Cisco's internet phones — which sit on thousands of desks around the world — have been shown to be easily hacked and turned into remote spying devices. The official announcement comes two whole weeks after Cisco first found out about the problem.
The exploit was discovered by Ang Cui and Salvatore Solfo, a pair of computer scientists from Columbia University's engineering department. They presented the finding at the 29th Chaos Communication Congress in late December. By attaching a small device to the local serial port on the phone, they were able to inject code that gave them complete control over the device — allowing them to remotely monitor phone calls and turn on the phone's microphone to eavesdrop on conversations happening near the phone. In a statement, Cisco explained:
"Cisco recognises that while a number of network, device, and configuration based mitigations exist, there is no way to mitigate the physical attack vector on the affected devices. To this end, Cisco will conduct a phased remediation approach and will be releasing an intermediate Engineering Special software release for affected devices to mitigate known attack vectors for the vulnerability documented in this advisory."
The networking company will roll out a software patch later this month to remedy the problem, which currently affects a number of models in the CiscoUnified IP Phone 7900 series. Until then, be careful what you say while sat at your desk. [Cisco, Ars Technica]