[cisco-voip] FW: Cisco Security Response: Cisco Unified IP Phone Remote Eavesdropping

Philip Walenta pwalenta at wi.rr.com
Thu Nov 29 11:45:09 EST 2007


It's the fact that all the data to and from the phone is in clear text.  No
encryption.  Sniffable passwords etc. 

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Bill Simon
Sent: Thursday, November 29, 2007 9:53 AM
To: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] FW: Cisco Security Response: Cisco Unified IP
Phone Remote Eavesdropping

Looking over the presentation PDF...

Where's the "bug"?

All I see are valid uses of the phone's features when a user has valid
credentials.

HTTP is not a bug any more than telnet or FTP is a bug.  And this is after
seeing post after post about "Why did Cisco turn off FTP in CM5? 
Why do I have to use SFTP?"  So, everyone, choose:  encrypted protocols or
not.


Craig Staffin wrote:
> Interesting Bug,
> 
> Wes/Ryan any projected time frame on updated firmware?
> 
> Craig
> 
> -----Original Message-----
> From: Cisco Product Alert Tool
> [mailto:cco-pat-bouncehandler at external.cisco.com]
> Sent: Thursday, November 29, 2007 3:20 AM
> To: Craig Staffin
> Subject: Cisco Security Response: Cisco Unified IP Phone Remote 
> Eavesdropping
> 
> Message Type : Security Response    
>     
> Title: Cisco Security Response: Cisco Unified IP Phone Remote 
> Eavesdropping
> 
> URL: 
> http://www.cisco.com/en/US/customer/products/products_security_response09186a0080903a6d.html
> (available to registered users)
> 
> http://www.cisco.com/en/US/products/products_security_response09186a0080903a6d.html
> (available to non-registered users)
> 
> Posted: November 28, 2007
> 
> Summary: This is the Cisco PSIRT response to a presentation given at 
> the Hack.Lu 2007 security conference by Joffery Czarny of Telindus 
> regarding a technique to remotely eavesdrop using Cisco Unified IP 
> Phones.
> 
> The original report is available at the following link:
> 
> http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf
> 
> We greatly appreciate the opportunity to work with researchers on 
> security vulnerabilities
> and welcome the opportunity to review and assist in product reports.    
>     
> This email has been sent to craig.staffin at inacom.com. 
> You are receiving this notice because you subscribed to the Cisco 
> Product Alert Tool (PAT) and created the following profile(s):
> All Alerts    
>     
> Subscribe/unsubscribe instructions : 
> If you choose not to receive these notices, or if you would like to 
> make changes to your notification profile, please go to:
> http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en    
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
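As an added illustration of the cleartext point raised above (example code written for this archive page, not code from the thread, from Cisco, or from the Hack.Lu presentation): a small passive audit that takes request records as a LAN monitor might emit them and flags any request that carries HTTP Basic credentials or a password form field without TLS. The addresses, ports, paths and request texts are constructed samples, and the monitor record format (client, server:port, tls flag, raw request) is an assumption for the example. Findings keep only the username so the report itself never repeats a captured password.

```python
"""Audit sample captured HTTP requests for credentials sent in the clear.

Added example, not code from the mailing-list thread or from Cisco.
Flags requests that carry HTTP Basic credentials or a password form
field when the connection was not TLS. All records are constructed.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample records in an assumed monitor format:
# (client, "server:port", tls_in_use, raw request text). Made-up addresses.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "10.0.0.50:80", False,
     "GET /admin HTTP/1.1\r\nHost: 10.0.0.50\r\n"
     "Authorization: Basic " + base64.b64encode(b"admin:s3cret").decode() + "\r\n\r\n"),
    ("10.0.0.5", "10.0.0.51:443", True,          # same request, but over TLS
     "GET /admin HTTP/1.1\r\nHost: 10.0.0.51\r\n"
     "Authorization: Basic " + base64.b64encode(b"admin:s3cret").decode() + "\r\n\r\n"),
    ("10.0.0.6", "10.0.0.52:80", False,
     "POST /login HTTP/1.1\r\nHost: 10.0.0.52\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=phoneuser&password=hunter2"),
    ("10.0.0.7", "10.0.0.53:80", False,          # plain HTTP, no credentials
     "GET /status HTTP/1.1\r\nHost: 10.0.0.53\r\n\r\n"),
]

# Form field names treated as secrets (hypothetical list for the example).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pin"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(records):
    """Return one finding per credential observed on a non-TLS request.

    Each finding records who talked to what and which username was exposed;
    the secret itself is deliberately not copied into the report.
    """
    findings = []
    for client, server, tls, raw in records:
        if tls:
            continue  # encrypted on the wire: nothing for a passive observer
        method, path, headers, body = parse_request(raw)
        base = {"client": client, "server": server, "path": path}

        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = ""
            user = decoded.split(":", 1)[0] if decoded else "<undecodable>"
            findings.append({**base, "kind": "basic-auth", "user": user})

        ctype = headers.get("content-type", "")
        if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body)
            secret_fields = sorted(f for f in form if f.lower() in PASSWORD_FIELDS)
            if secret_fields:
                user = form.get("username", form.get("user", ["<unknown>"]))[0]
                findings.append({**base, "kind": "form-password",
                                 "user": user, "fields": secret_fields})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"{f['client']} -> {f['server']}{f['path']}: "
              f"{f['kind']} for user '{f['user']}' sent without TLS")
```

Run as-is it reports two exposures out of the four constructed records: the Basic-auth request and the form login over plain HTTP. The identical Basic-auth request sent over TLS is not reported, which is the whole of the "choose encrypted protocols or not" argument in the thread: the credential is the same, only the transport decides whether a passive observer on the voice VLAN can read it.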