Big Box Electronics Retailer has Vulnerable Cisco IP phones connected to their POS systems

You only have to go as far as your neighborhood electronics store to see poor Security practice. I snapped this photo below yesterday:


What’s wrong here, you ask? Well ,a couple of things. This particular Cisco phone was end of life in 2009, see link for verification:

http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7940g/end_of_life_notice_c51-526372.html

End of life in 2009 means that Cisco is no longer writing security patches or software updates for the phone since that time.  And because Cisco IP phones basically act as a 2 port switch, what this is at its most basic is a 11/12 year old network switch, one little blue ethernet cord going into the Electronic retailer’s internal network; and the other little blue cord going to the POS system.

Second, Cisco phone set ups like this [ where the phone is acting as a switch for another network endpoint/host ]  are actually poor choices for customer facing kiosks and counters due to the fact that the design exposes a physical ethernet port to the public and is open to tampering. Here, this poor choice has been compounded by the fact that this particular Electronics retailer has not engaged in a badly needed hardware refresh for 9 years, making the phone itself a target for a number of known public hacks.

To mitigate this; any Cisco phone that acts as a customer phone / public / lobby phone should not have another endpoint connected; and furthermore; the 2nd network port can and should be disabled on that phone. ( Cisco does allow the 2nd port to be disabled )

In this case, where the phones are obviously for both store employee AND customer access; any way to physically wall-off or protect those network ports from tampering would assist in mitigation. ( I’ve heard of people actually supergluing the ethernet cables in the phone ). Truth is, the over-all design of using of the 2nd ethernet port to connect to the POS system in area that is clearly accessible to the public was a huge disservice to this particular retailer by the vendor/company that sold them that design, regardless of how old the IP phone is. That second port on the phone is really meant to be used inside secure office buildings, at cubicles, in employer offices with their own physical controls in place..e.g.,  areas not accessible to the public.

These 7940 and 7960 phones were all over the store, connected to store POS systems, not just at the counter where I snapped the photo. Although theft customer credit card data does not really seem to raise eyebrows these days; so I will not go into that so much…,  however, I will touch on the point that these systems are used by employees to access all store inventory; [ e.g., at a fundamental level, modify a database and attributes of objects in a database ]. Anyone with knowledge of these systems could easily gain access by placing a remote tap on the ethernet port when no one is watching and with some work and a little reconnaissance, pretty much own the entire database. Worst case scenario, yes, but that is what I see in the picture above.

Until next time!

Advertisements
This entry was posted in Cisco, Physical Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s