Cisco admits to VoIP eavesdropping

Cisco Systems issued a security alert last week confirming a security hole in its VoIP phones that enables attackers to eavesdrop on voice calls.

Cisco said 11 models of its Cisco Unified IP Phone 7900 Series handsets are vulnerable to the attack and that all Cisco IP phones which support Extension Mobility, a feature which enables users to configure a phone as their own on a temporary basis, were vulnerable.

Cisco said the risk was low level with a base score of 4.0 on the Common Vulnerability Scoring System. 

The alert followed a presentation given at the Hack.Lu 2007 security conference in Luxemberg by researcher Joffrey Czarny in October.

PC World also reports that in October, two security experts at hacker conference ToorCon9 in San Diego hacked into their hotel's corporate network using a Cisco VoIP phone. The hackers said they were able to access the hotel's financial and corporate network and recorded other phone calls, according to a blog on Wired.com. 

Cisco said a user could attack a properly configured Cisco IP phone to eavesdrop on ongoing conversations around the affected device, a breach that could lead to the disclosure of sensitive information.

For more:
- Cisco Security alert
- PC World Report

Related Articles:
- VoIP Trojan Alert Report