As if Cisco needs any more negative publicity in light of the company’s recent developments… Reorganizing its consumer business, killing off Flip, missed earnings, layoff projections, and CEO John Chambers in the hot seat:
Now security researchers have demonstrated how easy it is to attack Cisco IP phones out-of-the-box to intercept calls or cause service disruptions via distributed denial-of-service (DDoS) methods. The vulnerability lies in the phone’s web service capabilities — a feature that Cisco recommends disabling in the user manual.
But who reads the manual in the real world, right? ITelecom administrators usually just open the box, take the phone out, and plug it into an Ethernet port. Done. That’s the beauty of the IP phone, as they’d say.
These IP phones are more prevalent in businesses now, in the office and even in the contact center where personal and often private data are handled. Such a security weakness in the phone should be taken seriously as there could be severe legal repercussions with leaked private information, or worse yet, finding out one day that all the phones in the company are out of service.
The best practice should be to harden these IP phones just as you would to a PC workstation. Things such as disabling certain services, configuring the firewall, etc. should not be overlooked.