Cisco IP Phones Vulnerable To Eavesdropping Attack

Cisco has confirmed that its Small Business SPA 300 and 500 series IP phones are vulnerable to an unpatched flaw.

The flaw could allow an attacker to listen to the audio stream of a phone call, make calls remotely or even eavesdrop on the area around the device.

“The vulnerability is due to improper authentication settings in the default configuration,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”

Chris Watts, director of Sydney-based Tech Analysis, who discovered the flaw, said it could also be used to turn on a phone’s microphone and listen to sounds in the device’s surrounding environment.

Cisco initially said it didn’t intend to patch the flaw, considering it low-risk, but afterward said it plans to issue a patch.

The flaw affects units running version 7.5.5 of the firmware, but later versions may also be affected, Cisco said.

Firewall protection

Exploitation is made somewhat difficult by the fact that an attacker would need access to the network on which the telephone is installed, with most units likely to be protected by firewalls, Cisco said.

However, security researchers were quick to point out that attackers could locate affected phones directly connected to the Internet using a specialised device search engine such as Shodan.

Until a patch is released, Cisco advised administrators to take workaround measures such as enabling XML Execution authentication in the configuration settings of affected devices.

Are you a security pro? Try our quiz!