Governments are actively spying on people’s smartphones. Your car’s infotainment system can now be hacked. And cybercriminals are actively stealing credit card numbers from other cybercriminals.

These were among the uplifting subjects presented at this week's Kaspersky Annual Summit in San Juan, P.R. (Kaspersky Lab, the Russian company that holds the conference, requires that presenters take shots of rum after each talk, perhaps to deal with the stress.)

One of the scarier presentations was delivered by Ang Cui, a Columbia Ph.D. student, who demonstrated how to spy on calls made with Cisco’s VoIP phone. Yes, that is the same phone pictured here next to President Obama aboard Air Force One.

[Photo: the Cisco VoIP phone, pictured next to President Obama aboard Air Force One]

In Mr. Cui's presentation, titled "Just because you are paranoid doesn't mean your phone isn't listening to everything you say," he demonstrated how to exploit a flaw in the phone's kernel, the core of its operating system that mediates between the device's hardware and its software. With control of the kernel, Mr. Cui could remotely turn the phone into a listening device and capture its audio. Feeding that audio to Google's speech-to-text service, he showed how he could transcribe any call and search the transcripts for keywords like "nuclear" or "missile strike."

“There’s no defense against this,” Mr. Cui told the audience. “Every single Cisco phone in the world has this vulnerability.”

Mr. Cui and his adviser, Salvatore J. Stolfo, informed Cisco of the vulnerability last October. Two days later, Cisco confirmed the problem and within a week issued a fix.

But almost immediately, Mr. Cui told Cisco he had found five ways around the patch. Three weeks later, on Nov. 20, Cisco released a new patch. (Curiously, the patch was not available for download from Cisco's Web site; to get it, you had to call Cisco customer support and request the patch by name.)

But once again, Mr. Cui found a way around it. Since then, Cisco seems to have given up, leaving 50 million of its phones vulnerable to spying.

Cisco declined to comment. But in a statement last November it said: “We can confirm that workarounds and a software patch are available to address this vulnerability, and note that successful exploitation requires physical access to the device serial port, or the combination of remote authentication privileges and non-default device settings.”

Mr. Cui said he had been working on his own fix — with funds from the Defense Advanced Research Projects Agency, or DARPA — and plans to introduce it at the RSA security conference in San Francisco later this month.