March 24, 2015 By Douglas Bonderud 2 min read

Cisco may want to cover its ears; concerned businesses will likely have a lot to say after it was revealed that the technology firm’s IP phones are vulnerable to remote eavesdropping. As reported by Threatpost, the issue was found by Chris Watts, an Australian technology researcher. While Cisco says it is working on a new firmware version to fix the problem, what is the risk to companies using these mobile devices in the meantime?

Hear No Evil?

According to an advisory from Cisco, “A vulnerability in the firmware of the Cisco Small Business SPA 300 and 500 series IP phones could allow an unauthenticated, remote attacker to listen to the audio stream of an IP phone.”

The problem stems from an issue with authentication settings in the phone’s default configuration, allowing attackers to send a malicious XML request to these devices. In turn, this grants remote access to audio streams and the ability to make phone calls remotely.

This sounds scary, especially since the Version 7.5.5 firmware for Cisco Small Business SPA500 IP phones doesn’t yet have a fix. However, the company says there is a silver lining, since privileged access might be required to exploit the bug at any stage.

“An attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests,” Cisco noted. The word “may” is worrisome, since it implies that in some cases, high-level access might not be mandatory. It is also worth noting that another bug was discovered in both the SPA300 and 500 series phones, allowing malicious actors to carry out cross-site scripting attacks.

Speak No Evil?

This isn’t the first instance of eavesdropping in recent months. As noted by Digital Trends, several SIM card manufacturers reported in February that the National Security Agency had tried — and supposedly failed — to hack these ID cards to gain access to millions of consumer phones. And, in an even stranger case, Mashable reports Mattel’s new Hello Barbie toy is coming under fire because it eavesdrops on children by listening to what they say and then sends this data to a cloud server, where it is ostensibly used to prompt better responses from the doll. Some security experts say the toy is a privacy violation because there is no guarantee this data will be used ethically.

Companies and citizens alike don’t enjoy having their conversations tapped, even if the likelihood is slim or there are assurances the data will be safeguarded. Cisco’s vulnerability came at a critical time, since businesses are looking for ways to lock down private interactions and ensure any technology they use comes with the best protection possible. Even if the risk is slim, the fact that IP phones are now under threat of eavesdropping is hard for companies to hear.

More from

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

What should an AI ethics governance framework look like?

4 min read - While the race to achieve generative AI intensifies, the ethical debate surrounding the technology also continues to heat up. And the stakes keep getting higher.As per Gartner, “Organizations are responsible for ensuring that AI projects they develop, deploy or use do not have negative ethical consequences.” Meanwhile, 79% of executives say AI ethics is important to their enterprise-wide AI approach, but less than 25% have operationalized ethics governance principles.AI is also high on the list of United States government concerns.…

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today