VoIP News
VoIP Providers
VoIP Books
VoIP Software
VoIP Jobs
VoIP Events Calendar
VoIP FAQ
Archives
Contact
About
Security Researcher Demonstrates Enterprise VoIP Phone Hack at Recent Amphion Forum
During the recent
Amphion Forum
, a conference where device and mobile security experts from different disciplines gather, Ang Cui, a fifth-year grad student from the Columbia University Intrusion Detection Systems Lab, demonstrated how connected devices such as networked printers and VoIP phones can be easily hijacked to give intruders virtually unlimited remote access to extremely sensitive information and allow them to eavesdrop on private conversations. The Amphion Forum is hosted by Mocana, a leader in device and mobile security.
Using a common Cisco-branded VoIP phone, Cui inserted and then removed a small external circuit board from the phone’s Ethernet port—something Cui asserted could be easily accomplished by a company visitor left unattended for a few seconds—and starting using his own smartphone to capture every word spoken near the VoIP phone, even though it was still ‘on-hook.’ While he did not specify the precise vulnerability, Cui said it allowed him to patch the phone’s software with arbitrary pieces of code, and that this allowed him to turn the Off-Hook Switch into what he called a “funtenna.” According to Cui, once one phone is compromised, the entire network of phones is vulnerable. Cui later said he could also perform a similar exploit remotely, without the need to insert a circuit board at all.
The vulnerability Cui demonstrated was based on work he did over the last year on what he called ‘Project Gunman v2’, where a laser printer firmware update could be compromised to include additional, and potentially malicious, code. With this, it becomes possible to remotely compromise a printer located within the organization’s firewall and eavesdrop on documents being printed or stored, without ever setting foot on the premises. The compromised printer could then be used to launch other attacks on the internal network. The demonstration at the Amphion Forum in San Francisco took such an attack even further.
Cui pointed out that current security solutions don’t work with embedded systems like VoIP phones and printers and code signing isn’t enough. “Signing files doesn’t make the files secure,” Cui said.
He also said that routers, printers and phones are general-purpose computers without host-based intrusion systems or antivirus protection built in, so they make attractive targets. Further, they often lack encryption for data in motion or at rest.
Cui’s research was carried out as part of a DARPA CRASH (from the I2O office) and IARPA Stonesoup Program, and he recently briefed agencies of the U.S. federal government about the potential for a serious attack on all its Cisco Unified VoIP phones.
“The VoIP phone vulnerability demonstrated at the Amphion Forum was a stark reminder of the need to address the device security mess. The sad fact is that most devices connected to corporate networks, like printers and VoIP phones, are almost totally unsecured,” said Kurt Stammberger, CISSP, vice president of market development at Mocana and chair of the Amphion Forum. “The Amphion Forum is a unique event where thought leaders from academia, business, government and technology can gather to discuss the threats and opportunities presented by the unprecedented proliferation of mobile and connected devices that are creating the Internet of Things.”
The Amphion Forum was founded to provide a medium for stakeholders in the smart device economy to share solutions and forge a clear direction for the future of the Internet of Things. The most recent event was held in San Francisco on December 5 and attracted more than 350 participants and thought-leader presenters, making it the largest and most successful Amphion event since it was founded in 2011. Event organizers believe that by fostering a World Economic Forum-type environment, where big thinkers can share ideas for some of the most pressing issues facing the global device infrastructure, safer medical electronics, increased energy security and more secure industrial automation.
Posted on Dec 12, 2012
Reviews
|
Share
|
Digg
Filed in:
Security
Related Entries
•
Vertex Telecom Selects RedShift Networks as the VOIP/SIP Security Solution for Enterprise and Wholesale Customers
•
netTALK Announces Free Advanced Privacy Features Added to its DUO VoIP Devices
•
Sangoma Enhances IP Security Offering with SBC Release
•
VoIP Fraud Could Kill Your Company - FraudStopper Kills the Fraud
•
VoIP Supply Adds Grandstream IP Surveillance Line
•
Cellcrypt Launches Encrypted Voice Calling for Android Smartphones
All comments require the approval of the site owner before being displayed.
