New Warning As Even Office Phones Expose Corporates To Risk Of Cyberattack: Report

The humble office desk phone has become the latest device to fall foul of security research into vulnerabilities that open up the risk of espionage and cyberattack. Organizations using Avaya's popular range of VoIP phones are being warned to check that firmware on the devices has been updated, after a security researcher on McAfee's Advanced Threat Research team reported a Remote Code Execution (RCE) vulnerability in open source software. The issue exposes organisations to the potential that conversations could be recorded and files accessed—all remotely.

Avaya is second only to Cisco in the enterprise VoIP market, and is used by almost all of the Fortune 100. The company's response and advisory notice can be found here.

"The bug affecting the open source software was reported in 2009," researcher Philippe Laulheret reported, "yet its presence in the phone’s firmware remained unnoticed until now." In a video demonstration on McAfee's website, Laulheret shows how a threat actor can remotely hijack a phone, pulling audio and potentially "bugging" the device. As long as the attacker is on the same network as the phone, the vulnerability is exposed. Avaya's firmware update can be found here, and companies with 9600 Series, J100 Series or B189 phones are advised to patch the issue now.

Laulheret includes plenty of detail as to how the vulnerability was researched and the various levels of risk it exposes. His written report is worth a read. The bigger picture issue, though, relates to the myriad IoT devices now deployed in organizations, which are fast becoming the most significant cyber risk given their lack of focus, awareness and upgrade/update strategy.

An Avaya spokesperson told me that the company "has a clear and well-defined policy that requires our products to use the most recent software release to make sure security issues are addressed in a timely manner. Avaya thanked Philippe Laulheret for his responsible disclosure and cooperation with Avaya during the handling of this matter. Customers should always make sure that physical access to communications devices are limited to approved personnel to prevent physical tampering with these devices by unauthorized entities."

The exposure of this vulnerability comes the same day as NCC Group security researchers exposed a potential Remote Code Execution (RCE) cybersecurity issue with the leading brands of office printers and just days after Microsoft disclosed that it had caught Russia military hackers attacking companies using IoT devices as their entry point—those devices included a VoIP phone and an office printer.

Notice the pattern emerging?

Microsoft has warned that IoT risks need to be addressed as a matter own urgency—the software giant issued 1400 warnings to enterprises potentially attacked by the Russian hackers it had identified, and the company has called for raised awareness of "the risks across the industry and better enterprise integration of IoT devices—today, the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined."

A week ago, I reported on the multiple zero-day vulnerabilities exposed in VxWorks, the real-time operating system inside 2 billion IoT devices around the world. Again, the VxWorks vulnerabilities impacted seemingly low-risk devices: printers, firewalls, medical equipment, VoIP phones. "IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight," Microsoft has warned. "In most cases however, the customers’ IT operation center don’t know they exist on the network."

There is no safety in numbers with IoT devices. The anticipated growth in the number of IoT devices over the coming years is a major security concern. IHS Markit forecasts 125 billion such devices by 2030. The truth is that the vast numbers of new connected endpoints are hitting corporates woefully unprepared to deal with them. Smart devices are all well and good, but without the security maintenance processes around those devices they become risks. Scale endpoint security is set to become one of the primary information security themes in the coming months.

In the meantime, if you find yourselves reading this while glancing at the office phone on your desk or the printer on the corner of the floor, then at least awareness is increasing.

—

Updated with statement from Avaya.

">

The humble office desk phone has become the latest device to fall foul of security research into vulnerabilities that open up the risk of espionage and cyberattack. Organizations using Avaya's popular range of VoIP phones are being warned to check that firmware on the devices has been updated, after a security researcher on McAfee's Advanced Threat Research team reported a Remote Code Execution (RCE) vulnerability in open source software. The issue exposes organisations to the potential that conversations could be recorded and files accessed—all remotely.

Avaya is second only to Cisco in the enterprise VoIP market, and is used by almost all of the Fortune 100. The company's response and advisory notice can be found here.

"The bug affecting the open source software was reported in 2009," researcher Philippe Laulheret reported, "yet its presence in the phone’s firmware remained unnoticed until now." In a video demonstration on McAfee's website, Laulheret shows how a threat actor can remotely hijack a phone, pulling audio and potentially "bugging" the device. As long as the attacker is on the same network as the phone, the vulnerability is exposed. Avaya's firmware update can be found here, and companies with 9600 Series, J100 Series or B189 phones are advised to patch the issue now.

Laulheret includes plenty of detail as to how the vulnerability was researched and the various levels of risk it exposes. His written report is worth a read. The bigger picture issue, though, relates to the myriad IoT devices now deployed in organizations, which are fast becoming the most significant cyber risk given their lack of focus, awareness and upgrade/update strategy.

An Avaya spokesperson told me that the company "has a clear and well-defined policy that requires our products to use the most recent software release to make sure security issues are addressed in a timely manner. Avaya thanked Philippe Laulheret for his responsible disclosure and cooperation with Avaya during the handling of this matter. Customers should always make sure that physical access to communications devices are limited to approved personnel to prevent physical tampering with these devices by unauthorized entities."

The exposure of this vulnerability comes the same day as NCC Group security researchers exposed a potential Remote Code Execution (RCE) cybersecurity issue with the leading brands of office printers and just days after Microsoft disclosed that it had caught Russia military hackers attacking companies using IoT devices as their entry point—those devices included a VoIP phone and an office printer.

Notice the pattern emerging?

Microsoft has warned that IoT risks need to be addressed as a matter own urgency—the software giant issued 1400 warnings to enterprises potentially attacked by the Russian hackers it had identified, and the company has called for raised awareness of "the risks across the industry and better enterprise integration of IoT devices—today, the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined."

A week ago, I reported on the multiple zero-day vulnerabilities exposed in VxWorks, the real-time operating system inside 2 billion IoT devices around the world. Again, the VxWorks vulnerabilities impacted seemingly low-risk devices: printers, firewalls, medical equipment, VoIP phones. "IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight," Microsoft has warned. "In most cases however, the customers’ IT operation center don’t know they exist on the network."

There is no safety in numbers with IoT devices. The anticipated growth in the number of IoT devices over the coming years is a major security concern. IHS Markit forecasts 125 billion such devices by 2030. The truth is that the vast numbers of new connected endpoints are hitting corporates woefully unprepared to deal with them. Smart devices are all well and good, but without the security maintenance processes around those devices they become risks. Scale endpoint security is set to become one of the primary information security themes in the coming months.

In the meantime, if you find yourselves reading this while glancing at the office phone on your desk or the printer on the corner of the floor, then at least awareness is increasing.

—

Updated with statement from Avaya.

Comments are closed.