Eavesdropping IP Phones
“Landlines” may be on their way to becoming obsolete to the everyday consumer, but there is something it has over its IP counterparts: Security.
Case in point: Cisco’s 7.5.5 small business IP software, which could be tapped by an eavesdropper sending a crafted XML request to the Borg's SPA 300 and 500 IP phones. Potential hackers could use the Shodan search engine to find these vulnerable phones. Persons with these compromised devices should be wary, and lock down their devices.
A Cisco advisory states that “An unauthenticated, remote attacker could exploit this vulnerability to listen to a remote audio stream from an affected device or to gain access to make phone calls remotely," and tells consumers that "The vulnerability is due to improper authentication settings in the default configuration of the affected software."
The breach was discovered by Chris Watts, a Sydney security analyst, and though there is no patch right now, one is currently in development.
One way to potentially thwart an eavesdropping hack is by setting the default of the devices to “off.”
If you are a small business using IP phones and you have any questions or concerns regarding the security of your devices, please feel free to contact Petronella, and we would be more than happy to assist you.