- 10 open source companies to watch
- Mythbuster busts his own tale
- $208 million petascale computer gets green light
- Sony recalls 73,000 Vaio laptops
- Chrome and Firefox and add-ons
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Cisco confirmed it is possible to eavesdrop on remote conversations using Cisco VoIP phones. In its security response, Cisco says: "an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream."
Cisco adds that Extension Mobility authentication credentials are not tied to individual IP phones and that "any Extension Mobility account configured on an IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack."
The technique was described by Telindus researcher Joffrey Czarny at HACK.LU 2007 in Luxembourg in October.
Cisco has published some workarounds to this problem in its security response.
Also in October, two security experts at hacker conference ToorCon9 in San Diego hacked into their hotel's corporate network using a Cisco VoIP phone.
The hackers, John Kindervag and Jason Ostrom said they were able to access the hotel's financial and corporate network and recorded other phone calls, according to a blog on Wired.com.
The hackers used penetration tests propounded by a tool called VoIP Hopper, which mimics the Cisco data packets sent at three minute intervals and then trades a new Ethernet interface, getting the PC - which the hackers switched in place of the hotel phone - into the network running the VoIP, according to the blog post.
The Avaya configuration is superior to Cisco, according to the hackers, because you have to send requests beyond a sniffer. Although it can be breached the same way, by replacing the phone with a PC.

This comprehensive, 115 page guide provides frontline network troubleshooters with practical advice...
Ensuring Network Integrity, Continuity and Process Enforcement with Route AnalyticsThis white paper shows how route analytics is used to ensure that dynamic IP network behavior...
Advancing the Economics of NetworkingAging network systems and old habits have dictated how businesses spend their IT budgets. As a...

Get caught up to speed on the latest WAN optimization developments in this informative Editorial...
Transforming the Enterprise WAN Edge: Video from CiscoLife on the edge of your WAN has changed dramatically. With the need to deliver advanced services,...
PoE Plus: Impact on the PoE MarketThe standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...

WAN Ethernet services are reliable, cost-efficient offerings that are widely available and in a...
Get More From Your WANDownload this Network World Executive Guide and get information that details how real-world...
WAN Optimization: How to rev up sluggish applicationsWAN optimization technology is maturing and buyers are more comfortable than ever with tools that...
Partner Content
Simplify Your Branch Infrastructure
Learn how to simplify your branch infrastructure while dramatically increasing app performance with Citrix Branch Repeater.
Download the Free Info Kit
Next-Gen Load Balancing
Free Guide: "Next Gen Load Balancing: 8 Things You Need to Handle Today's Network Traffic" shows you the functionality needed in your next load balancer.
Download the Free Guide
Accelerate Your Web Apps by up to 5x
Free Guide: "The Secret to Getting Maximum Speed from your Web Applications." Learn how you can deliver Web apps up to 5x faster.
Download the Free Guide
Comments (3)
LOL!By Anonymous on November 30, 2007, 11:24 pm"Cue CCIE's and so called security experts to spout on at me about the fantastic encrypted SIP and VPN's etc etc." Good luck with your TDM PBX. This is an example...
Reply | Read entire comment
Duh! didn't see that oneBy Anonymous on November 30, 2007, 12:17 pmDuh! didn't see that one coming..! People in certain arenas have been exploiting that one for months now. How nice of Cisco to finally make the general public (low-tech!)...
Reply | Read entire comment
Cisco confirms ability to eavesdrop on remote calls using its VoIP phonesBy Cisco Subnet on November 29, 2007, 6:17 pmCisco confirmed it is possible to eavesdrop on remote conversations using Cisco voIP phones. In its security response, Cisco says: "an attacker with valid Extension...
Reply | Read entire comment
View all comments