more experienced security professionals monitor your logs and look for any anomalies. I know. I know. This approach is highly unautomated, but until an effective patch is released, a certain amount of manual labor will be necessary to use VoIP phones in a safe fashion. At a minimum, before engaging in sensitive conversations when a VoIP phone is present, make sure that the speakerphone function has not been engaged.

This was first published in April 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: