How do you organize a secure deskphone? Does your desk phone pose a major security risk? It seems to be the case since the security experts of McAfee recently found a dangerous bug that could cause a major data leak in desktop telephones. And that’s not all, there are also other business VoIP and deskphone security risks which we should prepare for. We briefly review them in this blog.
Let’s start with the McAfee findings. Researcher Philippe Laulheret didn’t find a new advanced virus that targets desktop phones. On the contrary, he detected an already long-existing (for over a decade) bug in some popular Avaya deskphones. For parts of the firmware, open source code was used. A vulnerability which was already published, well documented and resolved long ago in the open-source community was still existing in the firmware version of these desktop phones. Laulheret was immediately on high alert when he accessed the deskphone system software and found an outdated help file. In his own words: “Showing a detailed help screen describing its expected arguments is normal behavior, but a 2004-2007 copyright is a big red flag.”
Indeed, an open source code version was used which still contained known bugs that affect the H.323 software stack (not SIP). They allow hackers to access the device remotely, capture audio and listen in to conversations. So, the impact of abusing this bug could be very serious. Specifically, since it is not a bug in a rarely used system. Avaya is the second-largest provider in the VoIP domain with an installed base at a wide spectrum of customers worldwide. From small business and midmarket to large corporations, including 90% of the Fortune 100 companies. Also, it is just one example of one device, as is explained in the McAfee blog about this vulnerability:
“important to realize this is not an isolated case and many devices across multiple industries still run legacy code more than a decade old. From a system administration perspective, it is important to consider all these networked devices as tiny black-box computers running unmanaged code which should be isolated and monitored accordingly.”
In plain English: we just focused on this bug in this particular device, but there may be plenty more in the firmware of other devices. Firmware which doesn’t receive regular updates and therefore may contain known vulnerabilities.
Of course, also the core infrastructure and communications manager software are vulnerable. For example, recently Cisco published a vulnerability in the User Data Services API of its Unified Communications Manager (CUCM). The vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the management GUI. Another vulnerability was reported which makes it possible to gain unauthorized access to the call manager system. While a weakness in the Session Initiation Protocol (SIP) protocol implementation of the CUCM could be used for a denial of service (DoS) attack. Such an attack triggers a new registration process on all connected phones, temporarily disrupting the phone service. These are just a few examples of recent Security Vulnerabilities for the Unified Communications Manager as reported by Cisco. Something which needs close and constant attention of your IT management team.
IT departments often consider people as the biggest security risks, due to their undisciplined behavior when it comes to usernames, passwords and PINs. Even if the IT department complies with all IT security standards, their policies are undermined by employees using the same password for all accounts, never change passwords, use simple passwords, share passwords or disable passwords whenever they can.
The same behavior causes deskphone security risks. First, these devices are often ‘open for all’ since they are typically less considered as a risk compared to computers. But given the fact that modern VoIP deskphones contain sensitive contact data, provide access to voicemail systems and can be abused for outgoing calls, it is worthwhile to change this approach. Typical measures vary from blocking phones outside office hours to access protection using a username and PIN.
Such a secure deskphone login process is however is inconvenient and stimulates undisciplined behavior like using a short PIN and not logging out. However, using the ALM solution to synchronize between the deskphone and the end user’s computer, the login is fully automated, as we explained in another blog.
So, besides the deskphone security risks as detected by McAfee and other security experts, your desktop phone is also vulnerable to attacks via the infrastructure and communications manager software. And even if these security risks are eliminated, there are still the end-users who may be the weakest link. This weak spot however can be secured using the ALM software of RSconnect.
Given the more demanding privacy regulations as dictated by GDPR and other data protection and privacy regulations, protecting your VoIP service and organizing a secure deskphone is becoming more important. We are ready to help you.