Monday, January 7, 2013

Your phone is actually a computer

It doesn't matter that it looks like a phone, or that phones used to be simple electro-mechanical devices.  They're computers, and actually have been for some time.  That means that they are subject to all the computer security failures that we've seen over the years.  This is actually worse for high-end phones (the ones that businesses use) because the temptation for the vendor is to take the original stripped-down operating system kernel and make it full featured.  You see, that makes it so you can add all sorts of cool new apps that businesses will find attractive.  After all, if it's really a computer, why not treat it like a computer?

The answer, of course, is that you still think it's a phone.  That means that you don't expect that someone can pnz0r you through your voice network:
High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.

The hack, demonstrated for NBC News, allows the researchers to turn on a telephone's microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.

Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks.  For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone's LED light to stay dark when the phone's microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked.

The guys who discovered this have a very funny presentation where they describe it.  You don't have to be a computer security nerd to follow along, at least for the first 10 minutes.



This is not to throw rocks at Cisco (full disclosure: I used to work at Cisco in their security business unit, and my technology was used pretty extensively on Cisco voice products); I would say that they didn't exactly cover themselves in glory here, saying that this was less of a worry than the researchers said it was, but Cisco will fix this.

And it will happen again, on Cisco kit and on pretty much everyone else's as everything that we're used to gets computerized (hello, self-driving cars!).  When you put a computer in something, you turn it into a computer.  That's life.  The faster everyone catches on to that the safer we'll all be.

8 comments:

Jake (formerly Riposte3) said...

Even better, they're adding internet connections and more powerful computers to home appliances, now. I have to wonder how much thought for security went into those (little to none, I expect)? How much damage can they do if they're hacked?

Dave H said...

I'm going to put a computer in my pantry so I'll always have plenty of spam. (grin)

I don't think putting computers in things is the problem. Putting computers running common OSes with all the extension hooks and maintenance logins left in is the problem.

Borepatch said...

Jake,

I have to wonder how much thought for security went into those

To ask the question is to answer it.

Dave, the problem is putting unsecured computers into everything. Of course, that's what you said.

Old NFO said...

Yep, one more reason I never put Cisco phones in... I went with Avaya, which interfaced THROUGH the phone switch... :-)

Spike said...

What's really going to bake your noodle later on is that the Android/iPhone/BlackBerry in your pocket is the same sort of computer. And its security system isn't nearly as complex.

Which is why there are no electronic devices inside of Classified rooms.

B said...

and why, unless you have a cell phone where you can physically disconnect the power (battery or real switch, not just an "off" button), your cell phone is always suspect.

unless, of course, you leave it at home.

Anonymous said...

Which is why I use a rinky dink phone that sends and receives phone calls and SMS messages and that's about it. There's nothing in this world so important that I've got to be glued to Twitter and Facebook and email and whatever else every minute of the day.

Ritchie said...

I've always said that digital cameras are computers optimized to take pictures.