CREEPS rejoice: Small biz Cisco phones open to eavesdrop 0-day

Creeps can listen in to conversations placed over vulnerable Cisco small business phones.

Remote eavesdropping requires a crafted XML request be sent to the Borg's SPA 300 and 500 IP phones.

Cisco warns version 7.5.5 of the software powering the phones is vulnerable, possibly along with more recent iterations.

"An unauthenticated, remote attacker could exploit this vulnerability to listen to a remote audio stream from an affected device or to gain access to make phone calls remotely," it says in an advisory.

"A successful exploit could be used to conduct further attacks.

"The vulnerability is due to improper authentication settings in the default configuration of the affected software."

Attackers could potentially find exposed phones using the popular Shodan search engine, placing emphasis on the need for a system administrators to lock down devices.

Cisco doesn't have a patch for the problem, but says admins should enable XML execution authentication and allow only trusted users to have network access. Other IP-based access control lists could help too, Cisco says.

Sydney security bod Chris Watts discovered the trio of flaws (CVE-2015-0670, CVE-2014-3312, CVE-2014-3313) but left it to AusCERT and Cisco to alert the public.

He says a patch is inbound.

IP phones are easy cannon fodder for hackers. Many of the attacks are possible due to the heavy feature set the devices contain that are more often than not turned on by default.

Hackers say switching the default status to off would go far to reducing the IP phone attack surface. Many high end models have been turned into remote listening devices allowing, among other attacks, a nice way for bad guys to eavesdrop on boardroom meetings.

Denial of service attacks against IP phones are also possible in hacks that place call centres at greatest risk. ®