A brand of office phone so widespread that it is used by 90% of Fortune 100 companies has been found to have a vulnerability that could enable a malicious actor to listen in on calls and even take control of the phones while they are being used.

The vulnerability, which was discovered by McAfee Labs, has been found on a model of deskphone made by Avaya, the second largest provider of VoIP solutions such as office phones in the world.

Go deeper with GlobalData

Premium Insights

The gold standard of business intelligence.

Find out more

Related Company Profiles

View all

The model in question, the Avaya 9800 series, was found to use a piece of open source containing a remote code execution (RCE) vulnerability first identified in 2009. However, its presence in the phone remained unnoticed until now.

Upon finding the issue, McAfee immediately notified Avaya, which produced and released a patched firmware image to resolve the issue. This has now been out for over 30 days, however it is up to IT administrators to deploy it, meaning that while it is likely to have been resolved in most businesses, it is not clear how many of the phones remain unpatched.

Vulnerability enabled office phones to be bugged

It is not known if the office phones vulnerability was ever used by hackers to gain access to phones, but the potential for access prior to Avaya’s fix was significant.

In a blog post outlining the vulnerability for security researchers, McAfee Labs found that the phone could be accessed via a laptop either directly or through a company network. Once an attacker gained access, they would be able to ‘bug’ the phone, take over its operation or extract audio from the speaker phones.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

The vulnerability, while now resolved, is a reminder to be wary of the security of connected devices using legacy code.

“Legacy code and technical debt can be found everywhere in our increasingly connected world; if left unpaid, the resulting ‘interest’ can be detrimental,” said Raj Samani, chief scientist and McAfee fellow.

“Technology is only as secure as the weakest link in the chain, and this can many times be a device you might not expect. This highlights the importance of staying on top of network monitoring: if connected devices are talking with each other when they are not supposed to, this should raise red flags.”

Read more: Weak IoT security puts office printers at risk of Russian cyberattacks