According to an advisory issued by the company, the vulnerability resides in the firmware used by the Cisco Small Business SPA 300 and 500 series IP phones, and could allow an unauthenticated, remote attacker to not just listen to the audio stream of IP conversations.
Vulnerability researcher Chris Watts, who uncovered the flaw, told ITNews that he found three vulnerabilities in the devices, the most serious of which (CVE-2015-0670) could allow remote hackers to make calls, or even spy on conversations occurring near the phone:
“An attacker could exploit this vulnerability and remotely turn on a phone’s microphone and eavesdrop from anywhere in the world,” Watts said.
This included being able to hear not just the phone conversations, but sounds in the device’s surroundings – all without victims noticing the interception is taking place.
“Imagine the phone in your office or boardroom streaming conversations to your competitors,” Watts said.
Apparently, the attack relies upon specially-crafted XML requests being sent to the at-risk devices.
Version 7.5.5 of the phone firmware is said to be vulnerable, although other more recent versions could also be at risk.
Cisco says it is working on a patch, which hopefully will be made available soon, but in the meantime advises that administrators enable XML Execution authentication in the configuration settings of vulnerable phones.
Although some might imagine that the chances of an IP phone being exploited by attackers are remote, it would be wise to ensure that your systems are locked down and internet-connected devices are not unnecessarily exposed.
After all, there are specialist search engines like Shodan which are designed to reveal exposed internet-enabled devices such as webcams, routers and IP phones.
Remember. You need to be careful about everything you plug into the internet…