{"id":247,"date":"2013-01-04T19:32:14","date_gmt":"2013-01-04T19:32:14","guid":{"rendered":""},"modified":"2017-04-19T20:06:35","modified_gmt":"2017-04-19T20:06:35","slug":"hacking-cisco-phones","status":"publish","type":"post","link":"https:\/\/erii.org\/dev\/hacking-cisco-phones\/","title":{"rendered":"Hacking Cisco Phones"},"content":{"rendered":"<section class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_text_separator title_level=&#8221;h1&#8243; title=&#8221;Hacking Cisco Phones&#8221; title_align=&#8221;separator_align_left&#8221; align=&#8221;align_left&#8221; color=&#8221;custom&#8221; border_width=&#8221;2&#8243; accent_color=&#8221;#c99d41&#8243;][vc_column_text]<\/p>\n<div class=\"field_blog_text\">\n<div>\n<p><object height=\"146\" width=\"260\"><param name=\"movie\" value=\"http:\/\/www.youtube.com\/v\/f3zUOZcewtA?version=3&amp;hl=en_US&amp;rel=0\" \/><param name=\"allowFullScreen\" value=\"true\" \/><param name=\"allowscriptaccess\" value=\"always\" \/><embed height=\"146\" src=\"http:\/\/www.youtube.com\/v\/f3zUOZcewtA?version=3&amp;hl=en_US&amp;rel=0\" type=\"application\/x-shockwave-flash\" width=\"260\" \/><\/object><\/p>\n<p>Just because you are paranoid doesn&#8217;t mean your phone isn&#8217;t listening to everything you say&#8230;<\/p>\n<p><span><\/span><br \/>\n<span>We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year&#8217;s presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa.<\/span><\/p>\n<p>[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/section>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column][vc_text_separator title_level=&#8221;h1&#8243; title=&#8221;Hacking Cisco Phones&#8221; title_align=&#8221;separator_align_left&#8221; align=&#8221;align_left&#8221; color=&#8221;custom&#8221; border_width=&#8221;2&#8243; accent_color=&#8221;#c99d41&#8243;][vc_column_text] Just because you are paranoid doesn&#8217;t mean your phone isn&#8217;t listening to everything you say&#8230; We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year&#8217;s presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0},"categories":[9],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v20.8 (Yoast SEO v20.8) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Hacking Cisco Phones - ERII<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/erii.org\/dev\/hacking-cisco-phones\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hacking Cisco Phones\" \/>\n<meta property=\"og:description\" content=\"[vc_row][vc_column][vc_text_separator title_level=&#8221;h1&#8243; title=&#8221;Hacking Cisco Phones&#8221; title_align=&#8221;separator_align_left&#8221; align=&#8221;align_left&#8221; color=&#8221;custom&#8221; border_width=&#8221;2&#8243; accent_color=&#8221;#c99d41&#8243;][vc_column_text] Just because you are paranoid doesn&#8217;t mean your phone isn&#8217;t listening to everything you say&#8230; We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year&#8217;s presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/erii.org\/dev\/hacking-cisco-phones\/\" \/>\n<meta property=\"og:site_name\" content=\"ERII\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/EspionageResearchInstitute\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-01-04T19:32:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-04-19T20:06:35+00:00\" \/>\n<meta name=\"author\" content=\"jdleasure\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ERIINTL\" \/>\n<meta name=\"twitter:site\" content=\"@ERIINTL\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"jdleasure\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/erii.org\/dev\/hacking-cisco-phones\/\",\"url\":\"https:\/\/erii.org\/dev\/hacking-cisco-phones\/\",\"name\":\"Hacking Cisco Phones - ERII\",\"isPartOf\":{\"@id\":\"https:\/\/erii.org\/dev\/#website\"},\"datePublished\":\"2013-01-04T19:32:14+00:00\",\"dateModified\":\"2017-04-19T20:06:35+00:00\",\"author\":{\"@id\":\"https:\/\/erii.org\/dev\/#\/schema\/person\/f7cca9f4ba574a52c8a485850e918c0d\"},\"breadcrumb\":{\"@id\":\"https:\/\/erii.org\/dev\/hacking-cisco-phones\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/erii.org\/dev\/hacking-cisco-phones\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/erii.org\/dev\/hacking-cisco-phones\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/erii.org\/dev\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hacking