Mass Call Record Collection – Cisco IP Phones
This article will demonstrate how to perform a mass collection of all phone records in an enterprise from many popular series of Cisco IP Phones and how to prevent it.
Many of the Cisco IP Phone series have a built-in web server that allows users and admins to “view the phone statistics and modify some or all the parameters”. In most modern phone series, Cisco has this web server disabled by default to “enhance security”. For those that are enabled, either by default or through a configuration change (ex. via CUCM or the phone), there is a certain level of access that is allowed without authentication.
To see a few live examples, Google: “Cisco Unified IP Phone” “Console Logs” “Current Logs In”. Note: use all three quoted phrases, after the colon, in your search and 100% of the results will be publicly accessible Cisco IP Phones.
Another example Google search: inurl:"/CGI/Java/Serviceability".
In our experience, it is common to see this embedded web server enabled on not only Cisco IP phones, but also other brands of IP Phones.
“So what? What’s the danger?” you may ask.
There is a wealth of data that can typically be seen through these embedded web interfaces – phone number, user’s name, various system debug logs, etc. Within the debug logs, such as the Console Logs, are various system details as well as call record details.
Inside those console logs, we can see SIP/call records (ex. phone numbers and dates).
During certain engagements, PEN Consultants has the need to collect all accessible console logs across an enterprise and parse out each unique phone call record in order to demonstrate the impact of these open web interfaces. To automate the process, we created a simple script, which allows us to collect thousands of call records from hundreds of phones in just a few minutes.
We are making that script publicly available for other security professionals to use during their engagements: https://gitlab.com/J35u5633k/ipphones_public
We will continue to expand on this script during future engagements in order to collect internal user names, caller ID, call length, etc.
Ensure the configuration options that Cisco provides are securely configured:
- If the web interface is not needed, disable it. If it is needed, restrict access with a password – preferably a unique password per phone/user.
- If possible, disable the Console Log feature.
- Depending on usage requirements, consider moving the phones to a different VLAN. This would not only help limit access, but could aid in quality of service (ex. prioritize VoIP traffic over workstation traffic).
- More information: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251/cucm_b_security-guide-1251_chapter_01110.html
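The VLAN boundary also gives you a place to watch for the collection pattern described above: one host opening HTTP connections to many phones in a short window. The following is an added example (not the PEN Consultants script and not any Cisco tooling) that parses ACL/firewall logs from that boundary and flags sources that reach an unusual number of distinct phone web interfaces within a sliding time window. The log format, the phone subnet 10.20.0.0/24, the threshold and the window are all assumptions for the example, and the sample log lines are constructed.

```python
"""
Flag a single source host sweeping the phone VLAN over HTTP/HTTPS, which is the
traffic shape a mass console-log collection produces.

Added example; not the page's script. The log format, phone subnet, ports,
threshold and window below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed log format of the ACL/firewall sitting at the phone-VLAN boundary.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

PHONE_VLAN = ipaddress.ip_network("10.20.0.0/24")  # assumed phone subnet
WEB_PORTS = {80, 443}                               # phone embedded web server
DISTINCT_PHONES = 5       # alert when one source reaches this many phones ...
WINDOW_SECONDS = 300      # ... within this many seconds

# Constructed sample: 10.10.5.7 touches eight phones in eight seconds;
# 10.10.5.9 is an admin looking at two phones; the rest should be ignored.
SAMPLE_LOG = [
    f"2024-03-12 09:00:0{i} src=10.10.5.7 dst=10.20.0.{10 + i} dport=80 action=permit"
    for i in range(1, 9)
] + [
    "2024-03-12 09:00:15 src=10.10.5.9 dst=10.20.0.11 dport=443 action=permit",
    "2024-03-12 09:01:30 src=10.10.5.9 dst=10.20.0.12 dport=443 action=permit",
    "2024-03-12 09:01:40 src=10.10.5.8 dst=10.20.0.11 dport=5060 action=permit",  # SIP, not web
    "2024-03-12 09:01:45 src=10.10.5.7 dst=10.30.0.5 dport=80 action=permit",     # not a phone
    "this line is not in the expected format and is skipped",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def phone_web_hits(lines):
    """Keep only events aimed at a phone's web port. Denied hits are kept too:
    a denied sweep after the VLAN ACL goes in is still worth an alert."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in WEB_PORTS and ipaddress.ip_address(ev["dst"]) in PHONE_VLAN:
            events.append(ev)
    return events


def find_sweeps(lines, threshold=DISTINCT_PHONES, window_seconds=WINDOW_SECONDS):
    """Return {source: max distinct phones} for every source that reached at least
    `threshold` distinct phone web interfaces inside some window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for ev in phone_web_hits(lines):
        per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, evs in per_src.items():
        evs.sort()                      # sliding window needs time order
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1              # drop events that fell out of the window
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, count in find_sweeps(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {count} distinct phone web interfaces "
              f"within {WINDOW_SECONDS}s")
```

Tune the threshold to how many phones a help-desk technician legitimately opens in a day, and feed the same logic the deny entries the ACL produces once the VLAN restriction is in place; a source that keeps being denied on port 80 across the phone range is exactly the behaviour the restriction was put there to stop.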
Featured image is a derivative work from the following images: ElasticComputeFarm @ https://pixabay.com/photos/telephone-technical-support-cisco-1223310/