
Hello everyone, my name is Balázs, or Balázs B., depending on where I live, and this is "Is your phone spying on you?". I hope you had a good lunch; everybody is sleepy, so I'll try to do a good show and hopefully that will work out. A little about me: again, my name is Balázs Bucsay. You can call me Buzz. I understand it's a tricky name to pronounce, which is fine. I have over two decades of offensive IT security experience. In the past 15 years, I mainly did research and consultancy. The two companies that I worked for, probably you know them, maybe you know them, are Vodafone and NCC Group, and two years ago I decided to found my own company, which is Mantra Information Security. I'm also a software engineer, as you will see. I started to do assembly when I was 30 years old and I picked up a few skills. You can find me on Twitter and LinkedIn. Please follow me or send a connection request, and you can do the same to my company, Mantra Information Security.

I like to do crazy stuff as well. So last year I went on the Thames from source to bridge in London, which took me 9 to 10 days, about 300 km, 200 miles. And this is the company that I was talking about, Mantra Information Security. This is a boutique consultancy company. We do traditional pentests: web application, infrastructure, mobile, cloud, source code and so on, specialized trainings like runs-on protection, and also reverse engineering too. So if you're interested, just go on the website and check it out. I have a lot of cool stickers here and business cards if you're interested.

Also, I just released a book, which is called "This is scam, it will not scan". This is for non-technical people, about scammers. So there are seven chapters. In every chapter you have two interconnected stories. One story is about the victim being scammed and the other story is the scammer scamming the victim. So it's interconnected. It's well explained, and there are different topics about everything. So this is non-tech, for non-technical readers. You can download it for free. You can send it to your mom, to your grandfather, to your grandma, and they may be better protected than others. This is free because I want to help people. So you can help people as well by spreading the word: go on the website please and download it. Again, it's for free.

So let's talk about that device. It's a Cisco IP phone. I had to do a lot of research on these devices and it's a joint effort with the dub inabs. They did the hardware bit, the chip-off. So in that
chip in the middle, that's the flash that contains the firmware. They removed the flash, read out the firmware and gave it to me. I was doing the software reverse engineering. We have three devices in scope. Those are listed on the side; one of the devices is just here on the seat. So we also downloaded the stock firmware from Cisco, which was available. It's kind of the same as we dumped, but it didn't have the running configuration either. Yeah, so we quickly realized that even though we had three different devices, all devices had the same firmware. So we had to do basically one analysis in total, and we found a few issues.

So first of all, this is Cisco. I've seen these devices. Previously I worked for a big consultancy firm. I went around Europe, Asia and wherever; I went to so many offices, financial institutions, government offices, and I've seen these devices all around. Have you seen these devices? Hands up, please. Yeah, exactly. So these are really widespread. We don't tend to use IP phones that much anymore, but these are still there, right? Sometimes PCs are connected to these devices and that's how they get internet access or network access. So my baseline was: I'm not going to find anything, because it's a Cisco device, it's a big brand, also the device is widespread, so it must have been tested like 100 times. This is one of the devices that I'm talking about, this is the other one, and the third one, right? So I'm pretty sure you've seen these devices before, and even if you didn't, this is one guy who used it. Probably you know him. He's the ex-president of the United States. So these devices are not exactly the same that he had in scope, but these devices from stock use the same firmware. I'm not sure about the president, the White House and the Oval Office. They might use a different firmware for different reasons. But there's this guy, this is a recent photo, right? This is President Trump in the Oval Office and he's using the same devices. This picture is from February. So I thought that I'm not going to find any issues, but the reality is quite different. So I found quite a few issues and these are the CVEs that got assigned to a few of them; not all issues got CVEs assigned.

The first issue that I found is an information leak. This one doesn't have a CVE. If you go on the device and you open /var/log/messages, then you will find the messages file, which is the log file for Unix operating systems (the device is running Unix, by the way). In this log you will have basically an information gold mine, right? So you have all the information you could need if you're doing research or reverse engineering. It's really useful to have this. This one even had stack traces when you crash a process.

