Think your conversations on that Internet phone are secure? Think again.
From anywhere in the world, hackers can exploit vulnerabilities in “Voice over Internet Protocol” (VoIP) phones (widely used by governments, not just consumers) to eavesdrop on private conversations -- listening not just to your voice but also the other people and sounds of the environment around you.
'It's not just Cisco phones that are at risk. All VoIP phones are particularly problematic.'
- Columbia University professor Salvatore Stolfo
Columbia University graduate student Ang Cui and professor Salvatore Stolfo announced they have found serious vulnerabilities in VoiP, industry leader Cisco's phone technology.
“It's relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones -- they are not secure,” Stolfo said. But that manufacturer isn’t alone; the flaw extends to all Internet calls.
"It's not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere,” he said.
The Columbia team developed a relatively simple device that plugs into a Cisco phone and downloads malware into any of the 14 Cisco Unified IP Phone models to easily eavesdrop.
But this team isn’t about causing trouble; as “white hat” or ethical hackers, they are hoping to improve security. In fact, their research was funded by the Defense Advanced Research Projects Agency (DARPA), Intelligence Advanced Research Projects Activity and the Department of Homeland Security.
More than VoiP is at risk -- other networked devices such as routers and printers are also vulnerable.
Defend your tech from attack
Cisco has released a patch to fix the vulnerabilities, but according to this team it is ineffective. Fortunately, the Columbia team’s research also focused on developing new advanced security technology to protect these systems.
They developed a solution called “Symbiote,” and to their knowledge it was the only solution to the Cisco IP Phone’s systemic problem, prior to the patch.
Their new defense technology software protects embedded systems from malicious code injection attacks.
The researchers describe it as a digital life form: a host-based defense mechanism with a code structure inspired by the symbiotic defensive system seen in nature.
Symbiotes provides self-protection against adversaries directly attacking and targeting host defenses.
If an adversary attempts to remove Symbiote, their tech will render the host inoperable.
Symbiote can be used to protect all kinds of embedded systems used everyday from phones and cars to printers and ATM machines.
Ballet dancer turned defense specialist Allison Barrie has traveled around the world covering the military, terrorism, weapons advancements and life on the front line. You can reach her at firstname.lastname@example.org or follow her on Twitter @Allison_Barrie.