Avaya to Patch Zero Days That Turn IP Phone into Radio Transmitters

Avaya is expected to patch zero-day vulnerabilities in its latest one-X IP phones. The vulnerabilities and an exploit will be demonstrated this week at RSA Conference 2014.

SAN FRANCISCO — Two zero-day vulnerabilities in Avaya’s latest one-X 9608 IP telephones have been discovered and are expected to be patched on Friday by the provider.

Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, will demonstrate an exploit and provide details on the previously unreported vulnerabilities during a presentation, also on Friday at RSA Conference 2014.

Cui has previously discovered zero-days in other network enabled embedded devices. He said the Avaya bugs are remotely exploitable, the exploits are relatively simple, and potentially millions of phones are at risk (Avaya and Cisco are IP phone market share leaders).

“It will absolutely compromise the phone remotely,” Cui said. His presentation will include a demonstration of a worm he wrote that remotely exploits the bug and exfiltrates raw audio data by turning the circuit board into a radio transmitter.

“It will do real-time speech detection and transmit a text transcript,” Cui said.

Dr. Salvatore J. Stolfo, a director at Red Balloon and advisor at Columbia University where Cui is a Ph.D. candidate, said the phone will continue to function as intended, but will also be turned into a listening post.

“With the receiver on the hook, the phone will transmit over the network,” Stolfo said. “You can spy on someone in an office if you are able to inject malcode remotely.”

The exploit, Cui said, bypasses security appliances scanning for malicious outgoing network traffic. He said the same attack is applicable to other embedded network devices such as printers and routers.

Cui and Stolfo said an attacker would be able to pivot from other vulnerable embedded devices on the network as well, again eluding detection by IPS and other security technology. Cui’s worm, for example, begins with a printer exploit of a 2011 firmware vulnerability which replaces the existing code with malicious firmware. An attacker would need to entice the victim to print, for example, an attachment containing the embedded malicious firmware. Once executed, the malware establishes a backdoor and awaits commands; the attacker could scan for other embedded devices such as IP phones and routers listening on the same port.

More than a year ago, Cui demonstrated an attack against a Cisco VoIP phone that also turned it into a listening device. He was able to put code on the phone by installing—and then removing—an external circuit board from the Ethernet port on the phone. Then using his smartphone, Cui was able to spy through the phone even though its Off-Hook switch was enabled. Cui said he was also able to pull of the same attack remotely, without the need for physical access to the device.

Suggested articles