According to Science Daily, computer scientists at Columbia University's Engineering department analyzed the firmware of VOIP (Voice over Internet Protocol) phones, found vulnerabilities, and identified a possible fix to the data breach risks. The researchers were Ang Cui, a Computer Science PhD candidate, and Salvatore Stolfo, a Computer Science Professor.
Their research was funded by the Defense Advanced Research Projects Agency (DARPA), the Intelligence Advanced Research Projects Activity (IARPA), and the Department of Homeland Security (DHS). The vulnerabilities increase the risk of corporate espionage and data breaches of sensitive corporate and personal information:
"At a recent conference on the security of connected devices, Cui demonstrated how they can easily insert malicious code into a Cisco VoIP phone (any of the 14 Cisco Unified IP Phone models) and start eavesdropping on private conversations -- not just on the phone but also in the phone's surroundings -- from anywhere in the world... It's not just Cisco phones that are at risk. All VoIP phones are particularly problematic... [the researchers] are particularly concerned with embedded systems that are widely used and networked on the Internet, including VoIP phones, routers, and printers..."
The vulnerability is not new, as researchers in Australia raised the issue in May 2011. What is new is the possible fix identified by Cui and Stolfo:
"Software Symbiotes is designed to safeguard embedded systems from malicious code injection attacks into these systems, including routers and printers... The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defenses..."
This is very important because VOIP phones are used by both corporations and consumers. For consumers, a hacked VOIP phone could mean more spam and phishing attacks via that phone. This data breach risk is also troublesome for SOHO businesses (e.g., attorneys, accountants) where privacy is critical.
Important research like this needs consistent and uninterrupted funding. Just as you are reading about this subject, so too are criminals. Let's hope that future tests confirm this new fix.