
Embedded Anti-Malware Defends Against Cisco IP Phone Hack

Software “symbiotes” signal attacks on embedded systems


LISTENING IN: Columbia University researchers showed recently how to remotely turn on a Cisco IP phone's microphones. Photo: Red Balloon Security

All current Cisco IP phones, including the ones seen on desks in the White House and aboard Air Force One, have a vulnerability that allows hackers to take complete control of the devices. Now computer scientists at Columbia University have developed a defense they call a “symbiote” that can detect any such intrusions. [Editor’s note: IEEE Spectrum uses Cisco IP phones too.]

The Columbia researchers discovered bugs in the phone’s kernel—essentially, the heart of its operating system—that can give intruders total access to the phones [PDF]. Once hackers are inside a phone, they can turn on its microphones, transforming it into an eavesdropping device. They can also use a compromised phone as the staging area for attacks on other phones—and on computers and devices such as printers—connected to the same network. The researchers, including computer scientist Ang Cui, reported the vulnerability to Cisco on 22 October 2012, within a few days of discovering and verifying the bug.

Although the attack the researchers originally documented relies on physical access to target phones, Cui says it’s possible to compromise the telephones remotely via the Internet. “This problem is not unique to Cisco,” adds Salvatore Stolfo, a computer science professor at Columbia University. “Avaya and other phone vendors undoubtedly have similar issues with their software.”

Such problems reflect the vulnerability of embedded systems—the near-ubiquitous computers found in printers, routers, and phones as well as cars, rail lines, power plants, prison-cell doors, and implantable medical devices. Computer security has largely focused on personal computers and not on the embedded systems that make up large parts of government and corporate infrastructures, Cui says.

SYMBIOTES: Code embedded on the phone watches for anomalies that might indicate an intruder.

Now the Columbia team says it has forged a new weapon that can defend Cisco phones against such exploits. The new anti-malware software, which they call symbiotes [PDF], resides directly in the embedded system’s firmware, continuously scanning random chunks of the programs running the system to check for anomalies. In essence, say the Columbia researchers, the symbiote serves as an immune system against intrusions. When the researchers demonstrated the attack that turns a Cisco phone into a listening post, the symbiote-protected phone signaled with a flashing red light. It also called Cui with a message: “My IP phone has been pwned.” (“Pwned” is hacker slang for “owned.”) “This is the first IP phone with an antivirus on it,” Stolfo says.

One key advantage of symbiotes is that they could detect unanticipated or “zero-day” attacks, Stolfo says, unlike anti-malware programs that rely on known patterns of misbehavior. “The symbiote doesn’t know all the vulnerabilities of what it’s protecting, just what the consequences of an exploit would look like,” Cui explains. The Columbia researchers, who are commercializing their work via their start-up Red Balloon Security, report that the symbiote devised for Cisco phones takes up just 200 bytes of data. The software scans the host phone’s kernel a few hundred times per second for intrusions, Cui says.
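As an added illustration (this is not the Columbia team's code, and the page does not say how their symbiote is built internally), the C sketch below shows one way a tiny firmware-resident monitor could implement the behaviour described above: it records a per-chunk digest of a code region while that region is known-good, then checks one pseudo-randomly chosen chunk per tick and reports the chunk whose contents no longer match. The digest (FNV-1a), the 64-byte chunk size, the constructed stand-in image, and the full-cycle chunk ordering are all assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>

#define IMAGE_SIZE 4096                      /* constructed stand-in for a kernel text region */
#define CHUNK_SIZE 64
#define NUM_CHUNKS (IMAGE_SIZE / CHUNK_SIZE) /* 64 chunks, a power of two */

static uint8_t  image[IMAGE_SIZE];     /* the protected code region */
static uint32_t baseline[NUM_CHUNKS];  /* known-good digest of every chunk */
static unsigned cursor;                /* state of the chunk-selection generator */

/* FNV-1a over one chunk: cheap enough to run a few hundred times per second. */
static uint32_t chunk_digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Take the baseline while the image is known-good, e.g. right after firmware load. */
void symbiote_init(unsigned seed) {
    for (size_t i = 0; i < IMAGE_SIZE; i++) image[i] = (uint8_t)(i * 31 + 7); /* constructed bytes */
    for (size_t c = 0; c < NUM_CHUNKS; c++)
        baseline[c] = chunk_digest(image + c * CHUNK_SIZE, CHUNK_SIZE);
    cursor = seed % NUM_CHUNKS;
}

/* Full-period LCG over chunk indices (multiplier 5, odd increment): the visiting
 * order is scrambled, yet every chunk is checked at least once per NUM_CHUNKS ticks. */
static size_t next_chunk(unsigned seed) {
    cursor = (5u * cursor + (seed | 1u)) % NUM_CHUNKS;
    return cursor;
}

/* One scan tick. Returns the chunk index on a digest mismatch, -1 if it still matches. */
int symbiote_check_chunk(size_t c) {
    return chunk_digest(image + c * CHUNK_SIZE, CHUNK_SIZE) == baseline[c] ? -1 : (int)c;
}

/* Run `ticks` checks; report the first chunk whose code has changed, or -1 if none. */
int symbiote_scan(unsigned seed, int ticks) {
    for (int t = 0; t < ticks; t++) {
        int hit = symbiote_check_chunk(next_chunk(seed));
        if (hit >= 0) return hit;
    }
    return -1;
}

/* Test hook only: flip one byte of the protected region to stand in for an
 * in-memory code modification that the scan is meant to notice. */
void simulate_code_change(size_t offset, uint8_t value) { image[offset] = value; }
```

Because the chunk walk is a full-period generator, a clean image yields -1 after NUM_CHUNKS ticks, and any single changed byte is reported within the same number of ticks.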

For its part, Cisco says it is working on a permanent fix for this vulnerability and has released an interim software update to protect customers. However, Stolfo says, Cisco’s solution involves disabling the phone’s secure data communication, or SSH server, as well as its PC port. So although the phones will be more secure, they will no longer let users manage them remotely, significantly limiting their utility.

Stolfo cautions that the symbiote still needs to be tested on real networks. Still, if and when symbiotes are deployed en masse, “we’ll be able to prevent large-scale exploits of embedded systems for 10 years, in my estimation,” Stolfo says. For added defense, future symbiotes may be able to monitor not only the device in which they reside but also other devices connected to the same network, Cui adds.

The researchers, who will detail their latest findings on 28 February at the RSA Conference in San Francisco, are now talking with companies and government agencies about incorporating symbiotes into embedded systems on a large scale.

About the Author

Charles Q. Choi is a science writer based in New York City. His reporting has appeared in The New York Times, Scientific American, and Wired, among other publications. In September 2011 he reported for IEEE Spectrum on a brain-computer interface based on ultrasound.
