Cisco confirms that an attacker with valid Extension Mobility
authentication credentials could cause a Cisco Unified IP Phone configured to
use the Extension Mobility feature to transmit or receive a Real-Time Transport
Protocol (RTP) audio stream. This ability can be exploited to perform a remote
eavesdropping attack. All Cisco IP Phones that support the Extension Mobility
feature are vulnerable.
For this attack to be possible, several conditions need to be
- The internal web server of the IP phone must be enabled. The web server
  is enabled by default.
- The IP phone must be configured to use the Extension Mobility feature,
  which is not enabled by default.
- The attacker must possess or obtain valid Extension Mobility
Extension Mobility authentication credentials are not tied to
individual IP phones. Any Extension Mobility account configured on an IP
phone's Cisco Unified Communications Manager/CallManager (CUCM) server can be
used to perform an eavesdropping attack.
To obtain Extension Mobility authentication credentials, an attacker
needs physical access to the network to sniff credentials. This can be
accomplished by inserting a sniffing device between an IP phone and switch
Before eavesdropping can occur, the user who is logged into the IP
phone via Extension Mobility must first be logged off of the IP phone. This can
be accomplished by sending an Extension Mobility logout message to the IP
phone's Cisco Unified Communications Manager/CallManager (CUCM) server.
If exploitation is successful, any IP phone that is undergoing an
eavesdropping attack will have its speaker phone status light enabled, and the
phone will display an off-hook icon that indicates an active call is in
progress. Internal testing by Cisco also revealed that the described attack
produced static noise on the IP phone while it was under attack.
There are workarounds to combat this attack:
- Disable the internal web server on IP phones.
- Disable the Extension Mobility feature on IP phones.
- Disable the speaker phone / headset functionality on IP
This attack can also be mitigated by restricting access to the internal
web server of IP phones (TCP port 80) using a transit access control list
(tACL). For more information on transit access control lists, reference this
For more information about Cisco-recommended best practices for
securely deploying Cisco Unified IP Phones, reference this link:
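As an added illustration of the tACL mitigation described above (this is not configuration from the Cisco advisory), the Cisco IOS extended ACL below permits only the CUCM servers and an administration subnet to reach TCP port 80 on the phone VLAN and denies every other source. The phone subnet, CUCM addresses, administration subnet and interface name are assumed placeholders.

```cisco
! Assumed addressing (placeholders, not taken from the advisory):
!   phone VLAN            10.10.20.0/24
!   CUCM cluster nodes    10.10.1.10, 10.10.1.11
!   administration subnet 10.10.5.0/24
ip access-list extended PHONE-WEB-TACL
 remark -- CUCM must still reach the phone web server for Extension Mobility
 permit tcp host 10.10.1.10 10.10.20.0 0.0.0.255 eq 80
 permit tcp host 10.10.1.11 10.10.20.0 0.0.0.255 eq 80
 remark -- administrators may view phone web pages for troubleshooting
 permit tcp 10.10.5.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
 remark -- every other source is blocked from TCP 80 on phones; log for monitoring
 deny   tcp any 10.10.20.0 0.0.0.255 eq 80 log
 remark -- call signaling and RTP media are not affected by this list
 permit ip any any
!
! Apply outbound on the routed interface facing the phone VLAN (name assumed)
interface Vlan20
 ip access-group PHONE-WEB-TACL out
```

Because a tACL is enforced at a routed hop, it does not restrict hosts that already sit on the phone VLAN, so the disable-web-server and disable-Extension-Mobility workarounds remain the controls for that case. The log keyword on the deny entry produces a record of blocked connection attempts to phone web servers that can be monitored.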