Cisco confirms IP phone eavesdropping flaw

Cisco's small business SPA300 and SPA500 internet protocol (IP) phones contain a vulnerability that if exploited, allows attackers to remotely listen in on audio from the devices.

Cisco SPA300 devices. Source: vendor

The vulnerability was discovered by Chris Watts, director of Tech Analysis in Sydney, along with two others.

Watts and Tech Analysis were tasked with finding security vulnerabilites in the Cisco Shared Port Adapter internet protocol hardware and software, and were to report any findings to the company.

Three vulnerabilities were discovered in the audit, and named CVE-2015-0670, CVE-2014-3313 and CVE-2014-3312.

Watts told iTnews CVE-2015-0670 was severe.

"An attacker could exploit this vulnerability and remotely turn on a phone’s microphone and eavesdrop from anywhere in the world," Watts said.

This included being able to hear not just the phone conversations, but sounds in the device's surroundings - all without victims noticing the interception is taking place.

"Imagine the phone in your office or boardroom streaming conversations to your competitors," Watts said.

Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5.

An attacker can send a specially crafted Extensible Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams.

Successful exploits could be used to conduct further attacks, Cisco warned.

Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low "harassment" severity rating.

In its analysis of the flaw, Cisco said attackers may need access to trusted, internal networks behind a firewall to send the specially crafted XML requests to targeted devices. This requirement may reduce the likelihood of a successful exploit, Cisco said.

The company said there are no software updates available to fix the issue.

While Watts is not aware of any cases of where CVE-2015-0670 has been exploited, he said an attacker could use the Shodan device search engine to find internet-facing SPA phones.

He suggested administrators make sure that no phones are directly connected to the internet in order to mitigate against the vulnerability.

The CVE-2014-3313 vulnerability that Watts reported to Cisco allows users to elevate privileges through cross-site scripting, and change the admin password on the device.

On SPA firmware version 7.5.5 and earlier, it's also possible for users to execute arbitrary code or to modify arbitrary memory with elevated privileges, as Watts discovered with the CVE-2014-3312 vulnerability.

Update: Cisco has advised that it now intends to patch the security flaw.

"I can confirm that Cisco is working on a patch and will provide it for our customers," Cisco senior manager for business critical communications Nigel Glennie told iTnews.

Glennie did not provide a release date for the patch, but told iTnews it would be available from the same security advisory as before.