And once a Cisco IP phone is hacked, it can infect other phones on the same network and attack computers and other attached devices, the scientists found. They reported their findings to Cisco in October and the company is developing a patch. But it's unclear how many phones are still vulnerable, IEEE Spectrum reported.
According to one of the scientists: "We could turn a phone into a walkie-talkie that was always on by rewriting its software with 900 bytes of code. Within 10 minutes, it could then go on to compromise every other phone on its network so that you could hear everything."
The vulnerabilities were found in the phones' Unix-based operating system kernel, according to IEEE Spectrum. The Columbia researchers developed a Bluetooth-enabled device to attack the phone via a physical connection, but they say the phones could also be compromised remotely. They plan to demonstrate this vulnerability at a conference in Germany two days after Christmas.
Cisco IP phones vulnerable to eavesdropping
Posted on Friday, Dec 28 2012 @ 16:36 CET by Thomas De Maesschalck