Cisco released an advisory yesterday, warning that a number of its voice-over-IP phones can be hacked into, allowing anyone to listen in on phone calls and audio in the surrounding area.

The hack affects Cisco’s CiscoUnified IP Phones 7900 Series, versions 9.3(1)SR1 and lower. Once executed, the attacker will not only be able to monitor your phone calls, but it can also turn the microphone on and remotely, over the Internet, listen to any conversations being held in the vicinity. In order to do this, the attacker uses a piece of hardware that connects to the auxiliary port of the phone. With this, the attacker can “root” the phone, or gain full control of the phone.

A way to remotely hack into the phone systems also exists, but you must already have access to the internal corporate network.

Cisco notes that while it cannot patch the physical hardware that enables the hack, it will release a temporary software fix.

The vulnerability was originally exposed at the Chaos Communication Congress in Germany at the end of December. A professor and a doctoral candidate from Columbia University discovered the exploit and reported it to Cisco in November before bringing it public. Cisco only just released a security advisory yesterday, though it says it told customers privately after it was alerted to the issue.

via Ars Technica, Image via CCCen on YouTube

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Google has reopened its Google Wallet prepaid card option, after shutting it down due to two security vulnerabilities that let someone in possession of your phone access your prepaid funds even if you’d cleared all of your data from the app.

Google Wallet allows you to charge purchases using your phone and an near-field communication device. The “Wallet” itself houses either a Citi Mastercard, gift card, or Google prepaid card. The company was forced to disable its 1prepaid card due to a recently uncovered vulnerability that allowed access to the card, even if Google Wallet information had been wiped from the phone.

“Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet,” said Google Wallet and Payments vice president Osama Bedier in a blog post. “In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user.”

The company would not comment on the details of the fix.

Google touts the Wallet as being safer than your traditional leather wallet because it comes with a lock on it, a pin number that when entered gives you access to the credit cards within. The now-corrected vulnerability, however, made it easy for a thief to bypass your pin. If your phone was stolen, all the criminal had to do was wipe the phone’s Google Wallet memory. When the application was re-opened, it would prompt the criminal to create and save a new pin. Once they did that, they could reinstall the Google prepaid card. Why? Because Google associates your prepaid card information with the phone itself, not a specific Google account. Thus, your remaining balance would pop up, and that person could go shopping with your cash.

The company assures its users that it hasn’t found anyone taking advantage of the vulnerabilities since they were publicized.

The second vulnerability, however, has not yet been taken care of and probably never will be. It’s an application that can guess the pin on a rooted or jailbroken phone. It was found a day before the more widespread prepaid card issue was uncovered. Google urges its users not to jailbreak their phones, as Google Wallet cannot be protected on phones that have been tampered with.

Zvelo, the company that discovered this vulnerability, however, made the good point that a phone doesn’t have to be rooted before being stolen. Individuals who know their way around a phone (or can get access to YouTube) can easily unlock the phone and run a similar application to get hold of the pin number. Perhaps this will make Google think twice about simply issuing a warning about the security issues surrounding unlocked phones.

via Engadget, Stolen wallet image via Shutterstock