A common brand of office desktop telephone may have severe security issues that could let hackers listen to conversations, make secret calls and hijack the telephone, two researchers revealed today (June 5).
Furthermore, because many office PCs route network cables through desktop telephones, the phone vulnerabilities could let hackers steal data from workplace computers or even stage man-in-the-middle attacks.
If you work in a modern office, that telephone on your desk probably isn't a regular phone, but an Internet Protocol phone that uses modern computer-networking technology instead of an older switchboard system to route calls. Your company's IT department, in order to keep things neat and clean, may have even connected your PC's Ethernet cable to the phone, and the phone to the network jack in the wall.
That's a recipe for disaster, according to researchers Brandon "Dr. Raid" Edwards and Ben "Bnull" Nell, who outlined the vulnerabilities in a well-known brand of desktop IP phone in a presentation entitled "Scorched Earth: Attacking Office Telecommunications for Petty Vengeance" at the Summercon 2014 security conference in New York.
The pair discovered the flaws after Edwards decided to hack a desktop phone to stage a workplace prank on one of his co-workers. He recounted that he and Nell bought an identical model on eBay, plugged a laptop into it, reverse-engineered the embedded operating system and found a nearly endless supply of elementary security flaws.
Nearly every command, they explained between onstage sips of beer, was vulnerable to a buffer overflow, in which too much data overwhelms the system and causes an error that can be exploited. The default administrative password was "1234," and, even worse, could be reset without entering a password at all.
There were so many self-evident flaws that the software essentially laid out a "breadcrumb trail of variables to the bugs," Nell said.
Once they'd figured out how to send commands from a PC to the phone, Edwards and Nell said they could remotely initiate and terminate telephone calls, modify the time setting, play strange sounds, load random images onto the phone's LCD display, connect the phone to a Web server and even initiate file transfers.
The only thing they had trouble with was remotely changing the ringtone — because another software flaw made it impossible.
"It's security by obscurity — hiding a memory corruption behind another memory corruption," Nell said.
Edwards and Nell wouldn't name the brand of office desktop phone they worked on, but did say that it was a major brand — and that it used 11-year-old software previously known to be buggy.
As for the prank on Edwards' co-worker that initiated the entire process of discovery, it's still on hold.