Post a Comment
Please use a valid e-mail address. Your address will not be publicly visible and is only a means for us to contact you when asked. Thank you.
Name
E-mail
(will show your
gravatar
icon)
Home page
Remember Me
Comment (Some html is allowed:
)
Enter the code shown (prevents robots):
All brand, company, and product names are trademarks or registered trademarks of their
respective owners. © 2012 VoIP Monitor. All rights reserved.
Privacy Policy
Terms
SUBSCRIBE
Subscribe to our RSS feed
Bookmark VoIPMonitor.net
Subscribe to our newsletter via email
News Categories
Asterisk
Bluetooth Headsets
E911
General
Hardware
Investments
iPad
iPhone
Mergers and Acquisitions
Mobile VoIP
Offbeat News
Security
SIP
VoIP Advice
VoIP Awards
VoIP Bloggers
VoIP Books
VoIP by Region
Africa
Asia
Australia
Europe
Middle East
North America
South America
VoIP Events
VoIP Jobs
VoIP Products
VoIP Promotions
VoIP Providers
ATT
Fusion
Google Talk
Lingo
MCI
MSN Messenger
Net2Phone
Packet8
Phone Power
Pingo
Qwest
RingCentral
SBC
Skype
SunRocket
Verizon
ViaTalk
Vonage
Yahoo Messenger
VoIP Reports
VoIP Software
VoIP Solutions
VoIP Wireless
WiFi
VoIP Information
Tom Keating
Alec Saunders
Andy Abramson
Garrett Smith
Jeff Pulver
Om Malik
Thoughts on VoIP
Solomon's VoIP World
VoIP Weblog
VoIP Guide
Archives
May, 2013 (2)
December, 2012 (3)
November, 2012 (7)
October, 2012 (19)
September, 2012 (5)
August, 2012 (10)
July, 2012 (24)
June, 2012 (18)
May, 2012 (28)
April, 2012 (20)
March, 2012 (16)
February, 2012 (12)
January, 2012 (12)
November, 2011 (21)
October, 2011 (28)
September, 2011 (23)
August, 2011 (26)
July, 2011 (26)
June, 2011 (38)
May, 2011 (59)
April, 2011 (49)
March, 2011 (67)
February, 2011 (68)
January, 2011 (54)
December, 2010 (45)
November, 2010 (43)
October, 2010 (47)
September, 2010 (43)
August, 2010 (32)
July, 2010 (28)
June, 2010 (39)
May, 2010 (46)
April, 2010 (36)
March, 2010 (52)
February, 2010 (45)
January, 2010 (44)
December, 2009 (41)
November, 2009 (46)
October, 2009 (54)
September, 2009 (58)
August, 2009 (29)
July, 2009 (36)
June, 2009 (32)
May, 2009 (32)
April, 2009 (13)
March, 2009 (47)
February, 2009 (37)
January, 2009 (53)
December, 2008 (44)
November, 2008 (56)
October, 2008 (51)
September, 2008 (50)
August, 2008 (41)
July, 2008 (50)
June, 2008 (52)
May, 2008 (53)
April, 2008 (64)
March, 2008 (59)
February, 2008 (53)
January, 2008 (65)
December, 2007 (39)
November, 2007 (33)
October, 2007 (65)
September, 2007 (29)
August, 2007 (52)
July, 2007 (49)
June, 2007 (59)
May, 2007 (64)
April, 2007 (43)
March, 2007 (66)
February, 2007 (100)
January, 2007 (108)
December, 2006 (86)
November, 2006 (100)
October, 2006 (86)
September, 2006 (55)
August, 2006 (31)
July, 2006 (76)
June, 2006 (79)
May, 2006 (87)
April, 2006 (45)
March, 2006 (55)
February, 2006 (55)
January, 2006 (56)
December, 2005 (53)
November, 2005 (61)
October, 2005 (13)
September, 2005 (42)
August, 2005 (57)
April, 2005 (57)
March, 2005 (21)
February, 2005 (15)