14 November 2004. Thanks to A.
In the SIP images of Cisco 7960/7940 (and perhaps 7970/7980) phones, there is a "telnet" option which can be enabled. In the highest access mode of this interface, it is possible to activate a "test keys" mode, which would allow an external party to make calls to remote (external) destinations without the local user hearing any indication that the phone had been placed into "remote intercom" mode. The test key mode allows a telnet user to simulate the exact keystrokes of a local user.
Additionally, there is a feature called "auto-answer" which can be activated on a single line, meaning that whatever SIP username is associated with that line will also achieve an auto-answer (on speakerphone, if available) for that line. This also can be used as a remote area surveillance system. (Example: in our office, I have a special extension which calls all phones across the entire office and muxes them back into a single conference bridge, so that I can listen to the entire office at night to see if there is anything amiss (fan noises, UPS signalling, fire alarms, voices.))
Both variations create a bright green LED to light up on the deskset, and also the LCD screen shows the status of the "call" in progress, so there is some external indication that something is happening.
Cisco has made some progress in ensuring that "pirate" versions of code for the phones is not easily developed and uploaded; updated versions need to be cryptographically signed before the phone will upload them (exact methods unknown) which to some degree mitigates threat from versions which have no physical indications, though anything is possible with enough budget and brainpower.
Both of these "features" are available currently on the SIP images and present different threat situations for voice surveillance.
I don't know if they're also available in the SCCP or H.323 versions of the code. Both are exceedingly dangerous, and telnet mode should never be enabled in an insecure (or even secure) environment.
The intercom feature is also an issue, since there is no reverse authentication from the Cisco phones (another major failing inmy opinion of Cisco's SIP practical implementation strategy.)