Two zero-day vulnerabilities in Avaya’s latest one-X 9608 IP telephones have been discovered and are expected to be patched by Avaya on Friday, according to two security researchers, Ang Cui and Salvatore Stolfo. Both vulnerabilities make it very easy for an attacker to turn the IP phone into a listening post.
Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, demonstrated one of the exploits and provided details on the previously unreported vulnerabilities during a presentation, also on Friday, at RSA Conference 2014.
Cui and Stolfo presented similar VoIP vulnerabilities found within the Cisco 7900 series phones at the Amphion Forum San Francisco in 2012. For that attack, one first needed to physically attach a dongle to the phone. Once compromised, the phone would then eavesdrop on conversations within the room, even when the phone was not off the hook.
However, this new attack is even deadlier, as it doesn’t require any outside hardware. For this new attack, the pair said they could remotely compromise the devices as well as other devices on the corporate network. Cui described the exploitation of one of the Avaya vulnerabilities as simple, almost trivial.
“I can fit the entire attack information on a Post-It note,” he said. “The barrier to entry here is very, very low. So the probability that no one has found this vulnerability in my opinion is very low, right. But we’re the very first people to have actually publicized this one. In my mind it’s entirely plausible that someone has exploited this vulnerability before.”
Cui said he’s found a way for any device to broadcast data in a surreptitious way. “We came up with this technique that essentially turns very standard PC circuit boards that you find in all kinds of embedded devices into improvised radio transmitters,” he said. “So I’m not using the wireless chip set, I’m not using anything that’s meant to be an RF transmitter. I’m using code, software that basically forces the existing circuit board to act like an ad hoc transmitter. And this is something that an attacker can use to transmit a signal out the window, for example, and sneak all sorts of sources of data out. It’s very difficult to detect at the moment.”
Cui said he’s been disclosing details of the vulnerability to the vendor and not the public. Avaya has confirmed that Cui and Stolfo have been in contact and that it would release a patch: “We are aware of the issue and committed to delivering a fix no later than March 1, 2014.”