A brand of office phone so widespread that it is used by 90% of Fortune 100 companies has been found to have a vulnerability that could enable a malicious actor to listen in on calls and even take control of the phones while they are being used.
The vulnerability, which was discovered by McAfee Labs, has been found on a model of deskphone made by Avaya, the second largest provider of VoIP solutions such as office phones in the world.
The model in question, the Avaya 9800 series, was found to use a piece of open source containing a remote code execution (RCE) vulnerability first identified in 2009. However, its presence in the phone remained unnoticed until now.
Upon finding the issue, McAfee immediately notified Avaya, which produced and released a patched firmware image to resolve the issue. This has now been out for over 30 days, however it is up to IT administrators to deploy it, meaning that while it is likely to have been resolved in most businesses, it is not clear how many of the phones remain unpatched.
Vulnerability enabled office phones to be bugged
It is not known if the office phones vulnerability was ever used by hackers to gain access to phones, but the potential for access prior to Avaya’s fix was significant.
In a blog post outlining the vulnerability for security researchers, McAfee Labs found that the phone could be accessed via a laptop either directly or through a company network. Once an attacker gained access, they would be able to ‘bug’ the phone, take over its operation or extract audio from the speaker phones.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataThe vulnerability, while now resolved, is a reminder to be wary of the security of connected devices using legacy code.
“Legacy code and technical debt can be found everywhere in our increasingly connected world; if left unpaid, the resulting ‘interest’ can be detrimental,” said Raj Samani, chief scientist and McAfee fellow.
“Technology is only as secure as the weakest link in the chain, and this can many times be a device you might not expect. This highlights the importance of staying on top of network monitoring: if connected devices are talking with each other when they are not supposed to, this should raise red flags.”
Read more: Weak IoT security puts office printers at risk of Russian cyberattacks