Flaws in legacy Internet phone systems can remain hidden for years, and hackers are all over them, increasingly using them as back doors to enter company IT networks.
According to the McAfee Advanced Threat Research team, it discovered such a vulnerability in the Avaya 9600 series IP desk phone that could be leveraged by attackers to access the phone and eavesdrop on conversations – effectively turning the $80 device into a bug.
McAfee reports that it found the back door while working on a wider project designed to detect vulnerabilities in voice over Internet protocol (VoIP) communications.
The weakness: a piece of software
The security flaw was traced directly to a piece of open source software for the Avaya phone, and McAfee believes it was copied and modified at least 10 years ago. Avaya, the security firm says, simply failed to recognize and patch it.
Internet of Things devices like VoIP phones “tend to blend into our environment, in some cases not warranting a second thought about the security and privacy risks they pose,” says Philippe Laulheret, a senior security researcher on the McAfee team working on the problem. “In this case, with a minimal hardware investment and free software, we were able to uncover a critical bug that remained out of sight for more than a decade.”
Avaya was prompted to fix the problem, and the company says it has since been repaired.
The incident demonstrates how security issues can creep into your business through unforeseen areas such as Internet phone systems, not the first place you’re likely to check for danger.
A must-do: security checks
When your IT professionals install VoIP phones, even the latest models, they must be reminded to run security checks on them. Vulnerabilities in their software can open your entire network to cyberattackers.
Internet phones are actually minicomputers and bring many of the security vulnerabilities that plague desktop computers. Worse, they run code that your IT team may not manage and that is unlikely to be subjected to the same security updates as your computers. This is one way legacy security issues can remain in place for as long as a decade.
If you have adopted VoIP phone technology, make sure you regularly revisit the phones’ software and security provisions and ensure that they are brought inside the network. Hacking is now cheaper and easier than it has ever been, and the reason VoIP phones have not been attacked more stems from amateur hackers’ ignorance of their vulnerabilities.
- Avaya is the second-largest VoIP phone system seller, with an installation base covering about 90% of the Fortune 100 companies. Its products target a wide spectrum of customers, from small businesses to large corporations.
- Don’t ignore your VoIP devices in a security review. Make sure you implement standard security-access restrictions on your phones as well as your computers.
- VoIP software vulnerabilities will arise if you’re using older phones with dated software. But even newer devices are being sold on the market with software dating back over a decade. In the Avaya case, the phone’s software was copyrighted in 2007.