Security researchers have designed a stealthy eavesdropping attack that sounds like it's straight out of a James Bond movie. It starts with a booby-trapped document that compromises an unpatched laser printer, which in turn converts a popular Internet phone into a covert bugging device.

The proof-of-concept attack exploits currently unpatched vulnerabilities in the Avaya one-X 9608, a popular model of phone that uses the Internet rather than a standard phone line to make and receive calls. Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, declined to provide many details on the vulnerabilities until users have had time to install a patch that Avaya is expected to release soon. He did say the weaknesses allow devices on the same local network to remotely execute code that causes the device to surreptitiously record all sounds within earshot and transmit them to a server controlled by attackers. He demonstrated a similar bugging vulnerability last year in competing Internet phones designed by Cisco Systems, which has since patched the underlying bugs.

Cui, who is scheduled to present his research Friday at the RSA security conference in San Francisco, said the attack underscores the growing susceptibility of phones, routers, and other embedded devices to the types of malware attacks that once threatened only computers. He and Salvatore Stolfo, who is a Columbia University professor of computer science and a Red Balloon director, have devised software dubbed Symbiote, which runs on Internet phones and other embedded devices and alerts users whenever changes are made to the firmware. Symbiote is part of a larger defense the pair has developed called AESOP, short for the Advanced Embedded Sec Ops.

The compromise begins with a booby-trapped document that, when printed, executes malicious code on certain models of HP LaserJet printers that have not been patched against a critical vulnerability. Once compromised, the printers connect to attack servers, creating a means for outside hackers to bypass corporate firewalls. The attackers then use the printers as a proxy to enumerate and connect to other devices in the corporate network.

Once an Avaya 9608 phone is discovered, the attackers can inject code into it that infects its firmware. The compromise, which survives reboots, activates the phone's microphone without turning on any lights or otherwise giving any indication that anything is amiss. The infected phones can be set up to record conversations only after attacker-chosen keywords are detected. Recorded conversations can be sent through a corporate network onto the open Internet, but the malware also has a secondary method for exfiltration that bypasses any devices that block suspicious network traffic. In the event that such devices are detected, the malware can turn a phone's circuit board into a radio transmitter that sends the recorded conversations to a receiver that's anywhere from several inches to 50 feet away, depending on environmental variables.

A sign of things to come

The big disadvantage of the attack being demonstrated Friday is its reliance on specific printer and phone vulnerabilities, which means it works against only a tiny fraction of devices. The larger point is that bugs in electronics firmware are notoriously easy to exploit, as a small shows. Even if a target isn't using the phones or printers featured in the demonstration, chances are good that the target is using some constellation of devices that are susceptible to remote hijacking. And besides, many organizations fail to apply firmware updates, so even if a patch has been released, there's a good chance that it will never get installed on many vulnerable devices.

For most of the past two decades, software exploiters have focused most of their talent on compromising computers, the vast majority of which ran Microsoft operating systems. Now that modern versions of Windows are becoming much harder to commandeer, hackers are turning their attention to newer devices. There's a dizzying array of defenses against attacks on computers. By contrast, there are relatively few options for preventing attacks that target routers, printers, and phones—but that's not likely to be the case for much longer.