Cisco has recently received questions about a vulnerability in some of our 7900 series IP office phones that is said to allow eavesdropping on nearby office conversations. This was discovered by IT security researchers at Columbia University, and we thank them for reporting it to us before presenting at various security conferences.
We are actively working on a permanent fix, and have released very detailed, step-by-step guides for customers on identifying and preventing the vulnerability from being used. We’re not aware of it being used against any of our customers – largely due to the fact that it is very challenging to exploit.
Unlike other IT security issues that have received attention, this is not simply a matter of someone “hacking” into the software on one phone. As the Columbia research demonstrated, someone wishing to take advantage of the vulnerability faces several distinct challenges. They would need hardware and software skills specifically related to software at the core of IP phones, an IT network configured a very specific way, and physical access to the phone’s serial port to insert a tailor-made device pre-loaded with software.
That does not mean we take this vulnerability lightly. We first issued information to our customers at the end of last year and have recently released very detailed documents to help those responsible for protecting IP phone networks. You can see these documents here: Security Advisory and Applied Mitigation Document.
As well as offering customers the information needed to secure their phone network against this vulnerability, Cisco will issue a software update on January 21st that closes off access to the vulnerability.
UPDATE – this interim software update was released to customers ahead of schedule on January 17th.
We remain committed to making sure Cisco products maintain the highest levels of security. When we learn of vulnerabilities we will address them quickly and communicate transparently with our customers.
SVP and GM, Collaboration Technology