Tuesday, May 24, 2022

Flaw in Cisco VoIP phones allows hackers to intercept conversations

Cisco has issued a security alert warning users of several of its voice over Internet Protocol (VoIP) phones that a flaw in the products could allow hackers to listen in on users’ conversations.

The company said the products at risk are the Cisco Small Business SPA series 300 and series 500 IP phones.

A vulnerability in the machines “could allow an unauthenticated remote attacker to listen to the audio stream” of the phones, according to Cisco. Software updates are not available at this time.

“The vulnerability is due to improper authentication settings in the default configuration,” a warning from the company said. “An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream of make phone calls remotely.”

To exploit the vulnerability, an attacker may need to access trusted, internal networks behind a firewall to send crafted XML requests to the device. This access requirement may reduce the likelihood of a successful exploit.

Cisco advised It administrators to contact the vendor regarding updates and releases.
Administrators are also advised to enable XML execution authentication in the configuration setting of the phones.

Administrators can also use IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Nestor E. Arellano
Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.