Wired Magazine’s Andy Greenberg reports how a researcher at security firm SilverSky, along with a friend who was a reverse engineering tech, were able to hack a coworker’s phone to play pranks on him to get revenge for some pranking he had done. This resulted in a presentation for the Summercon security conference in New York.
The hacking they perform requires access to the internal company network that the the VOIP phones are working on. They discovered a number of bugs that could lead to more nefarious hacks.
An office deskphone hacked via ethernet to show an image on its screen. The phone has been covered in electrical tape and paper to obscure its model. Photo: Andy Greenberg/WIRED
A workplace tip: If you’re planning an office prank war, don’t target someone with the skills to reverse-engineer and control the phone on your desk.
That’s the lesson of a demonstration hackers Brandon Edwards and Ben Nell have planned for the Summercon security conference in New York today. After months of research that began with Edwards’ quest to avenge a coworker’s hazing, Edwards and Nell found vulnerabilities in a common desktop telephone that let them take control of it from any computer on the local network. With the phone fully under their command, they’ve made it perform mischief ranging from playing audio files to displaying pictures of their choosing.
Good natured pranks aside, their work shows the potential for more nefarious hacks like surreptitiously recording conversations or sniffing traffic from a connected PC.
“It’s a relatively simple device once you’re inside of it,” says Edwards. “We can make it do pretty much anything a phone can do.”
When Edwards started his job as a researcher at cloud security firm SilverSky in January, he says, a coworker sent a lewd email as a prank, then claimed the note was written by someone who’d accessed his keyboard. Edwards says he responded by spoofing an email from that guy to his boss, seeking enrollment in an HR training class on sexual harassment.
Still, Edwards wasn’t satisfied, however, and began daydreaming about a more epic retaliation involving the phone on his coworker’s desk. He called up his friend Nell, a security researcher and reverse engineering guru who immediately hit eBay to order the same phone used in Edwards’ office. Working together, Nell and Edwards found a debugging port on the back of the phone, spliced a connection to their laptops, and dumped the device’s memory. They soon discovered, as Nell puts it, “a mountain of bugs.”
“It was like you were in a room full of bugs, and you couldn’t not step on them,” he says. Among the plentiful coding errors was one that allowed them to execute what’s known as a buffer overflow, a type of exploit that allows them to write into the phone’s memory and execute arbitrary commands without any limits to their user privileges.
Nell and Edwards asked WIRED to withhold the name of the phone vendor whose coding flaws they uncovered and say they won’t reveal it during their demonstration. They have not yet told the manufacturer about their tests and would like to avoid generating controversy for their employers. But Edwards speculates that the phone they targeted isn’t any more vulnerable than others; most desktop phone manufacturers, he says, depend upon the obscurity of their code, as opposed to any real security, to keep hackers at bay. “Everyone from Cisco to Polycom to Avaya to Shoretel likely have similar issues,” he says.