Why are Cisco VoIP phones so hackable?
Here's Bjoern Rupp, the CEO of GSMK Cryptophone, explaining why Cisco VoIP phones are such a profitable target for the law-breaking community.
Modern VoIP phones are specialised computers that just happen to look like phones. So they can be attacked at many different points, ranging from the communication protocols to planting trojan horses in the devices' operating software. It's laptops and desktop PCs all over again.
In their AusCERT lecture, Chris Gatford and Peter Wesley focus a lot on problems specifically associated with Cisco phones and the Cisco Call Manager software. But the underlying problems affect most other VoIP phones, too.
Take protocols. The SIP protocol used by most current VoIP systems is very complex with a huge software footprint and a multitude of extensions and add-ons that pose exploitable security risks. In addition, many corporate VoIP systems conduct few authentication checks. So it's possible for an attacker to re-route traffic by means of, for example, ARP flood attacks on IP switches or by assigning false subnet masks and router addresses.
On the device side, most modern VoIP phones can be maliciously re-programmed and exploited. Programme code in the phones can be remotely updated and modified, enabling an attacker to remotely control a phone, e.g. by using it as a tool to bug a conference room.
Can I do it? Or do you need specialist knowledge and equipment?
You can certainly do it, especially if your local IT system administrator did not pay much attention to VoIP-related security issues. Apart from a regular desktop computer, no special equipment is required. A certain extent of specialist knowledge is, however, very helpful if you were to exploit the full spectrum of VoIP phone vulnerabilities.
What damage can be done?
Just imagine the damage if you could control all phones in a given organisation - almost everything is possible, from disclosing confidential phone calls, turning phones in conference rooms into fully-equipped bugging equipment, telephone fraud, to crashing the local switch and removing all traces of the intrusion.
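One way a network defender can watch for the ARP-based re-routing Rupp mentions (an attacker answering ARP for the VoIP gateway so that phones send call traffic through his machine). This is an added example, not code from the interview or from GSMK; the ARP replies and the gateway address 10.0.0.1 are constructed sample data.

```python
# Added example: flag ARP replies that rebind the VoIP gateway's IP to a new MAC,
# and flag bursts of ARP replies from one MAC (the "ARP flood" used to overwrite caches).
from collections import defaultdict

# Constructed sample capture: (timestamp_seconds, sender_ip, sender_mac).
# 10.0.0.1 is the assumed default gateway the phones route calls through.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),  # legitimate gateway
    (1.0, "10.0.0.50", "bb:bb:bb:bb:bb:50"),  # an ordinary phone
    (2.0, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),  # gateway IP now claimed by a new MAC
    (2.1, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),
    (2.2, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),
    (2.3, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),
    (2.4, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),
    (2.5, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),
]

def analyse_arp(replies, window=1.0, flood_threshold=5):
    """Return a list of alert strings for a sequence of ARP replies.

    Check 1: an IP answered for by a MAC other than the one first seen for it
             (the first binding is treated as authoritative; each conflicting
             MAC is reported once).
    Check 2: at least `flood_threshold` replies from one MAC inside `window`
             seconds (reported once per MAC).
    """
    bindings = {}               # ip -> first MAC seen for that IP
    conflicts_seen = set()      # (ip, mac) pairs already reported
    recent = defaultdict(list)  # mac -> timestamps within the sliding window
    flooded = set()
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.setdefault(ip, mac)
        if known != mac and (ip, mac) not in conflicts_seen:
            conflicts_seen.add((ip, mac))
            alerts.append(f"binding change: {ip} was {known}, now {mac}")
        recent[mac] = [t for t in recent[mac] if ts - t <= window] + [ts]
        if len(recent[mac]) >= flood_threshold and mac not in flooded:
            flooded.add(mac)
            alerts.append(f"arp flood: {mac} sent {len(recent[mac])} replies in {window}s")
    return alerts

if __name__ == "__main__":
    for line in analyse_arp(SAMPLE_ARP_REPLIES):
        print(line)
```

On the sample data this reports one binding change for 10.0.0.1 and one flood from the new MAC; a clean capture produces no alerts.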
This was first published in May 2011