You're fired! Company warns of boardroom cyber spy
Criminals can gain a treasure trove of sensitive information by listening in to board meetings, suggest security researchers at Context Information Security, who have shown that some conference phone systems might be at risk from hackers.
The Context team managed to gain root access and take full control of a Mitel MiVoice Conference and Video Phone (also known as the Mitel UC360), potentially enabling them to listen in to meetings without alerting the room’s occupants, disable the mute button so that private discussions could be heard by everyone on a call, and maintain a remote backdoor into the network environment.
“Conference phones are ubiquitous in modern offices and are often found in less secure areas such as meeting rooms where they are privy to sensitive discussions, whether hosting a call or just sat on the table,” said Neil Biggs, Head of Research at Context. “They also present an interesting attack surface, often in segregated VLANs that aren’t visible to an infrastructure penetration test so may get overlooked. It’s possible that organisations with a mature security posture might overlook the security of these kinds of devices, but it’s important to have them tested.”
Like many similar devices, the Mitel phone uses the Android operating system and this provided the way in for the Context researchers via the ‘Ethernet Debugging’ feature, which is basically the Android Debug Bridge (ADB) over the network. By taking advantage of the device’s automatic configuration process, they could enable this feature and start exploring with the ADB shell.
“We found that the conference phone was based on Android 2.3, which has known vulnerabilities and lacks security protections we’ve grown accustomed to in later versions of the Android operating system,” said Neil Biggs. Once in, there were several weaknesses that allowed the team to escalate the attack, most of which stemmed from the firmware being in a development/testing state. This included the use of publicly available Android test-keys for signing system applications.
Context reported these issues to Mitel at the end of last year, along with a remote exploit that caused the device to reboot, and the company was quick to respond and provide mitigation advice, long-term fixes and coordinated disclosure. At present, the following mitigations should be applied to prevent the attack described:
- Configure static configuration and software URLs
- Ensure Ethernet Debugging is disabled
- Configure a strong admin password to prevent access to the admin menu
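
For teams evaluating similar Android-based devices, the development/testing-state firmware described above (test-keys signing, network ADB, an old Android release) can be checked from the image's `build.prop`. The following is an added example, not code from Context or Mitel: the property names are standard Android system properties, while the sample file and the `MIN_SDK` policy floor are assumptions constructed for illustration.

```python
# Added example: flag development/test-state indicators in an Android build.prop.
# SAMPLE_BUILD_PROP is constructed for illustration, not taken from a real device.
SAMPLE_BUILD_PROP = """\
# constructed sample
ro.build.version.release=2.3.4
ro.build.version.sdk=10
ro.build.type=eng
ro.build.tags=test-keys
ro.debuggable=1
ro.secure=0
service.adb.tcp.port=5555
"""

MIN_SDK = 23  # assumed policy floor; set this to your organisation's minimum API level


def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(props, min_sdk=MIN_SDK):
    """Return (id, message) findings for dev-state settings, in a fixed order."""
    findings = []
    if "test-keys" in props.get("ro.build.tags", "").split(","):
        findings.append(("test-keys", "image signed with public test keys"))
    if props.get("ro.build.type") in ("eng", "userdebug"):
        findings.append(("dev-build", "build type is not 'user'"))
    if props.get("ro.debuggable") == "1":
        findings.append(("debuggable", "all apps debuggable, adb root allowed"))
    if props.get("ro.secure") == "0":
        findings.append(("insecure-adbd", "adbd runs as root"))
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        port = props.get(key, "")
        if port.isdigit() and int(port) > 0:  # -1 or unset means no TCP listener
            findings.append(("adb-tcp", f"{key}={port}: ADB listens on the network"))
    sdk = props.get("ro.build.version.sdk", "")
    if sdk.isdigit() and int(sdk) < min_sdk:
        findings.append(("old-sdk", f"API level {sdk} is below floor {min_sdk}"))
    return findings


if __name__ == "__main__":
    for ident, message in audit(parse_props(SAMPLE_BUILD_PROP)):
        print(f"[{ident}] {message}")
```

A production image would normally show `release-keys`, build type `user`, `ro.debuggable=0`, `ro.secure=1` and no ADB TCP port, and so produce no findings.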