This Week in Cybercrime: Careful—The Phone on Your Desk Could Be a Remote Listening Device

Exploit Could Let a Hacker Can Listen In On Your Conversations—Even After You Hang Up the Phone

It was widely reported this week that Ang Cui, a Columbia University PhD candidate, hacked Cisco’s near-ubiquitous VoIP office phone. The exploit, which Cui dubbed the “Funtenna,” gave him elevated privileges, including the ability to use the phone as a listening device to eavesdrop on what is going on in the room—whether the phone is on the hook or not. But that’s not the worst of it. “Once you compromise the phone, you can use the phone as a general-purpose computer to attack other phones or devices on the network,” Cui told Kaspersky Lab’s Threatpost blog. “It’s like a self-propagating worm that can attack a phone, printer, router, access points—all behind the firewall. The attacker has persistent presence on the network,” Cui said. Carrying out a demonstration of the attack was as simple as connecting an external circuit board to the phone’s standard phone jack plug; the circuit board became the receptacle into which the exploit was transferred via Bluetooth from his smartphone. From there, Cui was able to exploit a kernel-level vulnerability and gain access to the Cisco phone’s file system—then those of all other phones on an office’s network. Worse yet, Cui says, he and his colleagues could also remotely compromise Cisco phones over the Internet with no need for physical access.

Spammers Cut Costs by Taking Mobile Phone Conscripts

Computerworld reports that spammers have come up with a new way to get their messages across. They hijack Android mobile phones and get the infected gadgets to do their dirty work. This solves two problems from text-message spammers’ perspective: they no longer have to buy thousands of SIM cards (each of which gives them a new “sender” but is eventually deactivated by a network operator for abuse) to run their spam campaigns; and they no longer have to be in the same country as the message recipients in order to avoid international SMS sending charges. Security vendor Cloudmark told Computerworld that the virus was contracted when users downloaded either of two Android games hosted by a server located in Hong Kong that contained malware directing the phones to connect with rogue servers. The command-and-control servers gave each phone a list of around 50 phone numbers along with the message the spammer sought to deliver. “The malware on the Android device will wait a little more than one second after sending a message, then will eventually check in with the rogue server to obtain more numbers,” Andrew Conway, lead software engineer with Cloudmark, told Computerworld. “If the phone is shut off and turned on again,” Conway said, “the malware reboots and installs itself as a service on the phone.”

Iran Still a Cyberattack Target

Last year, Iran bore the brunt of the most sophisticated cyberattack to date when its Natanz uranium enrichment facility was pummeled by the now-infamous Stuxnet malware that rendered thousands of centrifuges inoperable. This year finds computer systems there still in the crosshairs. Researchers at Kaspersky Lab report that computers in Iran have been beset by a new strain of malware that wipes disk partitions clean of files. The attack, which Kaspersky Lab researcher Roel Schouwenberg characterizes as “extremely simplistic,” deletes all the files on drives D through I, as well as the desktop and user profiles. “But if it was effective, [its simplicity] doesn’t matter,” says Schouwenberg. The malicious program, which was reported on 16 December by Iran’s computer emergency readiness team, is set up so that it launches on specific dates—some as far out into the future as 2015.

We’ll Get Around to It—Eventually—Says Adobe

A well-known saying in Spanish culture is that “Mañana doesn’t mean ‘tomorrow’; it just means ‘not today.’” That may be the thinking behind Adobe’s unfathomable delay in fixing a dangerous vulnerability in its Shockwave multimedia player. U.S. CERT notified Adobe on 27 October 2010 that users who launch older multimedia content unwittingly cause the application to downgrade to an earlier version that lets hackers use exploits that had been rendered obsolete. "For example, the legacy version of Shockwave provides Flash 8.0.34.0, which was released on November 14, 2006 and contains multiple, known vulnerabilities,” said the CERT alert. You might think that Adobe would have raced to close the security hole. But you’d be wrong. The software maker says it doesn’t plan to deploy a fix until February, when it introduces the next major upgrade of Shockwave. That’s right: more than 2 years after it became aware of the problem.