Categories: Security

Cisco IP Phones Vulnerable To Eavesdropping Attack

Cisco has confirmed that its Small Business SPA 300 and 500 series IP phones are vulnerable to an unpatched flaw.

The flaw could allow an attacker to listen to the audio stream of a phone call, make calls remotely or even eavesdrop on the area around the device.

“The vulnerability is due to improper authentication settings in the default configuration,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”

Chris Watts, director of Sydney-based Tech Analysis, who discovered the flaw, said it could also be used to turn on a phone’s microphone and listen to sounds in the device’s surrounding environment.

Cisco initially said it didn’t intend to patch the flaw, considering it low-risk, but afterward said it plans to issue a patch.

The flaw affects units running version 7.5.5 of the firmware, but later versions may also be affected, Cisco said.

Firewall protection

Exploitation is made somewhat difficult by the fact that an attacker would need access to the network on which the telephone is installed, with most units likely to be protected by firewalls, Cisco said.

However, security researchers were quick to point out that attackers could locate affected phones directly connected to the Internet using a specialised device search engine such as Shodan.

Until a patch is released, Cisco advised administrators to take workaround measures such as enabling XML Execution authentication in the configuration settings of affected devices.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

54 mins ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

16 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

19 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

20 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

21 hours ago