Businesses using the popular IP phones sold by Cisco Systems are vulnerable to having their communications tapped and confidential information exposed, according to security experts. They said the phones' default settings allow them to be turned into remote bugging devices that can intercept confidential conversations.
Chris Gatford, director of the Sydney penetration-testing firm HackLabs, established that the internet-protocol phone systems from market leader Cisco were exposed to attacks that were already widely known. He said VoIP phone systems could be turned against their own users, hacked into networked listening devices. He demonstrated how phone conversations can be remotely wiretapped or silenced, and also illicitly recorded, injected with sound or redirected. He also said some of his customers had lost US$20,000 a day through such exploits, which included attacks that forced the phones to dial premium-rate numbers.
Gatford said that such attacks on business IP telephony systems closely mimic many Hollywood movie scenes. "You can imagine, if you are an employee who wants to listen in on your boss during a meeting, that the phone in the conference room will be a target."
Hackers can also launch a distributed denial-of-service attack that takes a phone system offline, said Gatford, who had seen such attacks cripple networks at Australian companies. The weaknesses stem from the phones' reliance on web-based functions, which give users more features at the cost of making the devices easier for attackers to break into.
He said most businesses only secured their VoIP networks after they had been hacked. "When network security is considered, a crucial area to always assess is risks," Gatford said.
However, HackLabs penetration tester Peter Wesley added that network administrators share the blame because they neglect to read the security manuals before putting the phone systems into service. The consultants said the underlying weaknesses, which are present in the default settings, can only be removed by changing the phones' configuration. They said the thick manual that ships with the phones recommends switching off web services. But Wesley lamented, "Who's going to read all that?"
A Cisco spokesman said the company takes security seriously and advised users to follow the manual's recommendations to protect their systems. There was no explanation, however, of why Cisco does not ship the phones with the web features disabled and let users who have a specific need switch them on themselves.
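The fix the consultants describe, switching off the phones' web service, is easy to verify across a fleet: a phone with web access still on answers an HTTP request, while one with it off refuses the connection. The Python script below is an added illustration, not code from the article, from HackLabs or from Cisco. It probes a list of addresses and sorts each into "enabled", "disabled" or "unknown". It assumes the phone's web interface listens on TCP/80 (the port is a parameter); the loopback "demo phone" and the ports it uses are constructed so the script runs offline.

```python
"""Survey IP phones for a web interface that was left enabled.

Added example for illustration; not code from the article, HackLabs or Cisco.
Assumption: an enabled phone web service answers HTTP on TCP/80 (parameter).
The demo responder and ports below are constructed for an offline run.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def web_service_enabled(host, port=80, timeout=2.0):
    """Probe one phone. Returns (state, detail) with state one of:
    'enabled'  - the device answered an HTTP request on the port,
    'disabled' - the device actively refused the connection (web access off),
    'unknown'  - no usable answer (host down, or a firewall/ACL in the way).
    Telling refusal from silence matters: a refused connection shows the
    phone is up and the service is off; a timeout proves nothing either way.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        detail = f"HTTP {resp.status}; Server: {resp.getheader('Server') or 'n/a'}"
        conn.close()
        return "enabled", detail
    except ConnectionRefusedError:
        return "disabled", "connection refused"
    except (OSError, http.client.HTTPException) as exc:
        # Timeouts, unreachable hosts, or a listener that does not speak HTTP.
        return "unknown", str(exc) or exc.__class__.__name__


def survey(hosts, port=80, timeout=2.0):
    """Probe every host in turn and return {host: (state, detail)}."""
    return {h: web_service_enabled(h, port, timeout) for h in hosts}


def report(results):
    """Return, sorted, the hosts whose web interface is still reachable."""
    return sorted(h for h, (state, _) in results.items() if state == "enabled")


class _DemoPhoneHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a phone whose web service was left on."""

    def do_GET(self):
        body = b"<html><body>Device Information</body></html>"
        self.send_response(200)
        self.send_header("Server", "demo-phone (constructed)")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_phone():
    """Start the constructed phone on 127.0.0.1 on an ephemeral port.
    Returns (server, port); call server.shutdown() when finished."""
    server = HTTPServer(("127.0.0.1", 0), _DemoPhoneHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port():
    """Pick a loopback port nothing listens on: connecting to it is refused,
    which models a phone that has web access disabled."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, on_port = start_demo_phone()
    off_port = unused_port()
    # One loopback host probed on two ports stands in for two phones.
    print("web access on :", web_service_enabled("127.0.0.1", on_port))
    print("web access off:", web_service_enabled("127.0.0.1", off_port))
    server.shutdown()
```

Run the survey from the voice VLAN itself: an access list between segments can hide an enabled web service from a scanner elsewhere and produce "unknown" for a phone that is wide open to anyone on the same VLAN. Treat only "disabled" as evidence the setting was actually changed.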