Cisco released an advisory yesterday, warning that a number of its voice-over-IP phones can be hacked into, allowing anyone to listen in on phone calls and audio in the surrounding area.
The hack affects Cisco’s Unified IP Phones 7900 Series, versions 9.3(1)SR1 and lower. Once it is executed, the attacker can not only monitor your phone calls but also turn the microphone on and listen remotely, over the Internet, to any conversations being held in the vicinity. To do this, the attacker uses a piece of hardware that connects to the auxiliary port of the phone. With this, the attacker can “root” the phone, or gain full control of it.
A way to remotely hack into the phone systems also exists, but you must already have access to the internal corporate network.
Cisco notes that while it cannot patch the physical hardware that enables the hack, it will release a temporary software fix.
The vulnerability was originally exposed at the Chaos Communication Congress in Germany at the end of December. A professor and a doctoral candidate from Columbia University discovered the exploit and reported it to Cisco in November before making it public. Cisco only released a security advisory yesterday, though it says it told customers privately after it was alerted to the issue.