Your Cisco phone is listening to you: 29C3 talk on breaking Cisco phones

Here's a video of Ang Cui and Michael Costello's Hacking Cisco Phones talk at the 29th Chaos Communication Congress in Hamburg. Cui gave a show-stealing talk last year on hacking HP printers, showing that he could turn your printer into an inside-the-firewall spy that systematically breaks vulnerable machines on your network, just by getting you to print out a document.

Cui's HP talk showed that HP's primary security measure had been the assumption that no one would ever want to hack a printer. With Cisco, he's looking at a device that was designed with security in mind, so the means by which he broke the phone's security is much more clever, and it makes a fascinating case study in the cat-and-mouse of system security.

Even more interesting is the discussion of what happened when Cui disclosed to Cisco, of how Cisco flubbed the patch it released to keep his exploit from working, and of the social issues around convincing people that phones matter.

We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year's presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa.

We present the hardware and software reverse-engineering process which led to the discovery of the vulnerabilities described below. We also present methods of exploiting the following vulnerabilities remotely.

Hacking Cisco Phones [29C3] (Thanks, Ang!)


  1. The official mirrors/torrents for videos of all the talks for the 29C3 sessions as they get processed and uploaded are here:
    They were running a live-stream during the conference, but it was at inconvenient times for the U.S. and some of the things I wanted to watch overlapped, so I just waited for the good copies to go up and am watching now. The Chaos Communication Congress talks tend to be some of the best tech presentations that make it to the ‘net. I’ve never managed to come up with an excuse to end up in Germany for it, but I have ended up watching most of the sessions online after the fact each year.

    1. Just remember, this is the expensive, classy, ‘enterprise’, secure product… Odds are good that the goods don’t exactly improve elsewhere in the market.

      1. “Nobody ever got fired for buying Cisco”. Do Cisco phones get bought because they beat the competition in a real evaluation, or because the CxO said “I met with the Cisco sales rep and he had a really swank suit; give them all our money”?

        1. If the competition was Polycom then it’s not hard to beat in any evaluation. Sad reality is that standards are low in this market, and this is driven by customers being primarily interested in price – what corporate purchasers want is a cheap, bad phone that covers all the things on their “essential features” list. I know a lot of engineers who would love to build better endpoints. Nobody would buy them.

          (My opinions here are my own and not those of my employer, Cisco Systems. I don’t work in a part of the company that does phones.)

  2. One thing that I was a little unclear on: why wasn’t the console which gave them access password-protected?

    1. It was. However, the default user account (which isn’t privileged, but which is enough to launch their privilege escalation exploit) is identical across all phones, so obtaining a password that would work reliably during an automated attack wasn’t terribly difficult.

      (And, in an ironic touch, the file checksumming security system prevents tampering with /etc/passwd, so even an alert operator cannot disable the account or change its password, the phone will just detect the tampering and revert the file…)
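The interaction described in the comment above (a baseline-checksum integrity monitor that reverts a protected file, combined with a default account that is identical on every device) is worth seeing end to end. The following is an added simulation, not Cisco's code and not anything from the talk: the file layout, the account name `default`, the salted SHA-256 password hashing, the `IntegrityMonitor` class and the path constant are all constructed for the demo. It shows that the monitor does its job (tampering is detected and undone) and that this is exactly why an operator's password change does not stick, so the fleet-wide default credential keeps working.

```python
import hashlib
import hmac

# Constructed simulation of the behaviour described in the comment above:
# a firmware integrity monitor keeps a baseline checksum of protected files
# and restores the baseline copy whenever a file no longer matches. Nothing
# here is Cisco code; file contents, account names and hashes are made up.

PROTECTED_FILE = "/etc/passwd"     # hypothetical path on the device
DEFAULT_USER = "default"           # hypothetical account, shared across the fleet
DEFAULT_PASSWORD = "default"       # hypothetical factory password


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256, standing in for whatever the real image uses."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_passwd(entries):
    """entries: list of (user, salt, password) -> text of a passwd-style file."""
    return "".join(f"{u}:{s}:{hash_password(p, s)}\n" for u, s, p in entries)


# Factory image: the same file, hence the same credential, on every phone.
FACTORY_PASSWD = build_passwd([("root", "r1", "not-needed-for-this-demo"),
                               (DEFAULT_USER, "d1", DEFAULT_PASSWORD)])


class IntegrityMonitor:
    """Baseline-checksum tamper detection with automatic revert."""

    def __init__(self, baseline: str):
        self.baseline = baseline
        self.baseline_digest = hashlib.sha256(baseline.encode()).hexdigest()
        self.reverts = 0

    def enforce(self, fs: dict) -> bool:
        """Return True if the file was tampered with (and restore the baseline)."""
        current = hashlib.sha256(fs[PROTECTED_FILE].encode()).hexdigest()
        if hmac.compare_digest(current, self.baseline_digest):
            return False
        fs[PROTECTED_FILE] = self.baseline   # revert to the shipped copy
        self.reverts += 1
        return True


def authenticate(fs: dict, user: str, password: str) -> bool:
    """Check a credential against the device's current passwd file."""
    for line in fs[PROTECTED_FILE].splitlines():
        u, salt, digest = line.split(":")
        if u == user:
            return hmac.compare_digest(digest, hash_password(password, salt))
    return False


def admin_changes_default_password(fs: dict, new_password: str) -> None:
    """What an alert operator would do: rewrite the default account's entry."""
    lines = []
    for line in fs[PROTECTED_FILE].splitlines():
        u, salt, _ = line.split(":")
        if u == DEFAULT_USER:
            line = f"{u}:{salt}:{hash_password(new_password, salt)}"
        lines.append(line)
    fs[PROTECTED_FILE] = "\n".join(lines) + "\n"


def fleet_demo(phone_count: int = 3) -> int:
    """Run the scenario on a fleet; return how many phones still accept the default."""
    still_default = 0
    for _ in range(phone_count):
        fs = {PROTECTED_FILE: FACTORY_PASSWD}
        monitor = IntegrityMonitor(FACTORY_PASSWD)
        admin_changes_default_password(fs, "S0meth1ng-unique")
        monitor.enforce(fs)   # detects the change and restores the baseline
        if authenticate(fs, DEFAULT_USER, DEFAULT_PASSWORD):
            still_default += 1
    return still_default
```

Calling `fleet_demo(5)` returns 5: every phone detects the operator's edit as tampering and restores the factory file, so the shared default credential is valid again on all of them. The design point is that integrity protection only helps when the baseline it enforces is itself acceptable; a monitor that reverts to a known-weak baseline turns a misconfiguration into one that cannot be fixed in the field.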

  3. Wry smiles all round when the slides that detailed the Cisco TAC responsiveness to their own bugs came up. Fancy that!

    Schadenfreude all round, and I trust one or two people there will be butthurt after Xmas.
