Cisco IP Phone Vulnerability Casts New Light on VOIP Security

January 18, 2013

Researchers at Columbia University unveiled a security flaw in Cisco IP phone firmware that leaves the phones easily vulnerable to remote eavesdropping, allowing hackers to turn on speakerphones and disable phone lights to secretly listen in on and/or record conversations. Direct access to only one phone is necessary for a hacker to potentially compromise all phones in an enterprise telephony system.

While Cisco has since offered a patch, it’s likely that the vast majority of Cisco IP phones remain vulnerable, as security is typically not a high priority for those managing VOIP systems. Just 39% of companies cite “security” as their primary reason for deploying session border controllers at the interface of their telephony environment with SIP trunking service providers. Far fewer actively test or monitor their IPT environments for threats and attacks or deploy application-specific firewalls to protect against VOIP threats.

ETA Bottom Line: Incorporate active security monitoring and proactive threat protection into your IPT architecture. Stay on top of vulnerability announcements and apply appropriate patches.