The humble office desk phone has become the latest device to fall foul of security research into vulnerabilities that open up the risk of espionage and cyberattack. Organizations using Avaya’s popular range of VoIP phones are being warned to check that firmware on the devices has been updated, after a security researcher on McAfee’s Advanced Threat Research team reported a Remote Code Execution (RCE) vulnerability in open source software used in the phones’ firmware. The issue exposes organizations to the risk that conversations could be recorded and files accessed, all remotely.
Avaya is second only to Cisco in the enterprise VoIP market, and is used by almost all of the Fortune 100. The company’s response and advisory notice can be found here.
“The bug affecting the open source software was reported in 2009,” researcher Philippe Laulheret reported, “yet its presence in the phone’s firmware remained unnoticed until now.” In a video demonstration on McAfee’s website, Laulheret shows how a threat actor can remotely hijack a phone, pulling audio and potentially “bugging” the device. As long as the attacker is on the same network as the phone, the vulnerability is exposed. Avaya’s firmware update…