Unified Communications Industry News

TMCNet:  Security Researcher Demonstrates Enterprise VoIP Phone Hack at Recent Amphion Forum

[December 12, 2012]

SAN FRANCISCO --(Business Wire)--

During the recent Amphion Forum, a conference where device and mobile security experts from different disciplines gather, Ang Cui, a fifth-year grad student from the Columbia University Intrusion Detection Systems Lab, demonstrated how connected devices such as networked printers and voice-over-IP (VoIP) phones can be easily hijacked to give intruders virtually unlimited remote access to extremely sensitive information and allow them to eavesdrop on private conversations. The Amphion Forum is hosted by Mocana, a leader in device and mobile security.

Using a common Cisco-branded VoIP phone, Cui inserted and then removed a small external circuit board from the phone's Ethernet port (something Cui asserted could be easily accomplished by a company visitor left unattended for a few seconds) and started using his own smartphone to capture every word spoken near the VoIP phone, even though it was still 'on-hook.' While he did not specify the precise vulnerability, Cui said it allowed him to patch the phone's software with arbitrary pieces of code, and that this allowed him to turn the Off-Hook Switch into what he called a "funtenna." According to Cui, once one phone is compromised, the entire network of phones is vulnerable. Cui later said he could also perform a similar exploit remotely, without the need to insert a circuit board at all.

The vulnerability Cui demonstrated was based on work he did over the last year on what he called 'Project Gunman v2', where a laser printer firmware update could be compromised to include additional, and potentially malicious, code. With this, it becomes possible to remotely compromise a printer located within the organization's firewall and eavesdrop on documents being printed or stored, without ever setting foot on the premises. The compromised printer could then be used to launch other attacks on the internal network. The demonstration at the Amphion Forum in San Francisco took such an attack even further.

Cui pointed out that current security solutions don't work with embedded systems like VoIP phones and printers, and that code signing isn't enough. "Signing files doesn't make the files secure," Cui said.

He also said that routers, printers and phones are general-purpose computers without host-based intrusion systems or antivirus protection built in, so they make attractive targets. Further, they often lack encryption for data in motion or at rest.

Cui's research was carried out as part of a DARPA CRASH (from the I2O office) and IARPA Stonesoup Program, and he recently briefed agencies of the U.S. federal government about the potential for a serious attack on all its Cisco Unified VoIP phones.

"The VoIP phone vulnerability demonstrated at the Amphion Forum was a stark reminder of the need to address the device security mess. The sad fact is that most devices connected to corporate networks, like printers and VoIP phones, are almost totally unsecured," said Kurt Stammberger, CISSP, vice president of market development at Mocana and chair of the Amphion Forum. "The Amphion Forum is a unique event where thought leaders from academia, business, government and technology can gather to discuss the threats and opportunities presented by the unprecedented proliferation of mobile and connected devices that are creating the Internet of Things."

The Amphion Forum was founded to provide a medium for stakeholders in the smart device economy to share solutions and forge a clear direction for the future of the Internet of Things. The most recent event was held in San Francisco on December 5 and attracted more than 350 participants and thought-leader presenters, making it the largest and most successful Amphion event since it was founded in 2011. Event organizers believe that by fostering a World Economic Forum-type environment, where big thinkers can share ideas for some of the most pressing issues facing the global device infrastructure, safer medical electronics, increased energy security and more secure industrial automation. For more information on the Amphion Forum, please visit www.amphionforum.com.

About Mocana

Launched in 2004 and recognized by the World Economic Forum as a 2012 Technology Pioneer, Mocana provides the only device-independent security platform that secures all aspects of mobile and smart connected devices, as well as the apps and services that run on them. Mocana's solutions dramatically increase confidence and compliance for the enterprise, OEMs, service providers and their customers. Millions of people use products sold by the more than 200 companies that rely on Mocana's solutions, including Cisco, Honeywell, Dell, GE and General Dynamics, as well as four of the top five Android handset makers. For more information, visit www.mocana.com.
