Security is a major concern of every organization: we deploy firewalls, virus scanners, and patches for our computers and networks as standard operating procedure. We lock up server rooms, try to keep our mobile devices secure, and mount security cameras. But what do we do about embedded systems on our network, like IP phones or printers?

 

If you use a Cisco IP phone, you might want to consider doing something extra, like applying a patch or software update.

 

Columbia University computer scientists have discovered a way to hack the embedded system on a Cisco IP phone, one of the most ubiquitous phones in telecom, both remotely and physically. Using vulnerabilities in the OS kernel, a hacker can gain complete control over the phone, including listening to conversations when the phone is not in use. Once a phone is compromised, it can spread its malware to other devices on the network, including other phones, computers, and printers.

 

 

Note: The video only shows a physical hack. Attackers can also remotely hack the phone over the Internet.

 

Cisco has already developed a patch for this vulnerability. As of Dec 18, you must specifically request the patch from Cisco, though there are plans to include the patch in Cisco's next major update.

 

Of course, any pre-existing malware can potentially override the patch and reintroduce the vulnerabilities.

 

For more information, you can view the article on IEEE Spectrum.