The Cisco IP Phone 7940 supports the Extension Mobility feature, whose authentication credentials are tied to individual users rather than to individual IP phones. A user can dynamically configure the phone at a desk as his own simply by logging in via Extension Mobility. For the feature to be abused by an attacker, the following three conditions must be satisfied:
- The internal web server of the IP phone must be enabled. The web server is enabled by default.
- The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
- The attacker must possess or obtain valid Extension Mobility authentication credentials.
An attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream. This ability can be exploited to perform a remote eavesdropping attack, as the Extension Mobility authentication is not encrypted. Before eavesdropping can occur, the user who is logged in to the IP phone via Extension Mobility must first be logged off the IP phone, and a sniffing device needs to be installed between the IP phone and the switch.
If exploitation is successful, any IP phone that is undergoing an eavesdropping attack will have its speaker phone status light enabled, and the phone will display an off-hook icon that indicates an active call is in progress. Internal testing by Cisco also revealed that the described attack produced static noise on the IP phone while it was under attack.
There are workarounds to combat this attack:
- Disable the internal web server on IP phones.
- Disable the Extension Mobility feature on IP phones.
- Disable the speaker phone / headset functionality on IP phones.
This attack can also be mitigated by restricting access to the internal web server of IP phones (TCP port 80) using an access control list (ACL).
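A sketch of the ACL mitigation in Cisco IOS syntax, added here as an example and not taken from the original advisory. The voice subnet 10.10.20.0/24, the interface Vlan20, the ACL name and the permitted administration host 192.0.2.10 are all constructed assumptions; substitute the hosts that legitimately need the phone web server in your deployment.

```cisco
! Constructed values (assumptions, not from the advisory):
!   10.10.20.0/24  voice VLAN holding the IP phones
!   Vlan20         routed interface (gateway) for that VLAN
!   192.0.2.10     the one host allowed to reach the phone web server
ip access-list extended PHONE-WEB-RESTRICT
 remark Allow the approved host to reach the phones on TCP port 80
 permit tcp host 192.0.2.10 10.10.20.0 0.0.0.255 eq 80
 remark Drop and log every other connection to the phone web server
 deny   tcp any 10.10.20.0 0.0.0.255 eq 80 log
 remark Leave all other traffic to the phones untouched
 permit ip any any
!
interface Vlan20
 description Voice VLAN gateway
 ! "out" filters traffic being routed into the voice VLAN, toward the phones
 ip access-group PHONE-WEB-RESTRICT out
```

An ACL on the routed interface only sees traffic that crosses the gateway, so a host inside the voice VLAN itself is not filtered by it. Hit counters on the deny entry, shown by `show ip access-lists PHONE-WEB-RESTRICT`, indicate whether anything is still trying to reach the phone web server.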
The information provided herein is on an "as is" basis, without warranty of any kind.