Cisco VoIP Hacker Urges Closer Look at Firmware Security Vulnerabilities

Ang Cui’s “Funtenna” is just the latest eye-opener into the security of embedded networked devices such as printers, VoIP phones, routers and other core, connected infrastructure.

Ang Cui’s “Funtenna” is just the latest eye-opener into the security of embedded networked devices such as printers, VoIP phones, routers and other core, connected infrastructure.

The Columbia University PhD candidate’s recent hack of a Cisco-branded VoIP phone demonstrates the risk posed by ubiquitous, non-traditional endpoints running on vulnerable firmware that can be abused by an attacker. Such attacks are difficult to detect and remediate, and also can offer a malicious outsider persistent access to networked resources.

Cui’s hack, presented recently at the Amphion Forum in San Francisco, exploited a kernel-level vulnerability and gave him elevated privileges on a Cisco VoIP phone, essentially turning into a listening device. Cisco issued a patch for the device, but Cui and his advisor Salvatore J. Solfo said the patch was version specific and a slight modification made to the exploit could bypass the repair.

“The idea is that once you compromise the phone, to use the microphone to listen to what is going on in the room whether the phone is on the hook or not,” Cui told Threatpost. “Once you compromise the phone, you can use the phone as a general-purpose computer to attack other phones or devices on the network. It’s like a self-propagating worm that can attack a phone, printer, router, access points—all behind the firewall. The attacker has persistent presence on the network.”

Cui did a demonstration of the attack recently where he installed an external circuit board into the phone’s standard phone jack plug. The exploit was then transferred over Bluetooth from his smartphone to the Cisco phone’s file system, which restores the binary and executes the exploit, Cui said.

He added that he will demonstrate the same exploit, except this time remotely over a network, at an upcoming security conference.

“The remote attack doesn’t require attacking standard network service protocols,” Solfo said. “We are using them only because of the opportunity provided by them to reach the phone. Cisco has to figure out how to prevent this from happening.”

Cui said that unlike previous attacks against Cisco VoIP phones, this one enables kernel-level access.

“There’s no configuration change require, or a mistake on the part of the user,” Solfo said. “We are utilizing a mistake on the part of the vendor.”

Cui added that it’s possible that once an attacker has exploited such an embedded device, he could burn malware persistently onto the flash chips inside a device without it being reviewed and regardless of a patch.

Overall security measures for firmware and other embedded hardware vulnerabilities have notoriously been difficult to deal with. Traditional signature-based detection won’t work, experts say, because updating a signature database isn’t feasible with firmware.

Cui and Solfo have developed a countermeasure they call Symbiote, security software that is embedded into the firmware. Symbiote dynamically and continuously checks whether the firmware has been rewritten.

“The only way to defend them is to ensure the firmware has not changed in any way,” Solfo said. “This is a more generic whitelisting approach.”

Solfo said he and Cui have started a company and already have a government contract to develop technology that can inject Symbiote into aribitrary firmware.

“It’s really important to look under the covers with embedded firmware,” Solfo said. “The approach of others is compiling encryption libraries into firmware, which does nothing. Antivirus needs to be updated routinely; how do you do that with a phone or a printer? There’s no infrastructure to do this.”


Suggested articles

Gang Up on the Problem, Not Each Other

The security community often thrives on controversy, but when it comes to vulnerability disclosures in life-saving medical devices, ego and attention-grabbing must be put aside.

12 Million Home Routers Vulnerable to Takeover

Check Point has disclosed few details on a cookie vulnerability in the RomPager webserver running inside 12 million embedded devices. The flaw puts home routers at risk to attack.