[ad_1]
Cui watero lived for 10 years to rip them Internet-connected phones and “other integrated devices” – that is, devices that do not look such as computers or servers but has all the advantages: processor, memory, and, often, the ability to connect to other devices or the internet. As the founder of Red Balloon Security, Cui spends a lot of time searching for high-performance industrial and satellite equipment, yet goes back to IP phones as a barometer on what happened to find the Internet of Things. His latest research shows that there is still a long way to go.
At a secret SummerCon meeting in New York City on Friday, Cui and her Red Balloon counterpart Yuanzhe Wu present new risk-related information to more than a dozen examples of Cisco IP phones. It can be used only if a person is able to use the device they want, but if the attacker is able to do this, he can still make the right call, which he can use for listening to phones, connecting to a nearby room, or other bad stuff.
“Cisco has released software updates on this issue and is unaware of any abuse of the aforementioned risk,” a Cisco spokesman told WIRED in a statement. security information the company announced Wednesday.
However, Red Balloon researchers say the Cisco patch does not eliminate all threats; it just makes the virus harder to use. This is because the risk they have identified is not in the process that Cisco can rewrite or correct. Instead, it comes in a very low-end firmware developed by chipmaker Broadcom for processors that Cisco uses as a hardware security supplement. This also means that the same risk exists in other integrated devices that use chips that are integrated with Broadcom.
Broadcom did not return a number of requests from WIRED for comment, but Cisco said Wednesday that the fault lies in the installation of the Broadcom firmware.
“Look, we’ve all been here with me to expose IP bugs in Cisco, and they’ve come a long way in many ways,” Cui told WIRED ahead of SummerCon. “But the danger here is not surprising. In the end, these things are less secure than 10 years ago. “
Red Balloon Security investigators tested security on the Cisco 8841 phone, which is equipped with a Broadcom BCM 911360 TrustZone device that is specially designed to have a “secure root” of the phone. Zida roots of dependence it can enhance the overall security of the device. Microsoft, for example, right now making a big push for users to take it as part of the requirements of Windows 11. The concept is to add another device that uses the default and cannot be changed by the main processor of the device. In this way, TrustZone can be trusted to monitor the entire system and use security as a boot monitor without the risk that they too are damaged.
Trusted weapons can be upgraded to make the defense safer, but in doing so they also create a “guardian”. If there are any problems with the hardware security, it will significantly reduce the reliability of the entire device.
The Broadcom device that the researchers studied in Cisco phones has a software interface that allows for minimal communication over features such as setting up device applications. The investigators found an error in the API, which could have allowed the attackers to trick them into making rules that should not be allowed.
[ad_2]
Source link