The next one is actually a denial of service vulnerability that I found. I got a CVE. It's unauthenticated: if you send the right payload to the device, it's going to crash the service. The funny thing about it is that the device has a watchdog service as well, so if you are crashing the same service multiple times, then it's going to reboot the device. So if you send the same payload over and over again, then lastly the device goes into this reboot loop and you won't be able to use it, or your computer that is connected to it.

The second buffer overflow that I found, I thought it was going to be exploitable in a better way, to get a shell, but it turned out it's a BSS buffer overflow. BSS is the segment where you store the initialized data in the memory, and basically you can do pretty clever stuff with it. One of the variables that was there was an HTTP proxy. So you can set your own proxy and some of the data is going to be sent through your boxes, so you can intercept the traffic. Other than that, you can crash the device and put it in the reboot loop.

And I think the most ridiculous and cool and fun thing that I found is basically three different API endpoints that are using tcpdump. tcpdump, if you don't know it, is a Unix tool that can be used to capture data from the network on the interfaces. One of the APIs that I found there was starting tcpdump, the second one stopping it, and the third one let me download the PCAP file, the packet capture file. So that's really funny, because it's unauthenticated. So you can do that from the network, and also we are talking about the VoIP phone that might have your computer connected to it. So I can go through that phone. So I wanted to do a demo here. I have a few scripts, so as not to take your time so much, and I'm going to start the capture, and I need a volunteer who picks up the phone, please.

Hello. Uh, can I tell you a joke?
>> Yeah.
So, it's about... so you would get it. That's it. Thank you. Yeah. Okay. So that was hopefully capturing it, and I have a script to stop it. Another script downloads it, and if the demo gods are with us then I have the pcap file here and I can go into Wireshark, play the streams, and let's see. Hello.
>> I'm not sure if you hear that, but I tried my best.
Thank you. So, the impact: as you know, there are millions of devices out there. That was patched by Cisco last year; it was released in May. So people had time to patch these devices. Still, there is no automated way to update the device. There is no OTA. So you need to do everything by hand, or remotely through XML, I believe. And I haven't told you that I only had 5 to 10 days to do this research. So I believe this is the tip of the iceberg there.

I have a few open questions for you guys which I'm not going to be able to answer, but I'm really happy to have a conversation after the talk about these. Like, I don't understand how these issues can be in firmware like this. These devices have been around for the past 10 years probably, or even more. The firmware must be somewhat the same. These are coming from Cisco, so there must be people who tested this before. What about the NSA? Have they tested these devices? Do they know about these issues? If they know, why is it not fixed? What about the White House? They use the same devices, probably different firmware. But why do they use different firmware? Because of issues like this, or different reasons? Do they have these vulnerabilities in those firmwares? Well, I'm sure... is it ignorance, incompetence or something else? I'm afraid to ask these questions, to be fair. And just in general, what can we think about the state of security of the devices in general? I think it's quite terrifying.

And also, I think closely connected to this topic, I wanted to talk about my mindset, the researcher mindset here, and I want to encourage you to do more research this way. So I think the researcher mindset, or doing research, is more than, you know, sitting down and doing stuff. It's basically a mentality. So if you are really curious, if your curiosity is bigger than your fear, then you are already a researcher. So you can sit down, you can do your own research, and it doesn't have to be groundbreaking, right? You can just do your stuff, you can learn from it, and anything that you take away, that's a win. You don't need to prove anything to anybody. So just be curious, and you don't need to know everything. You don't need to do anything, to be fair. Any time you spend on research is going to come back.

I think one of the bottlenecks, one of the reasons why people don't do research that much, is basically the success rate. I'm only ballparking these numbers, but I think it's like 90% of the time you are going to fail, 5% of the time you are going to have some kind of success, some kind of win. And that's not a really good rate. But this is hard. So you just need to live with it. There are no guarantees. So whenever you try to do something, you don't know which direction you should take, and that's why you are going to fail so much. Have you tried bug bounties before? Hands up if you have tried. A few of you. So you know very well there are no guarantees that you are going to find anything, and even if you find something, that might not be accepted.

