{"guid":"import-4fd5a1fd16f55e0a18","title":"Hacking Cisco Phones","subtitle":"Just because you are paranoid doesn't mean your phone isn't listening to everything you say","slug":"29c3-5400-en-hacking_cisco_phones_h264","link":"http://events.ccc.de/congress/2012/Fahrplan/events/5400.en.html","description":"We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native\nUnix), the operating system that powers all Cisco TNP IP phones. We\ndemonstrate the reliable exploitation of all Cisco TNP phones via\nmultiple vulnerabilities found in the CNU kernel. We demonstrate\npractical covert surveillance using constant, stealthy exfiltration of\nmicrophone data via a number of covert channels. We also demonstrate the\nworm-like propagation of our CNU malware, which can quickly compromise\nall vulnerable Cisco phones on the network. We discuss the feasibility\nof our attacks given physical access, internal network access and remote\naccess across the internet. Lastly, we built on last year's presentation\nby discussing the feasibility of exploiting Cisco phones from\ncompromised HP printers and vice versa.\n","original_language":"eng","persons":["Ang Cui","Michael 
Costello"],"tags":["29c3"],"view_count":1863,"promoted":false,"date":"2012-12-27T01:00:00.000+01:00","release_date":"2013-01-01T01:00:00.000+01:00","updated_at":"2026-04-07T14:45:06.609+02:00","length":3270,"duration":3270,"thumb_url":"https://static.media.ccc.de/media/congress/2012/29c3-5400-en-hacking_cisco_phones_h264.jpg","poster_url":"https://static.media.ccc.de/media/congress/2012/29c3-5400-en-hacking_cisco_phones_h264_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2012/import-4fd5a1fd16f55e0a18-timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2012/import-4fd5a1fd16f55e0a18-thumbnails.vtt","frontend_link":"https://media.ccc.de/v/29c3-5400-en-hacking_cisco_phones_h264","url":"https://api.media.ccc.de/public/events/import-4fd5a1fd16f55e0a18","conference_title":"29C3: Not my department","conference_url":"https://api.media.ccc.de/public/conferences/29c3",
"recordings":[{"size":225,"length":3270,"mime_type":"audio/mpeg","language":"eng","filename":"29c3-5400-en-hacking_cisco_phones_mp3.mp3","state":"downloaded","folder":"mp3-audio-only","high_quality":true,"width":720,"height":576,"updated_at":"2014-05-10T15:26:58.318+02:00","recording_url":"https://cdn.media.ccc.de/congress/2012/mp3-audio-only/29c3-5400-en-hacking_cisco_phones_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/3236","event_url":"https://api.media.ccc.de/public/events/import-4fd5a1fd16f55e0a18","conference_url":"https://api.media.ccc.de/public/conferences/29c3"},{"size":225,"length":3270,"mime_type":"video/mp4","language":"eng","filename":"29c3-5400-en-hacking_cisco_phones_h264.mp4","state":"downloaded","folder":"mp4-h264-HQ","high_quality":true,"width":720,"height":576,"updated_at":"2016-01-27T11:03:51.773+01:00","recording_url":"https://cdn.media.ccc.de/congress/2012/mp4-h264-HQ/29c3-5400-en-hacking_cisco_phones_h264.mp4","url":"https://api.media.ccc.de/public/recordings/3235","event_url":"https://api.media.ccc.de/public/events/import-4fd5a1fd16f55e0a18","conference
_url":"https://api.media.ccc.de/public/conferences/29c3"},{"size":225,"length":3270,"mime_type":"video/webm","language":"eng","filename":"29c3-5400-en-hacking_cisco_phones_webm.webm","state":"downloaded","folder":"webm","high_quality":true,"width":720,"height":576,"updated_at":"2016-01-27T11:03:51.810+01:00","recording_url":"https://cdn.media.ccc.de/congress/2012/webm/29c3-5400-en-hacking_cisco_phones_webm.webm","url":"https://api.media.ccc.de/public/recordings/3234","event_url":"https://api.media.ccc.de/public/events/import-4fd5a1fd16f55e0a18","conference_url":"https://api.media.ccc.de/public/conferences/29c3"}]}