[ISN] Intercept Threats of Cisco IP Phones

From: InfoSec News (isn@private)
Date: Tue Nov 16 2004 - 05:35:30 PST


http://cryptome.org/cisco-holes.htm

Thanks to A. 
14 November 2004

In the SIP images of Cisco 7960/7940 (and perhaps 7970/7980) phones,
there is a "telnet" option which can be enabled.  In the highest
access mode of this interface, it is possible to activate a "test
keys" mode, which would allow an external party to make calls to
remote (external) destinations without the local user hearing any
indication that the phone had been placed into "remote intercom" mode.  
The test key mode allows a telnet user to simulate the exact
keystrokes of a local user.

Additionally, there is a feature called "auto-answer" which can be
activated on a single line, meaning that whatever SIP username is
associated with that line will also achieve an auto-answer (on
speakerphone, if available) for that line.  This also can be used as a
remote area surveillance system.  (Example: in our office, I have a
special extension which calls all phones across the entire office and
muxes them back into a single conference bridge, so that I can listen
to the entire office at night to see if there is anything amiss (fan
noises, UPS signalling, fire alarms, voices.))

Both variations create a bright green LED to light up on the deskset,
and also the LCD screen shows the status of the "call" in progress, so
there is some external indication that something is happening.

Cisco has made some progress in ensuring that "pirate" versions of
code for the phones are not easily developed and uploaded; updated
versions need to be cryptographically signed before the phone will
upload them (exact methods unknown), which to some degree mitigates
the threat from versions which have no physical indications, though
anything is possible with enough budget and brainpower.

Both of these "features" are available currently on the SIP images and
present different threat situations for voice surveillance.

I don't know if they're also available in the SCCP or H.323 versions
of the code.  Both are exceedingly dangerous, and telnet mode should
never be enabled in an insecure (or even secure) environment.
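As an added illustration of the two settings discussed above (this is not code from the advisory or from Cisco), the following Python audits a phone configuration file of the "key: value" style used by these phones and flags the weak settings next to a hardened copy. The parameter names telnet_level and lineN_auto_answer, the meaning of the telnet_level values (0 off, 1 enabled, 2 privileged), and the sample configs themselves are assumptions constructed for the example.

```python
"""Audit a Cisco 7940/7960-style SIP phone config for the two settings
the advisory warns about: telnet access (the "test keys" mode needs the
highest telnet access level) and per-line auto-answer.

Assumptions (not taken from the advisory): lines are "key: value",
'#' starts a comment, values may be quoted, telnet_level is 0/1/2
(off/enabled/privileged) and auto-answer is lineN_auto_answer: 0/1.
"""

import re
from typing import Dict, List

# Constructed sample: the weak configuration the advisory describes.
WEAK_CONFIG = """\
# SIPDefault.cnf (constructed sample)
proxy1_address: "10.0.0.5"
telnet_level: 2          # privileged telnet: test-key mode reachable
line1_name: "1001"
line1_auto_answer: 1     # line 1 picks up unattended on speakerphone
line2_name: "1002"
line2_auto_answer: 0
"""

# Matches "key: value  # optional comment", with or without quotes.
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*:\s*"?([^"#]*?)"?\s*(?:#.*)?$')
# Assumed key shape for per-line or global auto-answer.
_AUTO_RE = re.compile(r'^(line\d+_)?auto_answer$')


def parse_config(text: str) -> Dict[str, str]:
    """Return a lower-cased key -> value map, ignoring blank/comment lines."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def audit_config(text: str) -> List[str]:
    """List findings for telnet being enabled and any line auto-answering."""
    cfg = parse_config(text)
    findings: List[str] = []
    level = cfg.get('telnet_level', '0')
    if level == '2':
        findings.append('telnet_level=2: privileged telnet enabled, '
                        'test-key mode reachable; set telnet_level: 0')
    elif level != '0':
        findings.append(f'telnet_level={level}: telnet enabled; '
                        'set telnet_level: 0')
    for key, value in cfg.items():
        if _AUTO_RE.match(key) and value not in ('0', ''):
            findings.append(f'{key}={value}: line answers unattended '
                            f'(speakerphone); set {key}: 0')
    return findings


def harden_config(text: str) -> str:
    """Rewrite the config with telnet and every auto-answer key forced to 0,
    leaving all other lines (including comments) untouched."""
    out: List[str] = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw)
        key = m.group(1).lower() if m else None
        if key == 'telnet_level' or (key and _AUTO_RE.match(key)):
            out.append(f'{key}: 0')
        else:
            out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for finding in audit_config(WEAK_CONFIG):
        print('FINDING:', finding)
    print('--- hardened ---')
    print(harden_config(WEAK_CONFIG))
```

Run against a phone's configuration file pulled from the TFTP server, the audit gives a one-line reason per weak setting, and the hardened output can be diffed against the original before being pushed back so that only the two risky keys change.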

The intercom feature is also an issue, since there is no reverse
authentication from the Cisco phones (another major failing, in my
opinion, of Cisco's SIP practical implementation strategy).






This archive was generated by hypermail 2.1.3 : Tue Nov 16 2004 - 08:07:32 PST