We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year's presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa.