Hack Turns the Cisco Phone on Your Desk into a Remote Bugging Device

Internet phones sold by Cisco Systems are vulnerable to stealthy hacks that turn them into remote bugging devices that eavesdrop on private calls and nearby conversations.

The networking giant warned of the vulnerability on Wednesday, almost two weeks after a security expert demonstrated how people with physical access to the phones could cause them to execute malicious code. Cisco plans to release a stop-gap software patch later this month for the weakness, which affects several models in the Cisco Unified IP Phone 7900 series. The vulnerability can also be exploited remotely over corporate networks, although Cisco has issued workarounds to make those hacks more difficult.

“Cisco recognizes that while a number of network, device, and configuration based mitigations exist, there is no way to mitigate the physical attack vector on the affected devices,” the company’s advisory stated. “To this end, Cisco will conduct a phased remediation approach and will be releasing an intermediate Engineering Special software release for affected devices to mitigate known attack vectors for the vulnerability documented in this advisory.”

The vulnerability is the latest reminder of the privacy threat posed by today’s phones, computers, smartphones, and other network-connected devices. Because the devices run on software that’s susceptible to hacking, they can often be surreptitiously turned into listening, and sometimes spying, vehicles that capture our business secrets or most intimate moments.

The vulnerability in Cisco phones was discovered by Ang Cui and Salvatore Stolfo, a doctoral candidate and a computer science professor, respectively, in Columbia University’s engineering department. In a talk titled “Just because you are paranoid doesn’t mean your phone isn’t listening to everything you say” and presented at the 29th Chaos Communication Congress, Cui demonstrated a device that connects to the local serial port of a Cisco phone. Once attached, it injects attack code that gives the attacker control over the device.

Among other things, the hack allows attackers to monitor phone calls and to turn on the phone’s microphone in order to eavesdrop on conversations within earshot and stream them over the network.

Cui demonstrated the vulnerability earlier in December. Cisco issued a patch around the same time, but in his later demonstration, Cui said it was ineffective. Cisco responded with Wednesday’s advisory, pledging to rewrite the underlying firmware to “fully mitigate the underlying root cause” of the vulnerability. The advisory said that would happen in the next few months but wasn’t more specific.

Cui’s hack works by overwriting portions of the user or kernel space in the phone’s memory. That allows him to gain root access to the phone’s Unix-like firmware system and take control of the digital signal processor and other key functions.

While the hack requires physical access to the phone, it would still be possible for janitors, colleagues, or other trusted insiders to carry out the attack. Once done, a phone exhibits few indications that it has been compromised. It’s not uncommon for security-conscious people to place masking tape over the video camera of their computers to prevent drive-by attacks that turn them on. Thwarting attacks that turn phones into bugging devices will be harder, since the phones can’t be unplugged during calls. Welcome to the world of network-connected devices.

A YouTube video demonstrating the hack can be found here.

Source: Ars Technica

Nokia Admits Decrypting User Data But Denies Man-in-the-Middle Attacks

Nokia has rejected claims it might be spying on users’ encrypted Internet traffic, but admitted it is intercepting and temporarily decrypting HTTPS connections for the benefit of customers.

A security professional alleged Nokia was carrying out so-called man-in-the-middle attacks on its own users. Gaurang Pandya, currently infrastructure security architect at Unisys Global Services India, said in December he saw traffic being diverted from his Nokia Asha phone through to Nokia-owned proxy servers.

Pandya wanted to know if SSL-protected traffic was being diverted through Nokia servers too. Yesterday, in a blog post, Pandya said Nokia was intercepting HTTPS traffic and could have been snooping on users’ content, as he had determined by looking at DNS requests and SSL certificates using Nokia’s mobile browser.

Nokia: We’re not doing man-in-the-middle attacks

“When checked, the DNS request was sent for ‘cloud13.browser.ovi.com’ which is same host where we had seen even HTTP traffic being sent,” he wrote.

“It is evident … that even HTTPS requests are also getting redirected to Nokia/Ovi servers, which raises a question about [the] certificate that [is] being received from Nokia’s servers and [the] trusted list of certificates in Nokia [phones].”

Having checked the trusted certificates list in the phone, the researcher found Nokia had pre-configured the device to trust certificates sent from its servers. “Which is the reason why there are no security alerts being shown during this man-in-the-middle attack by Nokia,” he added.

“From the tests that were performed, it is evident that Nokia is performing man-in-the-middle attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.”

Nokia said it was diverting user connections through its own proxy servers as part of the traffic compression feature of its browser, designed to make services speedier. It was not looking at any encrypted content, even though it did temporarily decrypt some information. This could still be defined as a man-in-the-middle attack, although Nokia says no data is being viewed by its staff.

“The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans,” a spokesperson said, in an email sent to TechWeekEurope.

“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.”

“Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

Nokia said it would review the information provided in the mobile client “in case this can be improved”.

Other browser makers do compression using their own servers – Opera, for instance, is vocal about it.

Source: TechWeekEurope

Game Boy Repurposed as an Android Gamepad

Many of us whiled away untold hours of our youth mashing the D-pad, A and B buttons of the original Game Boy, which is why we’ve seen many hacks using its iconic hardware. Gaming on mobile touchscreens isn’t nearly so tactilely pleasing as that portable, however, so nostalgic modder Chad Boughton decided to swap out his GB’s dot-matrix display for the Super AMOLED of a Galaxy Nexus.

He first removed the screen and trimmed the chassis so that a GNex case could be bolted flush with the rest of the body. The more involved part of the mod, however, was getting the buttons to work wirelessly with the phone. To accomplish the trick, he trimmed the Game Boy’s circuit board to make room for the guts of a Wiimote, which he then connected to the buttons. From there, he installed the Wii Controller IME app to get the GB talking with the phone, and presto! One of the coolest Android gamepads we’ve seen was born. You can see how it works in the video after the break, and there’s a slew of shots showing the mod in progress at the source below.

A YouTube video demonstration is available here.

Via: Engadget