On 24 March 2015 at 15:22, Jim Van Meggelen <[email protected]> wrote:
>
> http://www.itnews.com.au/News/401928,cisco-confirms-ip-phone-eavesdropping-flaw.aspx
>

Hi Jim,

I can understand them ranking it lower than "Critical" because of their assumption that these are business devices and should be behind a firewall of some kind, but I agree that I was surprised to see the low designation of "Harassment." Being able to intercept audio and execute arbitrary code isn't just a nuisance. The opportunity to spear-phish is pretty big.

I know people should have 802.11x and VLANs, but I'd imagine that if I showed up at many offices and asked to give a 5-minute presentation on some cost-saving measure, I'd be received in the board room at plenty of places and I'd have an opportunity to jack into a LAN port. From there I'd have a decent chance of detecting some SPA devices with a quick scan of the subnet. That's only to mention one of many, many possible attack vectors.

I was curious, so I hit up ShodanHQ without even knowing what the header was. Helpfully, Cisco made it the model of the phone, so anyone can go to this URL and see that there are almost 1500 Cisco 525g2s with their web interface exposed to the public Internet. It's a one-stop shop; you can also get the IPs.

What's more surprising to me is that there's no patch. I doubt that many IT departments keep their phones on the bleeding edge of phone firmware anyway, but if I did the risk assessment and found that one or two of my devices were high risk, now I don't really have a choice other than to take them offline.

Best of luck to anyone on the list who's dealing with this. If you come up with a good solution, I'd be interested to know it.

Dave
