To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/voipsecurity/0,3800013656,39165937,00.htm

Cisco warns over IP phone flaws
Unauthorised access...

By Marguerite Reardon

Published: Thursday 22 February 2007

Cisco Systems has issued a warning that some of its IP phones could be compromised, allowing unauthorised individuals to bypass security restrictions.

In the warning, Cisco detailed flaws for two sets of products. One warning identified two versions of the Cisco Unified IP Conference Station, a speaker phone specially designed for conference rooms. The products are the 7935 version 3.2(15) and 7936 version 3.3(12).

Cisco said because of a design error in the HTTP interface, which allows the device to be managed remotely, an administrator's credentials are saved or cached when the device is accessed remotely. So if an unauthorised person tried to access the device at a later time, it would permit access without further authentication.

If an administrator never accesses the device via the HTTP interface, the device is not vulnerable to the authentication bypass attack. Cisco said it's possible to reset the device by powering it down and turning it back on again.

Cisco also identified flaws in several versions of its Unified IP phones, including the 7906G, 7911G, 7941G, 7961G, 7970G and 7971G. These IP phones contain a default user account and password that is used for debugging purposes. Cisco said that because of an implementation error, the default user account cannot be disabled, removed or have its password changed. This means that it's possible for an unauthorised person to remotely access a vulnerable IP phone and take complete control of the device, causing it to become unstable and crash.

Cisco suggests on its website that network administrators apply access control lists on routers, switches and firewalls that filter traffic to vulnerable conference stations and IP phones so that traffic is only allowed from stations that need to remotely administer the devices. Cisco also said it will make free software available to address the flaws but did not say when it would be available. Updates will be posted on its website.

While attacks on voice over IP systems are rare, security flaws could become a growing concern for network administrators, especially as the number of companies using VoIP technology increases.

Cisco's IP telephony business has been growing strong over the past few years as more and more companies upgrade their telephone networks to IP.

Marguerite Reardon writes for CNET News.com