
Call Interception Demonstrated On New Cisco Phones

Soulskill posted more than 3 years ago | from the can-you-hear-me-now dept.


mask.of.sanity writes "Researchers have demonstrated a series of exploits that turn Cisco IP phones into listening bugs, and could allow a denial of service attack capable of silencing a call center. It allows internal staff and competitors with a little publicly-available information to hijack the phones, wiretap calls and eavesdrop on confidential meetings. The attacks work through a sequence of exploits against the latest Cisco phones enabled to run off the shelf. Most people are vulnerable, the researchers say, because they do not harden their systems in line with recommended security requirements."


90 comments

Enterprise Systems (1)

Anonymous Coward | more than 3 years ago | (#36117460)

Do we need any more evidence that 'enterprise level' is nothing more than a euphemism for 'poorly understood clusterfuck' ?

Re:Enterprise Systems (5, Funny)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36117566)

Your ill-understood slander of Enterprise Solutions will not be tolerated.

Any two-bit neckbeard with a sourceforge account can create a "poorly understood clusterfuck."

However, only by leveraging the organizational synergies of a corporation committed to customer-centric excellence across multiple value centers is it possible to create a "poorly understood clusterfuck" backed by overpriced consultants, soporific slide decks, documentation that addresses the hypothetical case of a 50,000 seat installation across hundreds of multinational satellite sites; but fails to have any useful information on why some critical service leaks memory and needs to be restarted every 18 hours, a custom set of Vizio(tm) objects that allows middle managers and Certified Solution Architects to emulate understanding of the system with impressive graphical flourishes, and a mandatory "maintenance contract" that makes you eligible to pay a per-incident fee to have some poor dude in Hyderabad read a script at you.

Freetards, they just don't understand the value of good commercial Solutions.

Re:Enterprise Systems (1)

Zerth (26112) | more than 3 years ago | (#36117776)

It'd be awesome if companies would just put the script they give the guys in Hyderabad on the web so I can read through it myself.

That would help me avoid calling, as well as plan my responses when I do call to minimize the time to reach somebody who has actually used the product.

Re:Enterprise Systems (0)

Anonymous Coward | more than 3 years ago | (#36124910)

..., as well as plan my responses when I do call to minimize the time to reach somebody who has actually used the product.

As one of the 'poor dudes in Hyderabad'....I agree.
They are basically using people as TTS engines, rather than as knowledgeable professionals. This is, in part, due to the view that standardization is necessary in support interactions. Solution? Give everyone the same script!
The other reason is that most companies can't be bothered with giving employees hands-on experience with the products they support (with the notable exception of Dell). Why? Because with the script that was created for standardization, actual knowledge is purely optional!

And that is why the "Indian Call Center" experience is as bad as it is.

Re:Enterprise Systems (3, Funny)

Sarten-X (1102295) | more than 3 years ago | (#36117808)

Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.

...

Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.

...

Shenk you far callink Eenterprice Grummar Solootions. Moy nam is "Jason". How cane I be helpink you today?

I see you are havink a service agreement with us. Zees ees very good. I will be transferrink you now to "second-tier support". Thank you for callink us today. Goodbye.

...

Thank you for calling Enterprise Grammar Solutions. Your business is important to us. We understand that you have a choice of grammar Nazis, and we thank you for choosing to read our post. All of our operators are busy at the moment, so please remain on the line until a qualified operator is available to assist you.

...

Entaprise Gramma Solutions. This is Bob. What can I do for ya?

All-righty. Ye've got yerself a nice little post there. Now, that there semicolon in your third paragraph should be a comma. That's it. Now, according to this here agreement, you'll be billed $99.95 for this call. Thanks for callin'.

Re:Enterprise Systems (1)

chefmonkey (140671) | more than 3 years ago | (#36118710)

That's not tier 2 support! That's straight off the "reboot your paragraph" script they give to the first-line flunkies. From http://www.hamilton.edu/writing/writing-resources/common-writing-mistakes [hamilton.edu] --

As a strong comma, [the semicolon] can be used to provide strong separation of two independent clauses with a coordinating conjunction (normally, a comma provides this separation) or to separate a series of phrases or clauses with internal commas.

(emphasis mine).

The clause preceding the semicolon has a number of internal commas. The use of a semicolon serves to make it clear that the following words are not part of the list of things by which the clusterfuck is backed.

"Proper" English grammar is a lot more nuanced (and regionally varied) than most people are willing to believe, and it's certainly more complex than the dozen or so rules you learned in elementary school.

Re:Enterprise Systems (1)

Sarten-X (1102295) | more than 3 years ago | (#36120328)

...so you're saying that Enterprise Grammar Solutions is as functional as any other "enterprise" solution?

Re:Enterprise Systems (1)

Dersaidin (954402) | more than 3 years ago | (#36118062)

Oh, that explains how Skype was worth $8.5 billion.

Re:Enterprise Systems (1)

bell.colin (1720616) | more than 3 years ago | (#36118508)

"Enterprise Solutions"
"leveraging the organizational synergies"
"customer-centric excellence"
"value centers"
"consultants"
"Vizio(tm)"
"Certified Solution Architects"

My marketing/buzzword BS meter just caught fire after reading this.

Re:Enterprise Systems (0)

Anonymous Coward | more than 3 years ago | (#36119804)

I work for a company with "Enterprise Solutions" in the name. The rest of it is purposefully misspelled. ...

I hate this company.

Re:Enterprise Systems (1)

Bryansix (761547) | more than 3 years ago | (#36121814)

Let's stop being disingenuous here. This article is about Cisco. If you purchase and maintain a Cisco SmartNet contract on a piece of equipment then you can call (toll-free) into TAC (Technical Assistance Center) and speak directly with an engineer who probably knows more about IOS than you could dare to learn in a lifetime. This engineer will then usually be able to immediately connect to your device and fix the problem. No other company has had better support, and I do this for a living.

Re:Enterprise Systems (1)

swalve (1980968) | more than 3 years ago | (#36124108)

I agree. I am very impressed with the detail and rigor that goes into the Cisco training. I haven't seen anything close to it since the old Compaq x000 series of Proliants was introduced, or the older HP Laserjets, where the manuals were delightfully Apple II-like. Imagine, teaching people EVERYTHING about a system.

Re:Enterprise Systems (0)

Anonymous Coward | more than 3 years ago | (#36124438)

Three little changes:

c/50,000/60,000/
c/hundreds/thousands/
c/Hyderabad/Chennai/

and I'd swear you work for my company^H^H^H^H^H^H^Henterprise!

Re:Enterprise Systems (0)

Anonymous Coward | more than 3 years ago | (#36124454)

Bitter ShoreTel employee is bitter.

Once upon a time... (1)

Anonymous Coward | more than 3 years ago | (#36117650)

My naive, inexperienced self presumed 'Enterprise' to mean rock-solid, if not crufty, software like Solaris, AIX, etc. Not shiny by any stretch of the imagination, but solid.

Now I know the truth: by and large, 'Enterprise' software is entirely convoluted, fragile pieces of crap that mandate large amounts of work to maintain. They do not win because of quality; they win based on schmoozing salespeople and executives and/or architects intentionally sabotaging things for the sake of job security.

Re:Once upon a time... (1)

swalve (1980968) | more than 3 years ago | (#36124120)

"Enterprise" means systems that are scalable, expensive, and have better warranties.

Re:Enterprise Systems (3, Funny)

pushing-robot (1037830) | more than 3 years ago | (#36117674)

I dunno; when you go to Cisco.com and click on Enterprise, you're presented with the line:

"Break down barriers to reach people and information wherever and whenever you need them."

Sounds like they understand it perfectly.

Re:Enterprise Systems (0)

Anonymous Coward | more than 3 years ago | (#36117880)

Enterprise level ONLY means you have a toll-free number to call and a support account number to use when the shit hits the fan, and mid-levels can cover their asses by simply stating: "I have a ticket in with $COMPANY. They better have a good explanation when they call back." Rarely if ever are the non-technical managers and bosses in on the eventual phone conference with $COMPANY when they tell you that you are 3 versions behind, your firewall is jacked and you had some things set up wrong. Of course you can then blame those things on the $CONSULTANT that helped you with the initial setup 2 years ago. I'm sure there is an email that you forgot about where $CONSULTANT specifically stated you were responsible for updates and he/she set it up the way YOU wanted it against best practices because you needed a certain function to work a certain way to justify the cost of the project.

Re:Enterprise Systems (1)

datapharmer (1099455) | more than 3 years ago | (#36118128)

Wow, that is eerily accurate. In an IT office for a network I took over management of there are rows of filing cabinets. Among the thousands and thousands of pages of electronic manuals and config files pointlessly printed on a laser printer is some email correspondence that sounds almost identical to what you wrote. Not sure why the previous guy printed all that out; he clearly didn't read or understand any of it given how the network was set up. That's ok though, he hired a consultant at some absurd rate to explain the basics of how to keep it from melting down by holding his mouth just right. Boy was that a fun mess to clean up.

Re:Enterprise Systems (1)

Bryansix (761547) | more than 3 years ago | (#36121764)

This is so true. This is a big reason why instead of using a one-time consultant, you should use a managed services provider who actually monitors, updates and maintains your network.

As Elton John says (0)

Anonymous Coward | more than 3 years ago | (#36117508)

hold me closer frosty poster

Re:As Elton John says (1)

clang_jangle (975789) | more than 3 years ago | (#36117858)

Hehe...

Hold me closer frosty poster
count the exploits zero day
sniff my TCP/IP
you had a busy day today

Most people? (0)

Anonymous Coward | more than 3 years ago | (#36117516)

Most people using Cisco phones are vulnerable

FTFY!

Re:Most people? (1)

KingRatMass (1448233) | more than 3 years ago | (#36117716)

And it's all the fault of Apple, Microsoft AND George Bush!

FTFY!

Security is #1 (3, Insightful)

BoRegardless (721219) | more than 3 years ago | (#36117530)

There have been so many security holes in all sorts of hardware and for so long, that I have to think that there is a basic failure of top management to understand and grasp the issues involved in the trust people place in their products.

Having top managers make decisions on whether a program gets top flight security implemented from day 1 of a program's inception would be a big mistake.

Security today ought to be #1. Ask Sony for instance, or any one of the other dozen recent companies who have failed basic updates to their servers even after the lack of updates was published publicly online.

Sheesh. What does it take to get top management "on board".

Re:Security is #1 (1)

VortexCortex (1117377) | more than 3 years ago | (#36117622)

The cost of doing business is rarely the price of doing business.

Re:Security is #1 (2)

BoRegardless (721219) | more than 3 years ago | (#36117756)

"The cost of doing business is rarely the price of doing business."

Very good point. Warren Buffett noted "Price is what you pay; Value is what you get"

For managers who slack on security, "Security Cost is what you pinch on; crisis is what you get"

Re:Security is #1 (1)

speculatrix (678524) | more than 3 years ago | (#36118038)

For yoda: is security cost what you pinch on is; is crisis what you get!

Re:Security is #1 (1)

mcmonkey (96054) | more than 3 years ago | (#36118926)

In Soviet Russia: security cost pinches you!

Re:Security is #1 (1)

swalve (1980968) | more than 3 years ago | (#36124134)

This is what you get when you put "operating systems" on things like toasters, telephones and gas pedals, rather than purpose built firmware. We will figure it out eventually, I hope.

WHEW! (2)

Lumpy (12016) | more than 3 years ago | (#36117532)

Glad I only run cisco phones that are outdated and run a SIP firmware.

Cisco makes great hardware, but their phone system software (and pricing) utterly sucks. I am doing things with asterisk here at the office that makes the cisco rep's jaw drop.

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36117722)

Awesome.

Now do it at a 20K phone deployment.

Re:WHEW! (1)

Lumpy (12016) | more than 3 years ago | (#36117760)

Not a problem. You have never done an asterisk deployment before, have you?

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36117892)

My thoughts exactly. whether it be 1000 phones or one, it's still the same procedure.

and am I the only one here that's bothered by the fact that these companies deploying mass quantities of phones are doing so AGAINST best practices and getting burned? honestly, if you're going to deploy a large number of anything, you better damn well know how to turn off EVERY feature except what you need.

On top of it, one could simply firewall at the switch port to only allow sip+dhcp+icmp from the phones. (unless for some crazy reason they fail at vlan'ing and honestly have a single broadcast domain containing hundreds of devices)

but then again, I have worked with countless 1000+ person companies that had deployed a core of 22 Ovislink 48 port layer two's. so I'm never surprised these days.

Re:WHEW! (1)

speculatrix (678524) | more than 3 years ago | (#36118060)

you could probably do some dns and arp poisoning so that when phones boot they will use your tftp server to acquire their configurations and not the company one, so even if the phones' configs are apparently secure, you have to protect your lan.

Re:WHEW! (1)

Lumpy (12016) | more than 3 years ago | (#36139046)

If you can do that then I have far bigger problems than someone listening to Dave in Accounting go on and on about how his boat is so expensive to maintain, and mary in marketing talk about her poodle....

Once you own my phone system network, I have far bigger problems.

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36118322)

My thoughts exactly. whether it be 1000 phones or one, it's still the same procedure.

and am I the only one here that's bothered by the fact that these companies deploying mass quantities of phones are doing so AGAINST best practices and getting burned? honestly, if you're going to deploy a large number of anything, you better damn well know how to turn off EVERY feature except what you need.

On top of it, one could simply firewall at the switch port to only allow sip+dhcp+icmp from the phones. (unless for some crazy reason they fail at vlan'ing and honestly have a single broadcast domain containing hundreds of devices)

but then again, I have worked with countless 1000+ person companies that had deployed a core of 22 Ovislink 48 port layer two's. so I'm never surprised these days.

You know how I know you're not a network person?

Re:WHEW! (1)

Amouth (879122) | more than 3 years ago | (#36119990)

I'm not arguing with your assessment, but in theory you can do it if you have a layer-3 capable switch.

Re:WHEW! (1)

jon3k (691256) | more than 3 years ago | (#36135832)

Then it's not a "switch port", at least in Cisco parlance. It's a "routed port" or "layer 3 interface". The command is literally "no switchport".

Re:WHEW! (1)

Amouth (879122) | more than 3 years ago | (#36139352)

That depends on the Cisco device. If you're trying to do routing on a switch block on an NM module in a router, yes, but you can use PACLs on switch ports without having to treat them as routed ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1039754 [cisco.com]

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36120280)

And just how's that?

Don't tell me you leave ports open blind to any traffic that wants to traverse them?

step one in any secure system: disable everything.
step two: only enable what you know is safe.

honestly, add all your phone ports in question to a vlan, and mark the vlan
int vlanx
  ip access-group xxx in
With:
access-list xxx permit tcp host [host ip] host [sip server] eq [portnum]
access-list xxx deny ip any any

In the case of several customers I've set this up to dynamically remove DHCP from the ports after boot via SNMP. The whole process is fully automatic and requires manual intervention only when new phones are added or moved.
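The lockdown sketched in the comment above (phones on their own VLAN, an inbound access-group on the SVI, permit only what a handset needs, explicit deny for the rest) is easy to get wrong across many sites, so an audit of the running-config is a useful defender's check. The Python below is an added example, not code from the comment or from Cisco; the running-config it reads is constructed sample input, and the port allowlist, the "voice VLAN" heuristic for spotting phone VLANs, and the finding strings are all assumptions.

```python
import re

# Constructed sample running-config (assumed layout; not from the page or a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport voice vlan 100
!
interface FastEthernet0/2
 switchport voice vlan 200
!
interface Vlan100
 ip access-group PHONES-100 in
!
interface Vlan200
 ip access-group PHONES-200 in
!
ip access-list extended PHONES-100
 permit udp 10.0.100.0 0.0.0.255 host 10.0.1.10 eq 5060
 permit udp 10.0.100.0 0.0.0.255 host 10.0.1.10 eq tftp
 permit udp any eq bootpc any eq bootps
 permit icmp 10.0.100.0 0.0.0.255 any
 permit tcp 10.0.100.0 0.0.0.255 any eq 80
 deny ip any any
!
ip access-list extended PHONES-200
 permit udp any any
"""

# Assumed allowlist of handset destination ports: SIP, TFTP, DHCP, NTP (IOS keywords or numbers).
ALLOWED_PORTS = {
    "udp": {"5060", "5061", "tftp", "69", "bootps", "67", "ntp", "123"},
    "tcp": {"5060", "5061"},
}

def parse_blocks(config):
    """Group the config into (header line, [indented body lines]) pairs."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            current = (line.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return blocks

def _ports(tokens, i):
    """Consume an optional 'eq P' or 'range A B' operator; return (ports, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return [tokens[i + 1]], i + 2
    if i < len(tokens) and tokens[i] == "range":
        return [tokens[i + 1], tokens[i + 2]], i + 3
    return [], i

def parse_ace(entry):
    """Return (action, protocol, destination ports) for one extended ACL entry."""
    t = entry.split()
    i = 3 if t[2] == "any" else 4  # source: 'any', 'host A' or 'A WILDCARD'
    _, i = _ports(t, i)  # source-port operator: not what the lockdown keys on
    i = i + 1 if t[i] == "any" else i + 2  # destination address, same forms
    dports, _ = _ports(t, i)
    return t[0], t[1], dports

def audit_acl(name, entries):
    """Return findings for one access-list body as human-readable strings."""
    findings = []
    aces = [parse_ace(e) for e in entries if e.split()[0] in ("permit", "deny")]
    for action, proto, dports in aces:
        if action != "permit":
            continue
        if proto == "ip":
            findings.append(f"{name}: 'permit ip' is too broad for a phone VLAN")
        elif proto in ALLOWED_PORTS:
            bad = [p for p in dports if p not in ALLOWED_PORTS[proto]]
            if not dports:
                findings.append(f"{name}: permit {proto} without a destination port")
            elif bad:
                findings.append(f"{name}: permit {proto} to port {bad[0]} is outside the allowlist")
        elif proto != "icmp":
            findings.append(f"{name}: unexpected protocol {proto}")
    if not aces or aces[-1][:2] != ("deny", "ip"):
        findings.append(f"{name}: does not end with an explicit 'deny ip any any'")
    return findings

def audit(config):
    """Check that every voice VLAN's SVI filters inbound traffic; return all findings."""
    blocks = parse_blocks(config)
    acls = {h.split()[-1]: b for h, b in blocks if h.startswith("ip access-list extended ")}
    svis = {h.split()[1]: b for h, b in blocks if h.startswith("interface Vlan")}
    findings = []
    for vlan in sorted(set(re.findall(r"switchport voice vlan (\d+)", config)), key=int):
        body = svis.get(f"Vlan{vlan}")
        if body is None:
            findings.append(f"voice VLAN {vlan}: no SVI found, routed-path filtering not verified")
            continue
        applied = re.findall(r"^ip access-group (\S+) in$", "\n".join(body), re.M)
        if not applied:
            findings.append(f"voice VLAN {vlan}: interface Vlan{vlan} has no inbound access-group")
        else:
            findings.extend(audit_acl(applied[0], acls.get(applied[0], [])))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the three findings the constructed config is built to trigger (a web port permitted on VLAN 100, and VLAN 200's ACL both unrestricted and lacking the closing deny).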

Re:WHEW! (1)

Iam9376 (1096787) | more than 3 years ago | (#36129524)

I'm going to partially agree with the OP here.

Phones speak more than just SIP, ICMP and DHCP, at least intelligent phones do.

FYI- In many cases, particularly where external companies are implementing the system, the voice engineers don't have access to the network; we can only recommend solutions, it's not up to us to implement them.

When was the last time you deployed a 50,000 user telephony system? It's not always as simple as "following best practices", particularly when you begin integrating 3rd party solutions, ranging from voice mail to IVR to any of the other numerous technologies you can add on.

Anything sufficiently complex enough will have problems somewhere along the line, that's the nature of things created by beings of our limited mental capacity.

Re:WHEW! (1)

swalve (1980968) | more than 3 years ago | (#36124146)

But he said broadcast domain!!

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36135828)

Firewall the switchport? Please stop talking. You're making my brain hurt.

Re:WHEW! (2)

citylivin (1250770) | more than 3 years ago | (#36119894)

Apparently, there is no central configuration for the phones (hardware) and all the phones need to be locally configured. That is just what I have heard about asterisk vs. CCM. Because asterisk is all orientated towards POTS line cards and not IP phones. It was designed as an analog system, with some digital tacked onto it as an afterthought. Meanwhile the new Cisco Call Manager has polished their SIP support (I have heard; we don't have it yet) so that most things that you need SCCP for have now been reimplemented in SIP on CCM.

For instance, how would you centrally assign multiple lines to a phone? Hand-edit every XML file on the TFTP server? You're gonna do that for 2000 phones?

Of course I'm not an asterisk expert, but I am a collector of anecdotes. Cisco Call Manager has been pretty rock solid for us. I can't even remember any major issue in the last 5 years.

Re:WHEW! (1)

Dare nMc (468959) | more than 3 years ago | (#36123130)

Post says they were using Cisco phones; Cisco phones use a TFTP server to get the configs, based off of MAC address. I set up 25 phones, all multi-line, using the "trixbox" install of asterisk, which had the TFTP server, web interface, and everything all tied together as a single install. With Trixbox, just use the web interface; it does all of this for you. The only difficult part was updating the Cisco phones to the SIP image; so many of the Cisco firmwares were screwed up and wouldn't allow installing from certain versions to others, so I would have to do several firmware updates... but only to get a new phone to the SIP firmware.

Re:WHEW! (1)

Lumpy (12016) | more than 3 years ago | (#36139058)

"Apparently, there is no central configuration for the phones (hardware) and all the phones need to be locally configured. That is just what i have heard about asterisk VS ccm." then you have heard bad information. I can auto configure 20,000,000,000,000,000,000 phones with asterisk, not a problem at all.

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36117764)

Ok, so what specifically are you doing? I play with Cisco Communications Manager for a living right now, and while it does SOME great stuff, you gotta pay like crazy for it. Unfortunately, there are a lot of things they only get 90% right.

Re:WHEW! (2)

Lumpy (12016) | more than 3 years ago | (#36117878)

Auto-forwarding users' calls to their cellphones whether they are in the office or not.

Get up and leave the building; when your cellphone can no longer be seen via BT, it forwards your calls to your cellphone. Returns to your desk phone when you return. Nothing for you to do; it's all automatic.

And then we have the telemarketer incoming call hell... anyone can transfer a call they receive to extension 8000. It puts that caller into a virtual "person" that plays back a random audio file every time the other side stops talking, based on silence detection... "yeah", "tell me more", "what other features?", "ok", "yes", "just a minute".... Also it blacklists that number to never ring a phone but go directly to the general voicemail box.

Also least-cost routing is a LOT easier. I route calls to a land line outgoing if we have an office at that location; it goes across the T1 to that office and out their POP. We dropped long distance costs by 80% over the past 6 years we have done this. Plus I can run a 200-phone office location on a single low-end server that costs LESS than the licensing cost for a Cisco 50-phone deployment. Multiple stand-alone systems that inter-tie work fantastically. Plus net outages don't make a satellite office useless, unlike a centralized Cisco setup.

Re:WHEW! (1)

DarkOx (621550) | more than 3 years ago | (#36119018)

I am not saying Unified Communications Manager is the be all and end all of enterprise phone systems but don't make up facts. I even agree with you that Asterisk and other solutions are superior.

Still, a properly deployed Communications Manager solution is NOT centralized: you should either have an independent installation at each site, trunking (for very large orgs), or you should have a member of the cluster at remote sites; for very small remote sites you should be running a router with CMFallback configured. So survivability really should not be a problem.

Re:WHEW! (1)

Iam9376 (1096787) | more than 3 years ago | (#36129444)

Still a properly deployed Communications Manager solution is NOT centralized

Where did you learn to design enterprise telephony systems? You've got it half right.

Centralized deployment models have numerous advantages, from cost to configuration and maintenance, and it also reduces overall system complexity.

Best practice is a centralized deployment model with a local voice gateway connected to the PSTN per site (MGCP, H323, SIP, doesn't matter) configured for SRST (call-manager-fallback).

Simple.
Clean.
Survivable.

This is no different between installations of 10 sites or installations of 10,000 and is why it's so damn effective.

Decentralized deployments need to have strict justification, otherwise you're wasting your time and energy.

Lacking Perspective (1)

Iam9376 (1096787) | more than 3 years ago | (#36122280)

Sounds to me you've not worked on UCM recently, if at all.

Call Forward No Coverage.

LCR (from the very beginning):
  1. Create a Route Group containing the gateway or trunk device for the site you are configuring LCR
  2. Create a Route List containing the previously created Route Group
  3. Create a Route Pattern for the LCR pointing to the Route List previously created

That's all.

Cisco's Unified Communications Manager platform is extraordinarily well built once you move past version 7.1.3 (6 was solid, but 7 introduced logical routing and other important features). Yes, it is expensive. But it is robust, stable and the pool of knowledgeable engineers can't be denied; if you don't understand the immediate value of that I've wasted your time and mine. Lastly, before I end this rant, one word: support. Who do you call for support at 10pm for your Asterisk box? Sure, some companies provide support, but not on the same level Cisco can provide.

plus net outages don't make a satellite office useless unlike a centralized Cisco setup.

I am now certain you either have no experience with Cisco's UC platform or simply live with your head in the sand. The technology is called Survivable Remote Site Telephony (SRST).

Comparing Asterisk to Cisco's UCM is disingenuous as they have entirely different markets with different requirements.

The simple fact of the matter is you don't deploy Asterisk if you can afford UCM (if you can afford it, you're likely large enough to benefit from it).

So, to recap:
-Enterprises need support. They need it yesterday when problems arise.
-Knowledgeable engineers to support and maintain the solution.
-UCM was built to scale. I'm talking 300 sites, 150,000 end points, 12 call processing agents (termed Super Cluster when you have more than 8), numerous MoH/TFTP servers and the like. This is easily possible with CUCM, and it's extremely stable.
-The platform is easily extended to Presence, WebEx, Contact Centers, Attendant Consoles, and numerous 3rd party applications.
-Cisco has another advantage which no other company in the world can claim: They own the network. That means a fully integrated solution, from the switch to the handset, and the numerous benefits that entails.

An aside: of the clients I have personally migrated from Asterisk (of which there are 4), none had more than 5,000 end points.

Please acquire some perspective before you go around baselessly besmirching the big bad corporation and their products, and please don't try to make an argument about the feature set differences. That's never the deciding factor with these two products.

P.S.: the virtual person you describe is available as a 3rd party solution.

Well, that turned out longer than I intended; apologies, as I could keep going on and on about this subject.

Re:WHEW! (2)

Greyfox (87712) | more than 3 years ago | (#36117768)

You forgot to mention you work at www.asteriskporn.com...

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36119634)

I tested Cisco phones historically and they didn't last under heavy usage.

Re:WHEW! (0)

Anonymous Coward | more than 3 years ago | (#36121822)

I tested Cisco phones historically

You mean like back in the Middle Ages?

Re:WHEW! (1)

Iam9376 (1096787) | more than 3 years ago | (#36122304)

I have a client still using first generation phones (bought new at the time) without issue. Sure, some fail over time, but what hardware doesn't?

world disarmament mandated in newclear kode (-1)

Anonymous Coward | more than 3 years ago | (#36117598)

the so-called whore of babylon has the required plug-in, & is being interviewed now by the hymenology council, in regards to the associated honesty mandate. you call this 'weather'?

Hang on (3, Insightful)

Spad (470073) | more than 3 years ago | (#36117718)

A Cisco spokesman said the networking vendor was serious about security and advised users to apply the relevant recommendations in the manual to secure their systems.
[...]
The weaknesses result from Cisco's reliance on web functions that gave users functions at the cost of easier penetration for hackers.
[...]
“The book says to shut off web services,” Wesley said.

So why the hell is Cisco shipping devices with features that they themselves recommend disabling for security reasons, unless you have specific need for them, enabled by default?

Re:Hang on (0)

Anonymous Coward | more than 3 years ago | (#36117840)

This is nothing new, Spad.

Cisco ships all IOS devices with CDP (Cisco Discovery Protocol), which allows Cisco devices to detect neighboring Cisco devices and gives you information about them.

Cisco has for years recommended this be disabled for security reasons but they understand that it's a valuable tool that people want. I'm grateful they give the customer the chance to evaluate their own security risks and choose between security and function.

If you want to split hairs, you could ask the same question to Microsoft for shipping windows with Ping built in, or providing Sysinternals software on their download site. (Which many viruses, worms and malware utilized.)

Re:Hang on (1)

jeyk (570728) | more than 3 years ago | (#36118134)

[...] Sysinternals software on their download site. (Which many viruses, worms and malware utilized.)

I know that sounds as if I am trolling, but I am genuinely interested. Do you have any citation for that?

Re:Hang on (1)

Anonymous Coward | more than 3 years ago | (#36118306)

I think he is referring to the use of PsTools [microsoft.com]. I've personally dissected viruses which have used that set of utilities as part of their payload, but this was years ago before SysInternals even belonged to Microsoft, and the viruses I saw which used them were very unsophisticated. Either way, I don't see how it's relevant to Cisco having unsafe defaults.

Re:Hang on (2)

wiedzmin (1269816) | more than 3 years ago | (#36119668)

I'm grateful they give the customer the chance to evaluate their own security risks and choose between security and function.

Disabling the features by default does not take away the customer's ability to evaluate their own security risks and enable what they need. Enabling everything by default is a bad practice; it puts all but the most experienced customers in harm's way. Ever heard of a security concept called 'implicit deny'?

Re:Hang on (1)

Iam9376 (1096787) | more than 3 years ago | (#36122400)

Out of the box nothing works. Services have to manually be activated and started.

Re:Hang on (1)

swalve (1980968) | more than 3 years ago | (#36124174)

Security is the customer's problem to implement how they choose. Out of the box, a thing should work.

Re:Hang on (1)

Iam9376 (1096787) | more than 3 years ago | (#36122362)

The recommendation is to disable CDP on interfaces facing towards end user devices and neighbors you don't control, not disabling CDP entirely.

Re:Hang on (1)

Klync (152475) | more than 3 years ago | (#36117884)

I don't want to defend Cisco's laziness here, but there is a sort of logic to what they do - especially given all the VAR's that end up deploying these systems: the hardware / software is shipped so that it's easiest to deploy out of the box. A phone installation can go wrong in so many different places, it helps in troubleshooting and remote management to have everything open by default, and then start locking things down once it's running. This approach has obvious flaws, but the alternative would be a nightmare to deploy.

Given this situation, I think customers and VARs need to be more conscious about security. Maybe Cisco could audit their VARs to see how good they are at implementing the lock-down checklist. Or maybe they could provide such a checklist directly to the end customer.

Re:Hang on (2)

fast turtle (1118037) | more than 3 years ago | (#36118248)

Actually, the reason it's so hard to determine the problem is because everything is active. If a system is in locked down status to begin with, you have an easier time figuring out the problem because you only need to work on (1) One issue at a time. Much nicer. Of course it would also help if they'd create a product where the basic functionality worked out of the box and didn't depend on so many proprietary techs.

Re:Hang on (1)

Iam9376 (1096787) | more than 3 years ago | (#36122502)

I suspect you and the OP have no actual experience with the system, so I'll say the following:

-No engineer I know enables more services than we need. Only inexperienced engineers who don't know what service does what activates them all.
-Troubleshooting isn't as difficult as you make it to be. CUCM includes very detailed logging facilities, the trick is knowing how to read them.
-VoIP security, specifically with CUCM, in my experience is rarely implemented. It's not as big of a problem as this article makes it seem. Furthermore, if the malicious person is on your network, you've got a general security problem. If the malicious person is physically connected to your network, you have other problems to worry about.
-Not all third-party applications support SRTP, and they will break if it is implemented.
-Overall platform stability and security comes down to who deployed it.

As a design/implementation engineer, I can say we only harden systems when there is a specific requirement for it or by request. It is not general practice, nor should it be.

I suspect that last sentence will bring down the herd so I shall clarify:
Implementing security has a lot of implications, not only from a technology standpoint but from a political/office politics standpoint as well. Careful consideration is needed before deploying.

Re:Hang on (0)

Anonymous Coward | more than 3 years ago | (#36117984)

Because people DO like to use those features.

This has been mentioned before: the feature in question is the "services button", which Cisco feels leaving enabled will get managers to ask IT people about what kind of services they can add to the phones (presuming they hadn't done so prior to the new phone system purchase).

Some of the uses may seem trivial, but being able to add a punch-clock application to the desk of every agent at a call center can save a HUGE amount of money every year. (And the boss likes the weather app before deciding to go golfing. :P)

Re:Hang on (1)

Iam9376 (1096787) | more than 3 years ago | (#36122532)

some of the uses may seem trivial, but being able to add a punch-clock application to the desk of every agent at a call center can save a HUGE amount of money every year.

Precisely.

I couldn't find any mention of the specifics of the attack in the article, but if it is related to the services button, then I question how these attacks are being performed. The services button fetches a URL on every press; unless I am missing something (and it's quite possible I am), the only way to do anything malicious is to somehow hijack that request to a custom server informing the phone of some malicious service.

Re:Hang on (1)

postbigbang (761081) | more than 3 years ago | (#36118058)

You pegged my irony meter. Now it's broken.

Hey-- Microsoft just bought Skype! You can use that instead, right?

(now ducking)

Re:Hang on (0)

Anonymous Coward | more than 3 years ago | (#36118302)

Cisco DOES ship with this off. Current firmware ships with webAccess set to false, which has been the behavior for the last year. This only affects old firmware 9.x.

While we're at it, I suppose we can raise a stink about year-old MS & Linux exploits, too, that may be present on an install CD I have lying around from last year? Surely there are a bunch of those?

Great (1)

DinDaddy (1168147) | more than 3 years ago | (#36117792)

There's a phone just like the one in that pic on my desk.

Re:Great (1)

webmistressrachel (903577) | more than 3 years ago | (#36118032)

Scary...

Our city council deploys similar IP phones from Nortel Networks; are they vulnerable, too, I wonder? Fortunately, their physical security is pretty damn good. They seem to know damn well that I'll abuse Ethernet ports if given half a chance, so finding out isn't an option for me...

Re:Great (2)

DinDaddy (1168147) | more than 3 years ago | (#36119156)

I'm not actually worried about external hacking, our corporate IT isn't totally incompetent. I am just less than pleased that my employer themselves can potentially listen to me through my phone even when I am not using it.

Working with SIP is never easy (3, Interesting)

anthm (894202) | more than 3 years ago | (#36117794)

I have been working on the open source softswitch FreeSWITCH http://www.freeswitch.org/ [freeswitch.org] for almost 6 years now.
During that time I have seen SIP continuously evolve to try to cover its own shortcomings, which all stemmed from the simple concept of "If we base it on HTTP, we can use proxies and never have to worry about media." Of course this is not true, and the amount of complexity that is put into each SIP device is much too great, which is probably why Cisco prefers its own lighter "skinny" protocol. Sadly they own Sipura and Linksys and have SIP on their devices using countless hacks that make interop a nightmare. I am sure you can do many of these same attacks on any brand of phone. There are much better reasons out there to curse Cisco for being involved in VoIP. =D

Re:Working with SIP is never easy (1)

Bookwyrm (3535) | more than 3 years ago | (#36117904)

Agreed. SIP is a particularly bad mess to deal with.

A quick checklist (1)

dachshund (300733) | more than 3 years ago | (#36117944)

1. Does your system use software?
2. Is it connected to a network, or does it have any kind of outward-facing attack surface?
3. Is it an embedded system?
4. Is it based on Windows?
5. Is it based on another commercial OS?
6. Does it use a significant number of standard libraries?
7. Is it proprietary, or has it /not/ been subject to significant public attack/repair/analysis?
8. Does it handle any kind of sensitive data, have a microphone that could overhear things, or is it connected to a network that has other kinds of sensitive data on it?

If you answered 'yes' to question 8 and any one of the previous questions, then your system has a critical vulnerability that could lead to a total compromise. Finding that vulnerability will require varying degrees of effort, from 'almost none' to 'a year with a fuzzing framework and IDA'.

If you answered yes to 3, 4 and 5, possibly 6, definitely 7, then it'll be closer to the easier side than the hard side.

I work in the security industry, so perhaps I'm just a bit jaded. But I have to say that the novelty of these stories has worn off for me --- we could probably save everyone a lot of trouble by setting up a cron job that generates 'random system of the day has vulnerability' news stories.

(And yes, I realize that it's important to keep vendors on their toes, etc. But this will be handled like every other story: a few holes will be patched, the vendor will brush off the concerns, and it'll be business as usual.)

Re:A quick checklist (1)

Iam9376 (1096787) | more than 3 years ago | (#36122354)

I agree. There is nothing new here and the reactions seen in the comments are precisely why I cannot frequent this site anymore.

Misleading... (0)

Anonymous Coward | more than 3 years ago | (#36118110)

The article says that this exploits the web access on the IP phones. Also, there are several references to it having to be 'out-of-the-box.'

IP phones registered to CUCM automatically upgrade the firmware to what matches the CUCM device pack. All recent firmware releases (9.x) have webAccess disabled by default, and that firmware is used for recent CUCM 7.1 and 8.0 releases. And upgrading firmware on a cluster in bulk is a pretty quick/easy task.

On top of that, the attacker would need to be in the LAN (assuming the presence of a FW at the border of the network) and on a network routable to the voice network.

I'm not saying it isn't a concern, but this is less of an issue than the article makes it seem.
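The "routable to the voice network" condition in the post above is normally enforced with an ACL between the data VLAN and the voice VLAN, and the ordering of its lines is the 'implicit deny' that wiedzmin mentions earlier in the thread: IOS evaluates an extended ACL top to bottom, the first match wins, and anything that matches nothing is dropped. The following is an added example, not code from the article or from Cisco: a small evaluator for IOS extended-ACL syntax (only `eq` and `range` port operators are handled) run against a constructed ACL for a data VLAN of 10.20.0.0/16 and a voice VLAN of 10.10.0.0/16. It lets a PC reach phones only on the RTP port range that a softphone needs, blocks everything else from the data VLAN to the voice VLAN (including the phone's HTTP interface that the article says the attack relies on), and still lets PCs reach the rest of the network. The subnets, addresses and flows are constructed; the ACL keywords and the RTP port range are the ones Cisco phones use by default.

```python
"""Evaluate a Cisco IOS extended ACL against sample flows.

Added example (not from the article). Models the 'not routable to the
voice network' condition as an ACL applied inbound on the data-VLAN SVI and
shows which flows reach the voice VLAN. First matching line wins; a flow
that matches no line hits the implicit deny at the end.
"""
import ipaddress

# Constructed: data VLAN 10.20.0.0/16, voice VLAN 10.10.0.0/16.
# Line 1: softphone media (RTP 16384-32767) may reach phones.
# Line 2: nothing else from the data VLAN may reach the voice VLAN.
# Line 3: the data VLAN may still reach everything else.
SAMPLE_ACL = """\
permit udp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 range 16384 32767
deny ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip 10.20.0.0 0.0.255.255 any
"""


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD');
    return (ip_network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _parse_ports(tokens, i):
    """Consume an optional 'eq N' or 'range LO HI'; return ((lo, hi), next)."""
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
        return (port, port), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return (0, 65535), i


def parse_acl(text):
    """Return [(action, proto, src_net, src_ports, dst_net, dst_ports)]."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        sports, i = _parse_ports(t, i)
        dst, i = _parse_addr(t, i)
        dports, i = _parse_ports(t, i)
        entries.append((action, proto, src, sports, dst, dports))
    return entries


def evaluate(acl, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one flow (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sports, dnet, dports in acl:
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if not (sports[0] <= sport <= sports[1]
                and dports[0] <= dport <= dports[1]):
            continue
        return action
    return "deny"  # implicit deny: nothing matched


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed flows: a PC, a phone, an external web server, a spoofed source.
    for flow in [("tcp", "10.20.1.5", 40000, "10.10.1.7", 80),
                 ("udp", "10.20.1.5", 20000, "10.10.1.7", 20000),
                 ("tcp", "10.20.1.5", 40000, "198.51.100.9", 443),
                 ("tcp", "192.0.2.10", 40000, "10.10.1.7", 80)]:
        print(flow, "->", evaluate(acl, *flow))
```

The first flow (PC to phone HTTP) is denied by line 2, the RTP flow is permitted by line 1, the PC's web traffic is permitted by line 3, and the last flow, whose source address is not in the data VLAN at all, matches nothing and is dropped by the implicit deny. Applying the real ACL is `ip access-group <name> in` on the data-VLAN SVI; management hosts that legitimately need the phones' web interface would get their own `permit tcp host <mgmt-ip> ... eq 80` line above line 2.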

Specifics on the exploits? Original source? (1)

corerunner (971136) | more than 3 years ago | (#36118342)

I read the article and it provides no details on the exploit(s). How are we supposed to know if a system is vulnerable, let alone what configuration changes are required to harden security? The article links to the original Slashdot submission, which links to the article... which came first, and where is the original source?

Summary is misleading (1)

bsquizzato (413710) | more than 3 years ago | (#36118452)

There are no details about anything in that article. Aside from the single picture of one 7975 phone showing RickRolled, it doesn't list vulnerable phone models at all. (Also strange is that the 7975 is a model that doesn't handle video calls on the phone itself, so I'm not sure how a video is playing on it.) Despite that, the summary here on Slashdot tells everyone that Cisco's 7900 series of phones is vulnerable, with the link given for its "Latest IP Phones". There are more models of phones that Cisco makes ... 3900 series, 500 series, 8900 series, 9900 series, 6900 series to name a few more (http://www.cisco.com/en/US/products/sw/voicesw/products.html#N4FD791). Of those, the 7900 is not the newest.

At least pull your facts from the article, please.

"recommended security requirements." (0)

Anonymous Coward | more than 3 years ago | (#36118662)

Are these recommendations, or requirements?

This is very old (3, Interesting)

MobyDisk (75490) | more than 3 years ago | (#36118980)

Cisco IP phones are not designed to be secure out of the box. They periodically connect to an unsecured FTP site to download firmware and unencrypted password text files. They use DHCP to determine the FTP site and the phone directory. The phones accept remote commands that allow you to control them: push any button, dial calls, turn on/off the speakerphone, etc. Back in 2005 I worked in an office and we had fun telnetting to each other's phones and making them quack or display funny messages or other such nonsense. The articles are light on details, but it sounds like nothing has changed.

Re:This is very old (1)

Anonymous Coward | more than 3 years ago | (#36120572)

I had great fun in medical residency on slow days making the (completely unsecured) Cisco IP phones burp, fart, talk, scream, etc., in the hospital. Of course, this same hospital was dependent on portable communications (cordless IP phones, etc) secured with WEP. Of course, anyone with an iPod in their pocket could shut the entire thing down just by spamming control packets. At one point, I had my laptop in my call room and fired up Backtrack to sniff the network. By 9AM I'd cracked every one of their wireless networks and was sniffing the packets.

Of course, they also used a Vocera system (also using 802.11), the administrative interface of which was secured...by an IP address. That's right: They didn't change the password, and you could go through the diagnostics on one of the Voceras, get the IP for the server, and plug it right into a web browser.

Geniuses, they were.

Posted as an AC for obvious reasons.

So what's the story? (1)

pathological liar (659969) | more than 3 years ago | (#36119044)

VoIP systems can be compromised/abused? I intercept calls at work ("... for quality assurance and monitoring purposes ..."); if that system was compromised [asterisk.org] someone could certainly demonstrate call interception on a two-bit Asterisk/Polycom setup too.

What is the attack?? (0)

Anonymous Coward | more than 3 years ago | (#36119050)

I read TFA and there is no mention of what the attack is. As someone who actually works in this field as a Cisco VAR for telephony, we have all known for a long time how to make a bug on a line if you are the sysadmin of the Communications Manager server. However, that is more like core functionality of the system.

Imagine you need the old-school push button to talk to your secretary (I said old school). You could do this on any phone that has an unused line by setting it up with No Label and Auto Answer true. I do not see how this is going to be done remotely unless they know the admin password. That is usually only stored in the DC on a Post-it note on that server, so it is hard to guess.

bug or feature. (0)

Anonymous Coward | more than 3 years ago | (#36119404)

Here is the question, though: is this actually a bug, or a feature for other groups of people?

Not the first time (0)

Anonymous Coward | more than 3 years ago | (#36125420)

I discovered a similar weakness that could bring down the call center with a few lines of VXML code. It crashes the router. I discovered it by accident while programming an IVR app. I reported it to no less than 3 TAC engineers and 2 TAC managers, but they said that since my code was in development and not production they wouldn't even start a ticket. It's not a bug if it is not in production, they told me.

Not necessarily all bad (1)

Geminii (954348) | more than 3 years ago | (#36132300)

Could it be used against telemarketers? Please?