Cisco Phones\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/erii.org\/dev\/#website\",\"url\":\"https:\/\/erii.org\/dev\/\",\"name\":\"ERII\",\"description\":\"Espionage Research Institute International\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/erii.org\/dev\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/erii.org\/dev\/#\/schema\/person\/f7cca9f4ba574a52c8a485850e918c0d\",\"name\":\"jdleasure\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/erii.org\/dev\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3908f46ef32fbfbaca9850ad774bbd00?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3908f46ef32fbfbaca9850ad774bbd00?s=96&d=mm&r=g\",\"caption\":\"jdleasure\"},\"url\":\"https:\/\/erii.org\/dev\/author\/jdleasure\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Hacking Cisco Phones - ERII","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/erii.org\/dev\/hacking-cisco-phones\/","og_locale":"en_US","og_type":"article","og_title":"Hacking Cisco Phones","og_description":"[vc_row][vc_column][vc_text_separator title_level=&#8221;h1&#8243; title=&#8221;Hacking Cisco Phones&#8221; title_align=&#8221;separator_align_left&#8221; align=&#8221;align_left&#8221; color=&#8221;custom&#8221; border_width=&#8221;2&#8243; accent_color=&#8221;#c99d41&#8243;][vc_column_text] Just because you are paranoid doesn&#8217;t mean your phone isn&#8217;t listening to everything you say&#8230; We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year&#8217;s presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers...","og_url":"https:\/\/erii.org\/dev\/hacking-cisco-phones\/","og_site_name":"ERII","article_publisher":"https:\/\/www.facebook.com\/EspionageResearchInstitute\/","article_published_time":"2013-01-04T19:32:14+00:00","article_modified_time":"2017-04-19T20:06:35+00:00","author":"jdleasure","twitter_card":"summary_large_image","twitter_creator":"@ERIINTL","twitter_site":"@ERIINTL","twitter_misc":{"Written by":"jdleasure","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/erii.org\/dev\/hacking-cisco-phones\/","url":"https:\/\/erii.org\/dev\/hacking-cisco-phones\/","name":"Hacking Cisco Phones - ERII","isPartOf":{"@id":"https:\/\/erii.org\/dev\/#website"},"datePublished":"2013-01-04T19:32:14+00:00","dateModified":"2017-04-19T20:06:35+00:00","author":{"@id":"https:\/\/erii.org\/dev\/#\/schema\/person\/f7cca9f4ba574a52c8a485850e918c0d"},"breadcrumb":{"@id":"https:\/\/erii.org\/dev\/hacking-cisco-phones\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/erii.org\/dev\/hacking-cisco-phones\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/erii.org\/dev\/hacking-cisco-phones\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/erii.org\/dev\/"},{"@type":"ListItem","position":2,"name":"Hacking Cisco Phones"}]},{"@type":"WebSite","@id":"https:\/\/erii.org\/dev\/#website","url":"https:\/\/erii.org\/dev\/","name":"ERII","description":"Espionage Research Institute International","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/erii.org\/dev\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/erii.org\/dev\/#\/schema\/person\/f7cca9f4ba574a52c8a485850e918c0d","name":"jdleasure","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/erii.org\/dev\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/3908f46ef32fbfbaca9850ad774bbd00?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3908f46ef32fbfbaca9850ad774bbd00?s=96&d=mm&r=g","caption":"jdleasure"},"url":"https:\/\/erii.org\/dev\/author\/jdleasure\/"}]}},"_links":{"self":[{"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/posts\/247"}],"collection":[{"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/comments?post=247"}],"version-history":[{"count":4,"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/posts\/247\/revisions"}],"predecessor-version":[{"id":2751,"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/posts\/247\/revisions\/2751"}],"wp:attachment":[{"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/media?parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/categories?post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/erii.org\/dev\/wp-json\/wp\/v2\/tags?post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}