Network-enabled devices such as routers and printers are notoriously insecure and fully exploitable gateways leading attackers toward network resources. A researcher and PhD student at Columbia University recently added VoIP phones to the list of pressing concerns.
Ang Cui demonstrated an attack against a Cisco-branded phone where he was able to put code on the phone by installing—and then removing—an external circuit board from the Ethernet port on the phone. Then using his smartphone, Cui was able to turn the phone into a listening device even though the phone’s Off-Hook switch was enabled.
Cui said he was also able to pull off another exploit, this time remotely, with similar results and without the need for physical access to the phone. Cui said the circuit board attack could easily and quickly be done by someone with physical access. He added that the compromise of one phone would put an organization’s network of phones at risk.
Cisco said the issue was patched in November (Bug ID: CSCuc83860).
“We can confirm that workarounds and a software patch are available to address this vulnerability, and note that successful exploitation requires physical access to the device serial port, or the combination of remote authentication privileges and non-default device settings,” Cisco said in a statement.
Cui demonstrated the attack at the recent Amphion Forum in San Francisco. He went down this road after a similar project with network-connected laser printers called Project Gunman. Cui was able to hack the printer’s firmware update and add malicious code. The code enables remote compromise of the printer inside the firewall; an attacker could steal documents without needing to physically be in the same building as the printer.
Cui said he could also use the printer as a launch pad for other network attacks.
Cui, who has also demonstrated other research on embedded devices, said that traditional security measures are not built into these network-enabled devices, making them attractive targets. Recently, US-CERT warned users of certain Samsung and Dell printers that a hardcoded password had been discovered. Attackers could use this built-in authentication to remotely hack into an organization. The attacker could also modify printer configurations and access device or network information, device credentials and anything else passed to the printer.