Security Analysis of an IP Phone: Cisco 7960G

  • Italo Dacosta
  • Neel Mehta
  • Evan Metrock
  • Jonathon Giffin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5310)


IP phones are an essential component of any VoIP infrastructure. The hardware constraints and newness of these devices, as compared to mature desktop or server systems, lead to software development focused primarily on features and functionality rather than security and dependability. While several automated tools exist to test the security of IP phones, these tools have limitations and cannot provide a strong guarantee that a particular IP phone is secure.

Our work evaluates the attack resilience of a widely deployed IP phone, the Cisco 7960G, employing techniques such as vulnerability scans, fuzz tests, and static binary analysis. While the first two techniques found no vulnerabilities, the static analysis of the firmware image revealed critical vulnerabilities and fundamental software design flaws. We conclude that security designs proven useful in desktop and server software architectures should similarly appear as part of the software design for devices such as IP phones.


Keywords: VoIP security, IP phone, static binary analysis, embedded system security





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Italo Dacosta (1)
  • Neel Mehta (1)
  • Evan Metrock (1)
  • Jonathon Giffin (1)

  1. School of Computer Science, Georgia Institute of Technology, USA
