Cui has spent the past 10 years hacking internet-connected desk phones and other “embedded devices,” that is, devices that do not look like computers or servers but have it all: a processor, memory, and often the ability to connect to other devices or the internet. As the founder of Red Balloon Security, Cui spends a lot of time evaluating sophisticated industrial control systems and even satellite infrastructure, but he always returns to IP phones as a barometer of progress in securing the Internet of Things. His latest research indicates that there is still a long way to go.
At the SummerCon security conference in New York on Friday, Cui and his Red Balloon colleague Yuanzhe Wu are presenting new findings on a vulnerability in more than a dozen models of Cisco IP desk phones. It can only be exploited with physical access to a target device, but if an attacker succeeds, they could take full control of the phone, which they could then use to eavesdrop on calls, bug the surrounding room, or carry out other malicious activities.
“Cisco has released software updates for this issue and is not aware of any malicious use of the vulnerability described in the advisory,” a Cisco spokesperson told WIRED in a statement, referring to a security advisory the company released on Wednesday.
However, Red Balloon researchers say Cisco’s patch does not entirely eliminate the vulnerability; it just makes the bug harder to exploit. This is because the vulnerability they discovered is not actually in code that Cisco can rewrite or control. Instead, it resides in low-level firmware developed by chipmaker Broadcom for processors that Cisco uses as an additional hardware security feature. It also means that the same vulnerability is likely present in other embedded devices that use the same Broadcom chips.
Broadcom did not return multiple requests for comment from WIRED, but Cisco said on Wednesday the flaw was in Broadcom’s firmware implementation.
“Look, we’ve all been here before, with me disclosing IP phone bugs to Cisco, and they’ve come a long way in a lot of ways,” Cui told WIRED ahead of SummerCon. “But the fact that there is a vulnerability here is not surprising. At the end of the day, these things aren’t any safer than they were 10 years ago.”
Red Balloon Security researchers tested the vulnerability on a Cisco 8841 phone, which contains a Broadcom BCM 911360 TrustZone chip specifically designed to provide a hardware “root of trust” for the phone. Hardware roots of trust can enhance the overall security of a device. Microsoft, for example, is currently making a big push for users to adopt them as part of the system requirements for Windows 11. The idea is to add an additional chip running code that is immutable and cannot be fundamentally changed by the device’s main processor. This way, TrustZone can be trusted to essentially monitor the rest of the system and implement security protections such as boot monitoring without the risk of being corrupted itself.
Hardware roots of trust can raise the bar of a device’s security, but in practice, they also create a “who watches the watcher” conundrum. If there are vulnerabilities in a hardware security function, they silently undermine the integrity of the entire device.
The Broadcom chip that the researchers studied in Cisco phones has an application programming interface that allows limited interaction for things like configuring device encryption services. The researchers, however, found a flaw in the API that could allow attackers to trick it into executing commands that it should not be allowed to accept.