There is imposter syndrome. I don't know if you have it; I definitely have some of it. Just because I'm standing here doesn't mean I don't have it, or any other speaker. So, you know, the difference is that you need to handle it. You need to learn how to handle it. And because of the success rates, burnout is quite high, I believe. You can have a really bad streak and then nothing comes out of it and you just give up. So that's obviously a nice thing to have. There is an emotional roller coaster because of a lot of fails and a lot of wins, or some wins. You are always in a very low state and that's why you have emotional highs that might be very high. Just to give a few examples: I was doing this research, I found the crash on the device after a few days. I was really happy with it because I had the stack traces and whatever; I thought it's going to be exploitable, and 5 days later I realized that, okay, this is not exploitable, at least not in the way that I thought. So I wasted, let's say, 5 days on something that didn't work out. That's a really high emotional high where I started and a very low low when I stopped. If you do bug bounty, you might find a critical bug. You know, we see these messages on Twitter all the time that somebody found one and they get $5,000 or 100,000 or whatever. And you might be thinking about the money, you might think about fame. You submit it and it gets rejected, declined for some reason you either don't understand, or somebody found it yesterday, or found it a year ago and they didn't bother to fix it. These things happen.

And assumptions, this is really important, I believe. You know, I had this issue all the time: I thought that the devices are going to be tested like a thousand times before, which seems not to be true. So that was an assumption that wasn't true at all. Then sometimes I have a really trivial test case that I want to test and I'm saying to myself that there is no point to test it because it's so trivial, they thought about it. But that's not the case. Sometimes you just need to test; every time you need to test everything basically, and you will find some stuff. And also there's this saying, or thinking, that okay, this is a trusted device and trusted services must be good. Well, trusted by whom, right? Not trusted by me, that's for sure. And big brands don't equal secure either. That's true. This is Cisco. They have a lot of money. They have really good processes in place, but they make mistakes. So I'm not trying to bash Cisco. They did a really good job with the responsible disclosure. I'm just telling you as an example that these kinds of things happen.

Also, when I do research, when I present my findings, when I do presentations like this, I find that people think like this: they have a linear mindset. So I talk about the research, I talk about my results, and they tend to connect the two dots with a direct line, and that's unfortunately not how it works. This is more like how it works. I do research, I have one idea, I fail a tremendous amount of times. I have an idea again, idea two, then I fail, I fail again, I fail again, idea three, not working out, idea five, whatever. And at the end I have a small success or a big success. And that's how it works. More like a tree. You don't know where you are going, whether you are going to find anything or not. I'm telling you, a lot of researchers end up with an empty tree, with no success. But that's fine. That's how it works. So, you know, whenever you find something, think about that kind of mindset I just explained, because just because it seems trivial doesn't mean that it's easy to find.

Support is really important. I find myself jealous from time to time when I read those tweets or articles about bugs. You know, I could have been finding those issues, but for some reason I didn't, right? So there is no point to be jealous; that's what I'm telling myself, because that's not going to move me forward. What I need to do is sit down, learn stuff, waste time on it, and do stuff. Also, positive and constructive feedback is, I think, really important when you're talking to a researcher or a friend or anybody, to be fair. I think it applies to life. It's not just research that we are talking about.

Responsibility is a key there. Whenever you find an issue, it's a nice thing to report it and get it fixed. You have different ways to do that. It's not a full list, but these are kind of listed here: there is responsible disclosure, full disclosure, non-disclosure, commercial. So, going back, think about this. You have a responsibility, but the responsibility goes to different groups. It can be the vendor, because you are trying to help the vendor, but sometimes the vendor doesn't care about anything else but the profit. So that's not a really good approach when we are talking about responsibility, right? So what you want to do, you might want to do full disclosure, because that's a better way to do it, just to protect the clients of the vendor, or the end users, because they are more important than the company itself. So yeah, there are different ways to do that.

