PhotoVoice over Internet Protocol (VoIP) telephones are much more common now, providing an alternative to traditional phone service. But because the system uses the Internet for its voice communications, the technology may have more security vulnerabilities than a traditional telephone system.

Columbia University computer science professor Salvatore Stolfo and PhD candidate Ang Cui says they have found serious vulnerabilities in VoIP telephones made by Cisco. They note these devices are used around the world by a broad range of networked organizations from governments to banks to major corporations.

At a recent conference on the security of connected devices, Cui demonstrated how it is easy to insert malicious code into any of the 14 models of Cisco VoIP phones. Not only can the hacker start eavesdropping on private telephone conversations, the telephone mouthpiece also acts as a microphone when the phone is not in use, allowing the hacker to listen in on what's going on in the room.

Software flaw

According to Cui and Stolfo, the problem stems from the software running on the small computer inside the phone. The software, they say, has many security flaws.

They say they are particularly concerned with embedded systems that are widely used and networked on the Internet, including VoIP phones, routers and printers. And they say the problem is not limited to just one company.

“It’s not just Cisco phones that are at risk,” Stolfo said. “All VoIP phones are particularly problematic since they are everywhere and reveal our private communications. It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones -- they are not secure.”

The professor and his student have proposed a fix, developing a new defensive software called Symbiotes. It's designed to safeguard embedded systems from malicious code injection attacks into these systems, including routers and printers. It can be installed on new systems as well as old systems that are already in place.

Patch called 'ineffective'

Since Stolfo and Cui first made their findings public Cisco has issued a patch for its VoIP systems but Cui said it's ineffective.

“It doesn’t solve the fundamental problems we‘ve pointed out to Cisco,” Cui said. “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”

Consumer use of VoIP services has taken off since 2004. Consumers utilize existing broadband Internet access and can place and receive telephone calls just like they would on a traditional telephone system. Since that time, Vonage has become a major provider of consumer VoIP services.

In recent years corporations have also made the move to VoIP systems because they tend to be much cheaper to operate.

Share your Comments