Dawn is breaking over last day of the annual Chaos Communication
Congress in Hamburg, Germany. CCC is the meeting of the Chaos Computer
Club (also CCC), a group of German hackers hanging out together
since 1981. Congress (as it is also known) is one of the great
gatherings of tribes in the hacker world -- which, in the time it has
existed, has gone from being a tiny, sometimes gothy and mathematically
inclined subculture to being a big, elitist community whose work,
values, and aesthetics touch the lives of billions of people. CCC has
grown and flowered with the community.
Here's a video of Ang Cui and Michael Costello's Hacking Cisco Phones talk at the 29th Chaos Communications Congress in BerlinHamburg. Cui gave a show-stealing talk last year on hacking HP printers, showing that he could turn your printer into a inside-the-firewall spy that systematically breaks vulnerable machines on your network, just by getting you to print out a document.
Cui's HP talk showed how HP had relied upon the idea that no one would ever want to hack a printer as its primary security. With Cisco, he's looking at a device that was designed with security in mind. The means by which he broke the phone's security is much more clever, and makes a fascinating case-study into the cat-and-mouse of system security.
Even more interesting is the discussion of what happened when Cui disclosed to Cisco, and how Cisco flubbed the patch they released to keep his exploit from working, and the social issues around convincing people that phones matter.
We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year's presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa.
We present the hardware and software reverse-engineering process which led to the discovery of the vulnerabilities described below. We also present methods of exploiting the following vulnerabilities remotely.