The many benefits of IP communications stem from the fact that voice becomes just another application on the data network. It’s important to remember, however, that IP phone systems are subject to many of the same security threats as other network resources. That threat was driven home last week when NBC News reported that certain Cisco IP phones can be hacked.
The security flaw was discovered by Columbia University researchers working on a grant from the Defense Advanced Research Projects Agency (DARPA), an arm of the U.S. Department of Defense. Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo showed NBC News how a small device plugged into a port on a Cisco phone could rewrite the phone’s software within seconds, allowing them to remotely control the phone from any Internet connection. They could, for example, turn on the phone’s microphone without illuminating the associated LED light, enabling them to eavesdrop without being detected.
In a statement, Cisco acknowledged the vulnerability and indicated that the company is working on a fix. In a vulnerability announcement sent to customers in December, Cisco said 15 phone models were affected by the security flaw.
Cui pointed out that the IP phones are, in fact, computers that run a proprietary version of the Unix operating system. The phones routinely connect to the phone system’s server looking for updated instructions, leaving them open to attack by a hacker. Stolfo said that the hacker would need physical access to just one phone on the network to control the entire system, or could potentially gain remote access through malware or by attacking the network itself.
The implications of this security threat are certainly troubling. It is difficult to imagine the damage that might result if the phone of the CEO, CFO, in-house counsel or other key personnel were compromised.
At IPC, we take the security of our customers’ phone systems very seriously. When this story broke we contacted the developers at ShoreTel to determine if our customers might be vulnerable to this attack. They assured us that they have studied the techniques used by the researchers and determined that ShoreTel phones use different technologies that are not subject to this security threat.
That’s not to imply that ShoreTel is taking it easy. ShoreTel is committed to a rigorous process of evaluating the security of its entire product line, including its portfolio of IP phones.
Eavesdropping isn’t the only security risk associated with IP phone systems. Hackers could also gain access to sensitive business information by attacking voice mail, and toll fraud is a global business run by phone pirates. If you are concerned about any of these threats, we encourage you to contact us. We will work with you closely to ensure that your security requirements are met throughout the evaluation, implementation and ongoing support of your ShoreTel IP communications system.