How a 10-Year-Old Desk Phone Bug Came Back From the Dead

YOU PROBABLY KNOW by now about rampant insecurity in Internet of Things devices. You’ve likely even heard about vulnerabilities in desk phones specifically. Security research into the devices—and the potential for hackers to take them over, turn them into listening devices, or use them as jumping-off points to take over corporate networks—has been going on for years. But even in security it seems that no good deed goes unpunished. At the DefCon security conference in Las Vegas on Thursday, researchers are presenting findings about a flaw in Avaya desk phones that was originally patched in 2009. And then came back from the dead.

Experts at McAfee Advanced Threat Research say they were just doing general studies of Avaya desk phone security when they stumbled on the reincarnated bug. An attacker could exploit it to take over the phone’s operations, extract audio from calls, and even essentially bug the phone to spy on its surroundings.


“It was kind of a holy crap moment,” says Steve Povolny, McAfee’s head of advanced threat research. The work is being presented at DefCon by Philippe Laulheret, a senior security researcher at McAfee who led the investigation. “There was a fix for the original bug shortly after it was disclosed publicly in 2009, but it seems that Avaya forked the code later, took the pre-patched version, and didn’t properly account for the fact that there was a public vulnerability there.”

Three popular series of Avaya desk phones are affected, and the company released a new patch for the vulnerability on July 18. The McAfee researchers say Avaya was responsive and proactive about working to quickly issue a fix, and that it is even taking steps to harden related systems and future devices to make it more difficult for attackers to find and exploit similar bugs if others ever do crop up. The company did not return a request for comment from WIRED.
