That’s the lesson of a demonstration hackers Brandon Edwards and Ben Nell have planned for the Summercon security conference in New York today. After months of research that began with Edwards’ quest to avenge a coworker’s hazing, Edwards and Nell found vulnerabilities in a common desktop telephone that let them take control of it from any computer on the local network. With the phone fully under their command, they’ve made it perform mischief ranging from playing audio files to displaying pictures of their choosing.
Good natured pranks aside, their work shows the potential for more nefarious hacks like surreptitiously recording conversations or sniffing traffic from a connected PC.
“It’s a relatively simple device once you’re inside of it,” says Edwards. “We can make it do pretty much anything a phone can do.”
When Edwards started his job as a researcher at cloud security firm SilverSky in January, he says, a coworker sent a lewd email as a prank, then claimed the note was written by someone who’d accessed his keyboard. Edwards says he responded by spoofing an email from that guy to his boss, seeking enrollment in an HR training class on sexual harassment.
Still, Edwards wasn’t satisfied, however, and began daydreaming about a more epic retaliation involving the phone on his coworker’s desk. He called up his friend Nell, a security researcher and reverse engineering guru who immediately hit eBay to order the same phone used in Edwards’ office. Working together, Nell and Edwards found a debugging port on the back of the phone, spliced a connection to their laptops, and dumped the device’s memory. They soon discovered, as Nell puts it, “a mountain of bugs.”
“It was like you were in a room full of bugs, and you couldn’t not step on them,” he says. Among the plentiful coding errors was one that allowed them to execute what’s known as a buffer overflow, a type of exploit that allows them to write into the phone’s memory and execute arbitrary commands without any limits to their user privileges.
Nell and Edwards asked WIRED to withhold the name of the phone vendor whose coding flaws they uncovered and say they won’t reveal it during their demonstration. They have not yet told the manufacturer about their tests and would like to avoid generating controversy for their employers. But Edwards speculates that the phone they targeted isn’t any more vulnerable than others; most desktop phone manufacturers, he says, depend upon the obscurity of their code, as opposed to any real security, to keep hackers at bay. “Everyone from Cisco to Polycom to Avaya to Shoretel likely have similar issues,” he says.
In a preview of their conference demonstration for WIRED, Nell and Edward showed that they were able to hijack the target phone—with only an ethernet connection to their laptop—to simulate the hijinks they might inflict on a coworker. (A portion of that demonstration is shown in the video above, with electrical tape used to mask the phone’s brand and model.) They typed text that appeared on the phone’s screen, writing “Knock, knock, neo” in a Matrix reference. They made the phone display images like a skull and a smiley face. They played audio files like “shall we play a game?” from the 1983 film War Games. For a creepy finale, they had the phone play a 30-second clip of my own voice pulled from YouTube.
Nell and Edwards say they’ve only started exploring what else they’re able to do with the phone, but believe they could use it for tricks with less prankish security consequences, like turning on its speakerphone mic to record audio while disabling the LED indicator that might alert users. They also point out that many offices simplify their networking setup by plugging computers’ ethernet cables into deskphones instead of wall ports. Install spyware on the phone, and you could likely use it to eavesdrop on all the traffic sent to and from a connected PC. “If you’re able to get onto a device like this and execute whatever code you want, you can turn it into a personal network tap,” says Nell.
All of those attacks, Nell and Edwards admit, would first require access to the company’s internal network. But if a hacker could gain an initial foothold, say by sending a spear phishing email with a malware-laden link that took over a staffer’s computer, a vulnerable deskphone might make a useful secondary target in that spying campaign.
Edwards, meanwhile, is still limiting his phone-hacking targets to his coworkers. He’s still planning to hijack the deskphone of his officemate as soon as his exploit is perfected, and says he’s even received permission from his company’s senior executives. Some unwitting sales guy is in for a nasty surprise. A workplace tip: If you’re planning an office prank war, don’t target someone with the skills to reverse-engineer and control the phone on your desk.