It is not often that you see VoIP in the news headlines, but this week there was lots of talk about a potential security issue with a particular handset. So, let’s have a detailed look at the reported VoIP bug & the implications it may have.
What Is The VoIP Bug?
There is a very comprehensive article from McAfee here that explains what happened in great detail.
In this article we will focus on what happened and what to do if you get asked about it.
You will most likely have heard of Avaya; they are one of the largest VoIP providers in the world.
Well, McAfee were doing some ongoing security work on software and hardware and as part of this process they checked the Avaya 9600 series IP Desk phone.
What they found was a Remote Code Execution (RCE) vulnerability. They also found that it had been placed there ten years ago…
What Is A Remote Code Execution?
The simple explanation of a remote code execution (RCE) vulnerability is that it is a flaw in a piece of code within the software that allows someone to run their own commands on the device remotely and effectively take control of it.
VoIP uses open source code, which is often used collaboratively and can be used and adapted by anyone.
This RCE is particularly clever and could potentially allow any hackers to access files on the VoIP system, including call logs and recordings of calls.
The author of the McAfee article we mentioned earlier, Philippe Laulheret, has been quoted as saying that hackers could “leverage the bug to take over the normal operation of the phone, exfiltrate audio from its speaker phone, and potentially ‘bug’ the phone.”
So, not only could a hacker take call information and call recordings, they could also have installed viruses, trojans and malware.
Why Did It Take 10 Years Before Anyone Noticed?
The most likely theory as to why nothing was done is that Avaya copied and continued using the software code without ever rolling out or applying any software security update patches.
Though this technology should have been updated in line with best practices, at least now the bug has been discovered and there is something that can be done to rectify it.
What Should An Avaya VoIP User Do?
As a VoIP reseller you are quite likely to be asked what to do by anyone that is using or considering using Avaya VoIP solutions.
Avaya have released three security updates here. So, the systems administrator or IT Department, if they haven’t already, should be able to deploy these fixes across the VoIP system.
Now that the bug and its subsequent fix are out in the open, a sensible thing to do would be to test the system once the fix has been applied, before rolling it out across a company.
Most IT Departments have test environments to allow them to do any security or user testing before allowing new or amended software to be used in a live environment.
VoIP Phones Are Not Just Phones
Despite the obviously worrying aspect of a) a bug being discovered and the even more worrying aspect that b) it had not been detected in ten years, this is a timely reminder that VoIP systems are so much more than just phone handsets. Just like laptops, tablets and mobile phones, they are computer systems.
As with all computer systems, they are powered and controlled by reams and reams of code. That code, if left unchecked for any period of time, is vulnerable to being hacked and data being breached.
Also, as this case illustrates, open source code created and amended by third parties and placed in millions of IT systems throughout the whole world needs to be updated and checked regularly.
It may be a good idea to ask anyone using any VoIP solutions to ensure that their VoIP systems are included with any other piece of technology when their IT Department checks for process and security updates.
Possibly because we often only see the phone handsets and, let’s face it, phone handsets were for many years just simple phones, we don’t think too much about what is going on in the background and quite possibly take it for granted.
As a VoIP reseller it is vital that you are kept up to date with any developments in VoIP solutions technology – whether it is good, as in advances of VoIP technology, or not so good such as the topic of this week’s blog.
We would highly recommend that you subscribe to the McAfee website we mentioned near the top of this blog and other valuable resources such as softwaretestingnews.co.uk to ensure that you can pre-empt any questions you may have and so that you can provide knowledgeable answers and solutions.
We hope that we have helped to explain this particular VoIP bug and the implications it may have for anyone using or looking to use VoIP solutions.
Get In Touch
Here at VipVoip we pride ourselves on keeping up to date with everything in the world of VoIP solutions. So, if you would like any more information then please contact us.
You can call us at 03300881182, email sales@vipvoip.co.uk or via our online contact form.