Cui has spent 10 years hacking Internet-connected office telephones and other “embedded devices”, that is, devices that do not look like a computer or server but have all the features of one: a processor, memory, and often the ability to connect to other devices or the Internet. As the founder of Red Balloon Security, Cui spends a lot of time evaluating sophisticated industrial control systems and even satellite infrastructure, but he continues to return to IP phones as a barometer for advances in Internet of Things security. His latest research shows that there is still a long way to go.
At the SummerCon security conference in New York on Friday, Cui and his Red Balloon counterpart Yuanzhe Wu present new findings on a vulnerability in more than a dozen models of Cisco IP desktop phones. It can only be exploited with physical access to the target device, but if the attacker succeeds, they could gain complete control of the phone, which they could then use to eavesdrop on calls, eavesdrop on the surrounding room, or carry out other malicious activity.
“Cisco has released software updates for this issue and is unaware of the malicious use of the vulnerability described in the advisory,” a Cisco spokesman said in a statement to WIRED, citing a security notice the company announced on Wednesday.
However, Red Balloon researchers say the Cisco patch does not completely remove the vulnerability; it only makes the flaw harder to exploit. This is because the vulnerability they discovered is not actually in code that Cisco can overwrite or control. Instead, it is found in low-level firmware developed by chipmaker Broadcom for processors that Cisco uses as an additional hardware security feature. This also means that the same vulnerability is likely to be present on other embedded devices that use the same Broadcom chips.
Broadcom did not return multiple requests from WIRED for comment, but Cisco said Wednesday that there was a flaw in the implementation of Broadcom’s firmware.
“Look, we’ve all been here before with me and error detection in Cisco IP phones, and they’ve come a long way in many aspects,” Cui told WIRED ahead of SummerCon. “But the fact that there is a vulnerability here is not surprising. Ultimately, these things are no safer than they were 10 years ago.”
Red Balloon Security researchers tested the vulnerability on a Cisco 8841 phone, which features a Broadcom BCM 911360 TrustZone chip specifically designed to provide a hardware “root of trust” for the phone. Hardware roots of trust can strengthen the overall security of a device. Microsoft, for example, is currently pushing hard for users to adopt them as part of the system requirements for Windows 11. The idea is to add an additional chip that is immutable and that the main processor of the device cannot fundamentally change. In this way, TrustZone can be trusted to watch over the rest of the system and implement security protections like startup monitoring, without the risk of being corrupted itself.
Hardware roots of trust can raise the bar for device security, but in practice they also create a “who’s watching the observer” puzzle. If there are security flaws in the hardware security feature, they quietly undermine the integrity of the entire device.
The Broadcom chip that the researchers studied in Cisco phones has an application programming interface that allows limited interaction for things like setting up device encryption services. The researchers, however, found a flaw in the API that could allow attackers to trick it into executing commands it should not accept.