Cui has spent 10 years hacking into Internet-connected office phones and other “embedded devices” – that is, devices that do not look like computers or servers, but have all the trappings of one: a processor, memory, and often the ability to connect to other devices or the Internet. As the founder of Red Balloon Security, Cui spends a lot of time evaluating sophisticated industrial control systems and even satellite infrastructure, but he still comes back to IP phones as a barometer of how much progress has been made in securing the Internet of Things. His latest research shows that there is still a long way to go.
At the SummerCon Security Conference in New York City on Friday, Cui and his Red Balloon colleague Yuanzhe Wu are presenting new findings about a vulnerability in more than a dozen models of Cisco IP desk phones. It can only be exploited with physical access to a target device, but an attacker who has that access can gain full control of the phone, which they can then use to intercept calls, bug the surrounding space, or carry out other malicious activities.
“Cisco has released software updates for this issue and is not aware of malicious use of the vulnerability described in the advisory,”
However, Red Balloon researchers say the Cisco patch does not completely remove the vulnerability; it just makes the bug harder to exploit. This is because the vulnerability, they found, is not actually in code that Cisco can rewrite or control. Instead, it is in low-level firmware developed by chipmaker Broadcom for processors that Cisco uses as an additional hardware security feature. This also means that the same vulnerability is likely to be present in other embedded devices that use the same Broadcom chips.
Broadcom did not respond to further requests from WIRED for comment, but Cisco said Wednesday that the flaw is in Broadcom’s firmware implementation.
“Look, we’ve all been here before with me revealing IP phone errors to Cisco, and they’ve come a long way in many respects,” Cui told WIRED ahead of SummerCon. “But the fact that there is a vulnerability in here is not surprising. In the end, these things are no safer than they were 10 years ago.”
Red Balloon Security researchers tested the vulnerability on a Cisco 8841 phone, which contains a Broadcom BCM 911360 TrustZone chip specifically designed to provide a hardware “root of trust” for the phone. A hardware root of trust can strengthen a device’s overall security. For example, Microsoft is currently pushing for users to adopt them as part of the Windows 11 system requirements. The idea is to add an extra chip running code that is immutable and cannot be fundamentally changed by the device’s main processor. In this way, the TrustZone can essentially watch over the rest of the system and implement security protections such as boot monitoring without the risk of itself being corrupted.
Hardware roots of trust can raise the bar for a device’s security, but in practice they also create a “who watches the watcher” problem. If there are vulnerabilities in a hardware security feature, they quietly undermine the integrity of the entire device.
The Broadcom chip that the researchers studied in Cisco phones has an application programming interface that allows limited interaction for things like setting up device encryption services. However, the researchers found a bug in the API that could allow attackers to trick it into executing commands that it should not be allowed to accept.