No. 2: Cisco VoIP: The bad and the ugly
As fast as Cisco's marketing team is pushing its unified communications strategy to the market Cisco's security team is issuing security advisories and responses related to its VoIP products - we counted seven in the past year (Cisco security advisories here; Cisco security responses here). Perhaps the most significant is the revelation that it is possible to eavesdrop on remote conversations using Cisco VoIP phones. Cisco confirmed late November that: "... an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream."
The revelation followed reports a month earlier that two security experts at hacker conference ToorCon9 in San Diego hacked into their hotel's corporate network using a Cisco VoIP phone.
No. 1: Duke University's Wi-Fi data flooding: Was the culprit Apple's iPhone or Cisco's network equipment?
On July 14, Network World reported that the Wi-Fi connection on Apple's iPhone appeared to be the source of a big headache for network administrators at Duke University. Network administrators there witnessed dozens of access points being knocked out as the devices were flooded with 180,000 requests per second from Apple's mobile device. The story ignited a tidal wave of interest among IT professionals and bloggers on the Internet.
On July 20, Cisco confirmed the problem was caused by a Cisco network issue and later that month, it issued a security advisory detailing what caused the address storms. According to the advisory, Cisco's wireless LAN controllers have "multiple vulnerabilities in the handling of Address Resolution Protocol (ARP) packets." These vulnerabilities "could result in a denial of service (DoS) in certain environments." The vendor offered free software to patch this problem, and noted that "there are workarounds to mitigate the effects of these vulnerabilities."