1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.

Cisco reveals some of its IP phones are vulnerable to eavesdropping

By Shawn Knight
Mar 24, 2015

    Cisco recently issued an alert for a selection of its IP phone systems over a vulnerability in their firmware that could allow an attacker to eavesdrop on conversations.

    Cisco said its SPA300 and SPA500 series small business IP phone systems contain a firmware flaw related to improper authentication settings in the default configuration. As the company recently warned, an attacker could exploit the vulnerability by sending a crafted XML request to an affected device.

    As of writing, Cisco said it is aware of the vulnerability in version 7.5.5 of the systems. Later models may also be vulnerable.

    The good news for businesses is that an attacker may need access to trusted, internal networks behind a firewall to send the XML requests to targets. This of course will reduce the likelihood of a successful exploit, Cisco said.

    There’s currently no fix available (a patch is in the works) but in the meantime, administrators are advised to enable XML Execution authentication in the configuration settings of affected devices and only grant network access to trusted users. Admins can also help protect against external attacks by using a solid firewall strategy.

    In the post-Snowden era, it seems as though vulnerabilities like this keep popping up all the time and are often uncovered due to renewed scrutiny of mission-critical infrastructure.


  2. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 456   +40

    I thought all IP phones were vulnerable to eavesdropping... I mean the NSA aren't limited to some faulty models, they go for every one out there.
  3. jobeard

    jobeard TS Ambassador Posts: 12,753   +1,490

    Marvelous - - can you imagine trying to enter the name/credentials of even 20 employees - - how about an office 100+ ?
  4. The NSA has a new motto = "You make it, we hack it"
