Cisco has warned of a vulnerability in its IP phones that could allow an attacker to eavesdrop on phone calls and conversations. The company warned 7900 Series customers of the hack two weeks after a security researcher publicly demonstrated the exploit. Ang Cui of Columbia University’s engineering department tested the hack by attaching a device to the phone’s serial port. Cui’s device then sends malicious code to the phone, targeting vulnerabilities in its software. The phone is then tricked into turning the microphone on while the handset is still on the hook.
Worse still, the display indicators are bypassed, so owners of the phone won’t even know that the microphone is active. Cisco says that it is currently working on a fix for the vulnerability that’s due for release on January 21st, but the company also notes that there’s ultimately "no way to mitigate the physical attack vector on the affected devices." The upcoming software update won't be the final fix, either: Cisco says that it needs to rewrite the phone's firmware to fully patch the exploit, which could take several months.