Hacking Cisco Phones

Ang Cui and Michael Costello

We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native
Unix), the operating system that powers all Cisco TNP IP phones. We
demonstrate the reliable exploitation of all Cisco TNP phones via
multiple vulnerabilities found in the CNU kernel. We demonstrate
practical covert surveillance using constant, stealthy exfiltration of
microphone data via a number of covert channels. We also demonstrate the
worm-like propagation of our CNU malware, which can quickly compromise
all vulnerable Cisco phones on the network. We discuss the feasibility
of our attacks given physical access, internal network access and remote
access across the internet. Lastly, we build on last year's presentation
by discussing the feasibility of exploiting Cisco phones from
compromised HP printers and vice versa.