And just closing notes. I just wanted to say a few things. Basically I have this saying, my favourite saying, that comparison is the thief of joy. Don't try to compare yourself to others, because that's pointless. I always need to remind myself I won't be the best at anything. I can be the best of myself. I can't be the best at anything, but I can be really good at least. Never doubt yourself, because that's going to help you. And don't build up imaginary boundaries either, because that's just going to stop you. And I think the most important thing is: make time, or waste time, because that's going to give you some experience and knowledge, and that's how growth happens. If you want to waste time on it, then you are not going to grow. That was it. Thank you for being here. [Applause] That was a little bit faster than I
thought. Sorry about rushing you through. I tried it and I thought it was going to be...
>> Yeah.
>> Yeah. So, any questions? Please.
>> So saying essentially feature someone.
>> Yeah. Yeah. Yeah.
>> Cisco, any explanation? I mean, it's not an oversight, like it does it on purpose.
>> So it was a joint effort. I found it, I reported it to the company that I worked with, Davinci, and they reported it. I'm not sure of the feedback, but I didn't get any feedback. And I don't think he got any feedback other than okay, here's the fix, here's the advisory, and that's it. So yeah, and the tcpdump is a feature on these devices. The issue, the main issue, was that it was unauthenticated.
>> Yeah, access to access that instead.
>> No, you can't access the binary itself. You have an API endpoint that you can call from your browser or whatever, and you can start the tcpdump capture process and you can stop it and you can download the PCAP file.
>> Okay. And you mentioned there's lots of context between network PCs in large commercial organizations and I know they're there. I've seen them work with this. What you call that introduced?
>> Okay, so if I understand your question and the context right, basically these phones are put on a network for some reason, you connect your computer to it and everything is routed through the phone, right? The tcpdump that I exploited, let's say, captures data on all interfaces, so even on that interface that you plug your computer into. So when you are browsing through the network, everything goes through the phone, whether it's connected or not. And that's a risk. Sorry, did that answer your question?
>> You were for SB, right? The LAN. So capture means that the original, so it won't be encrypted.
>> Okay. So, um,
>> NSA skinny.
>> I see.
>> I know systems and you can put certificate.
>> Okay. So, you know,
>> Does it?
>> Exactly. Exactly. Yeah. And I personally feel like, you know, you can have multiple security layers. One is encryption, the other one is having this bug; VLANs, you know, internet, network, whatever; you should have all of them. These aren't really optional, and if you have a bug like this you don't have at least one of the security layers in this. So these need to be fixed and patched, and, you know, this is just the tip of the iceberg. So I found these issues in 5 to 10 days. I guess there is more, maybe exploitable buffer overflows, and you can take over the device and you can send malicious data from it, and that's going to be another issue. So, you know, just because I had this to present, it doesn't mean that there is nothing else.
>> Can you tell us more how you found this trigger to the buffer?
>> It's an HTTP request. I think it was one of the headers that you sent, and you just sent too many characters and that was it. That was one. I'm not sure about the other one. Maybe that was something like SSRF first. It was more than a year ago actually. So I don't... I can answer you in private.
>> Any other questions?
>> Yeah. How do you find the endpoint that wasn't on the... on the call or...
>> Yeah, really good question. So that basically relates to the research mindset bit of the presentation. You can go on the device, you can push the buttons, you can find it easily. But what I did, because I didn't know how to start, I started to reverse engineer. I found the endpoints, how it handles them in the source code, in the binary when I reverse engineered it, and I started to try unauthenticated, because by default it wasn't unauthenticated. So obviously there are trivial ways, linear mindset, you can go straight to the point and you can find it that way, but if you don't know the way to that, it's going to be straight. Yeah. Thank you.