Here’s a video of Ang Cui and Michael Costello’s Hacking Cisco Phones talk at the 29th Chaos Communications Congress in Berlin. Cui gave a show-stealing talk last year on hacking HP printers, showing that he could turn your printer into a inside-the-firewall spy that systematically breaks vulnerable machines on your network, just by getting you to print out a document. Cui’s HP talk showed how HP had relied upon the idea that no one would ever want to hack a printer as its primary security. With Cisco, he’s looking at a device that was designed with security in mind. The means by which he broke the phone’s security is much more clever, and makes a fascinating case-study into the cat-and-mouse of system security. Even more interesting is the discussion of what happened when Cui disclosed to Cisco, and how Cisco flubbed the patch they released to keep his exploit from working, and the social issues around convincing people that phones matter. We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year’s presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa. We present the hardware and software reverse-engineering process which led to the discovery of the vulnerabilities described below. We also present methods of exploiting the following vulnerabilities remotely. Hacking Cisco Phones [29C3] ( Thanks, Ang! )
Read this article:
Your Cisco phone is listening to you: 29C3 talk on breaking Cisco phones
An anonymous reader points out just how thick a skin it takes to be a kernel developer sometimes, linking to a chain of emails on the Linux Kernel Mailing List in which Linus lets loose on a kernel developer for introducing a change that breaks userspace apps (in this case, PulseAudio). “Shut up, Mauro. And I don’t _ever_ want to hear that kind of obvious garbage and idiocy from a kernel maintainer again. Seriously. I’d wait for Rafael’s patch to go through you, but I have another error report in my mailbox of all KDE media applications being broken by v3.8-rc1, and I bet it’s the same kernel bug. And you’ve shown yourself to not be competent in this issue, so I’ll apply it directly and immediately myself. WE DO NOT BREAK USERSPACE! Seriously. How hard is this rule to understand? We particularly don’t break user space with TOTAL CRAP. I’m angry, because your whole email was so _horribly_ wrong, and the patch that broke things was so obviously crap. … The fact that you then try to make *excuses* for breaking user space, and blaming some external program that *used* to work, is just shameful. It’s not how we work,” writes Linus, and that’s just the part we can print. Maybe it’s a good thing, but there’s certainly no handholding when it comes to changes to the heart of Linux. Read more of this story at Slashdot.