[00:00:03] hacker can actually listen to everything that's going on in the room that the phone is in, regardless of whether you're in a phone call or not.

[00:00:10] Hello, my name is Ante. I am the founder and chief scientist of Red Balloon Security. So we took a Cisco phone, we took it apart, and we look at it not like a telephone but like a computer. It has a handset, has a screen, and has a bunch of numbers you can dial, but it also runs a whole lot of very vulnerable software. We extracted the firmware that runs on that computer and we systematically mapped out things that look like vulnerabilities, and over the course of two and a half months we figured out exactly where the vulnerabilities are in a portion of the system that we can reach as an attacker.

[00:00:44] So what can someone do if they were able to exploit the software and the firmware running inside your phone? Well, they can certainly listen to you when you're making phone calls. They can probably figure out who you're calling and when. But it goes way beyond that: the microphone never turns off, so the hacker can listen to every single thing that the phone hears, 100% of the time, without stop.

[00:01:06] In order to pull off this attack, and a lot of the other attacks we've disclosed over the years on IP phones, you don't need physical access. You can hit those vulnerabilities over the network, remotely.

[00:01:16] After we get access to the microphone, we decided to do something more fun, and we feed all that data into a speech-to-text engine and we tweet out the output of that. So instead of having to listen to all these conversations, you can just read it on Twitter. Cool.

[00:01:38] So this demo was produced as part of a greater research into embedded device vulnerability, and we're happy that we work very closely with Cisco in order for us to hand over the vulnerability. We disclosed it to them and they were able to very quickly turn around and issue a patch that fixed this specific security problem. I'm really happy to say that Cisco has updated the firmware on this phone, so that specific vulnerability is no longer there in the IP phones that have been updated.

[00:02:07] So there are a few problems with this. One: according to the research that we put out, very few people update firmware. This is not... hopefully this isn't news to you. You probably, like everyone else, don't want to update all of the devices' firmware as soon as they come out, and in fact the world is really bad at keeping the firmware of embedded devices up to date. So even if the vendor issues a security patch for the Cisco phone, the chances that all of the world have applied this patch is very low.

[00:02:35] The second thing is, this is not a special case. We looked at a number of other IP phones and we did not find a single IP phone that didn't fundamentally have security vulnerabilities that could allow the attacker to achieve exactly what you're seeing here on those phones. So if you have an IP phone on your desk right now, chances are there are known vulnerabilities that will allow an attacker to do exactly what we're showing you is possible on the Cisco phone.

[00:03:04] [Music]