Could Your Office Phone be Hacked Into an Eavesdropping Device?

By Bob Sullivan

High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.

The hack, demonstrated for NBC News, allows the researchers to turn on a telephone's microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.

Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks.  For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone's LED light to stay dark when the phone's microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked.

The flaw involves software running on Cisco's popular Internet Protocol telephones. Cisco acknowledged the flaw in a statement to NBC News, but wouldn't say how many of its phones were impacted. In a blog post earlier this year, the company -- the leading IP phone maker, with about one-third of the market -- said it had just surpassed 50 million in phone sales.
In a vulnerability announcement sent to paying customers in December, Cisco listed 15 phone models impacted by the problem.  

Cisco's statement indicated that the company is working on a fix, and the firm told NBC News that it planned to issue a security bulletin next week. But Stolfo said he is "very worried about the speed with which Cisco is handling this."

The research was conducted under a grant from the Defense Advanced Research Projects Agency (DARPA), an arm of the Defense Department devoted to computer security, and conducted at the Computer Science Department of Columbia University’s School of Engineering and Applied Science. The same lab caused a global stir in 2011 when it published a hack of Hewlett Packard printers.

The Columbia lab focuses on so-called "embedded devices" -- computer chips in non-PC gadgets, such as televisions, thermostats or telephones. Increasingly, all these gadgets are networked and connected to the Internet, and therefore can be hacked remotely.

"These phones are really general purpose computers jammed into a plastic case that makes you think it's a phone," Cui said. "Just because it doesn't have a keyboard doesn't make it less of a computer.”
Cisco's IP phones -- and other models that use the same chipset -- are open to attack because they routinely connect to a central server looking for updated instructions, according to Cui.  That creates an avenue for a hacker to insert rogue code, he said.

But he also maintained that there are multiple scenarios that would allow for a remote attack.
Escalation would be one way: An outsider could trick a worker into clicking on a virus-laden email attachment, infect the worker’s computer and then use that computer to attack a phone from inside a company’s network, he said.  But the researchers say other flaws exist that would allow the phone to be attacked directly from outside the company.
"It also works the other way," Cui added. "You could attack the network, and then attack a single person's phone. Say, the CEO, at home."

Stolfo said it was critical to come forward with the Cisco flaw now because the company isn't working fast enough to fix it.

"What we're doing is trying to alert the manufacturer to not provide the opportunity to hackers to break into our phones," he said. "What we're asking them to do is like asking automakers to put seatbelts into cars to save lives."
 
The researchers have not released their attack code, so would-be criminals cannot simply copy their work and attack Cisco phone systems today, and there is no evidence that a hacker has exploited this vulnerability in the real world. They do believe others will successfully -- and independently -- duplicate their research, however, placing Cisco is in a race with hackers, and Cui thinks it’s possible that has already happened.

"I'd be surprised if someone else hasn't already done this," Cui said.