Posted: 11 Oct 2019 05:52 AM PDT
Flaws in legacy Internet phone systems can remain hidden for years, and hackers are increasingly using them as back doors to enter company IT networks.
The McAfee Advanced Threat Research team says it discovered such a vulnerability in the Avaya 9600 series IP desk phone that could be leveraged by attackers to access the phone and eavesdrop on conversations – effectively turning the $80 device into a bug.
McAfee reports that it found the back door while working on a wider project designed to detect vulnerabilities in voice over Internet protocol (VoIP) communications.
The weakness: a piece of software
The security flaw was traced directly to a piece of open source software for the Avaya phone and McAfee believes it was copied and modified at least 10 years ago. Avaya, the security firm says, simply failed to recognize and patch it.
Internet of Things devices like VoIP phones "tend to blend into our environment, in some cases not warranting a second thought about the security and privacy risks they pose," says Philippe Laulheret, a senior security researcher on the McAfee team working on the problem. "In this case, with a minimal hardware investment and free software, we were able to uncover a critical bug that remained out of sight for more than a decade."
Avaya was prompted to fix the problem, and the company says it has since been repaired.
The incident demonstrates how security issues can creep into your business through unforeseen areas such as Internet phone systems -- not the first place you're likely to check for danger.
A must-do: security checks
When your IT professionals install VoIP phones, even the latest models, they must be reminded to run security checks on them. Vulnerabilities in their software can open your entire network to cyberattackers.
Internet phones are actually minicomputers and bring many of the security vulnerabilities that plague desktop computers. Worse, they run code that your IT team may not manage and that is unlikely to be subjected to the same security updates as your computers. This is one way legacy security issues can remain in place for as long as a decade.
If you have adopted VoIP phone technology, make sure you regularly revisit the phones' software and security provisions and ensure that they are brought inside the network. Hacking is now cheaper and easier than it has ever been, and the reason VoIP phones have not been attacked more stems from amateur hackers' ignorance of their vulnerabilities.