February 21, 2007 1:59 PM PST

Cisco IP phone flaws discovered

Cisco Systems issued a warning on Wednesday that some of its IP phones could be compromised, allowing unauthorized individuals to bypass security restrictions.

In the warning, Cisco detailed flaws for two sets of products. One warning identified two versions of the Cisco Unified IP Conference Station, a speaker phone specially designed for conference rooms. The products are the 7935 version 3.2(15) and 7936 version 3.3(12).

Cisco said that because of a design error in the HTTP interface, which allows the device to be managed remotely, an administrator's credentials are saved or cached when the device is accessed remotely. If an unauthorized person then tries to access the device at a later time, it permits access without further authentication.

If an administrator never accesses the device via the HTTP interface, the device is not vulnerable to the authentication bypass attack. Cisco said it's possible to reset the device by powering it down and turning it back on again.

Cisco also identified flaws in several versions of its Unified IP phones, including the 7906G, 7911G, 7941G, 7961G, 7970G and 7971G. These IP phones contain a default user account and password that is used for debugging purposes. Cisco said that because of an implementation error, the default user account cannot be disabled or removed, and its password cannot be changed. This means that it's possible for an unauthorized person to remotely access a vulnerable IP phone and take complete control of the device, causing it to become unstable and crash.

Cisco suggests on its Web site that network administrators apply access control lists on routers, switches and firewalls that filter traffic to vulnerable conference stations and IP phones so that traffic is only allowed from stations that need to remotely administer the devices. Cisco also said it will make free software available to address the flaws, but did not say when it would be available. Updates will be posted on its Web site.
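As an added illustration that is not taken from Cisco's advisory or from this article, an access control list of the kind described above could look like the following on a Cisco IOS router, limited here to the conference station's HTTP management interface. The addresses, ACL name and interface are constructed placeholders, and the sketch assumes the HTTP interface listens on the default TCP port 80.

```cisco
! Constructed addresses (RFC 5737 documentation ranges), not from the advisory:
!   192.0.2.10     administrator workstation
!   198.51.100.20  Unified IP Conference Station (7935/7936)
! Assumption: the station's HTTP management interface listens on TCP 80.
ip access-list extended PROTECT-CONF-STATION
 remark Allow HTTP management only from the administrator workstation
 permit tcp host 192.0.2.10 host 198.51.100.20 eq 80
 remark Drop and log every other HTTP connection to the station
 deny tcp any host 198.51.100.20 eq 80 log
 remark Leave all other traffic, including voice, unaffected
 permit ip any any
!
! Hypothetical interface: the routed interface facing the voice VLAN.
! "out" filters packets the router forwards toward the station.
interface Vlan100
 ip access-group PROTECT-CONF-STATION out
```

A routed ACL like this does not filter hosts that sit in the same VLAN as the station, since their traffic never crosses the router. Entries are evaluated top-down with first match winning, so the permit for the administrator workstation has to precede the deny.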

While attacks on voice over Internet Protocol systems are rare, security flaws could become a growing concern for network administrators, especially as the number of companies using VoIP technology increases.

VoIP allows companies to use their data networks to carry voice traffic as well as company data, such as e-mail. Not only do companies save money by consolidating networks, but the IP network also allows for a slew of new features to be added to the company's communications. Cisco's IP telephony business has grown strongly over the past few years as more and more companies upgrade their telephone networks to IP.
