CLICK TO SHARE
You probably know by now about rampant insecurity in Internet of Things devices. You've likely even heard about vulnerabilities in desk phones specifically. Security research into the devices—and the potential for hackers to take them over, turn them into listening devices, or use them as jumping off points to take over corporate networks—has been going on for years. But even in security it seems that no good deed goes unpunished. At the DefCon security conference in Las Vegas on Thursday, researchers are presenting findings about a flaw in Avaya desk phones that was originally patched in 2009. And then came back from the dead.
Experts at McAfee Advanced Threat Research say they were just doing general studies of Avaya desk phone security when they stumbled on the reincarnated bug. An attacker could exploit it to take over the phone’s operations, extract audio from calls, and even essentially bug the phone to spy on its surroundings.
“It was kind of a holy crap moment,” says Steve Povolny, McAfee's head of advanced threat research. The work is being presented at DefCon by Philippe Laulheret, a senior security researcher at McAfee who led the investigation. "There was a fix for the original bug shortly after it was disclosed publicly in 2009, but it seems that Avaya forked the code later, took the pre-patched version, and didn’t properly account for the fact that there was a public vulnerability there."
Three popular series of Avaya desk phones are affected, and the company released a new patch for the vulnerability on July 18. The McAfee researchers say Avaya was responsive and proactive about working to quickly issue a fix, and that it is even taking steps to harden related systems and future devices to make it more difficult for attackers to find and exploit similar bugs if others ever do crop up. The company did not return a request for comment from WIRED.
Though a fix is now available (again), the McAfee researchers note that it will take time for the patch to distribute out to all the corporate and institutional environments where vulnerable phones are lurking on every desk. It's a classic challenge of IoT security, because even when patches exist for vulnerabilities, it is often difficult in practice for users to apply them. And the McAfee researchers also point out that bugs like these are worryingly easy for potential attackers to find, since IoT devices often don't have strong physical and digital protections in place against an attacker or researcher doing recon on a test device. Povolny says that with the Avaya desk phones, it took only basic hacking skills to gain access to the device's systems and firmware (the foundational code that coordinates a device's hardware and software) and analyze them for flaws.
Watch the video:
Post a comment.
CLICK TO SHARE