You probably know by now about rampant insecurity in Internet of Things devices. You’ve likely even heard about vulnerabilities in desk phones specifically. Security research into the devices—and the potential for hackers to take them over, turn them into listening devices, or use them as jumping off points to take over corporate networks—has been going on for years. But even in security it seems that no good deed goes unpunished. At the DefCon security conference in Las Vegas on Thursday, researchers are presenting findings about a flaw in Avaya desk phones that was originally patched in 2009. And then came back from the dead.
Experts at McAfee Advanced Threat Research say they were just doing general studies of Avaya desk phone security when they stumbled on the reincarnated bug. An attacker could exploit it to take over the phone’s operations, extract audio from calls, and even essentially bug the phone to spy on its surroundings.
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
“It was kind of a holy crap moment,” says Steve Povolny, McAfee’s head of advanced threat research. The work is being presented at DefCon by Philippe Laulheret, a senior security researcher at McAfee who led the investigation. “There was a fix for the original bug shortly after it was disclosed publicly in 2009, but it seems that Avaya forked the code later, took the pre-patched version, and didn’t properly account for the fact that there was a public vulnerability there.”
Three popular series of Avaya desk phones are affected, and the company released a new patch for the vulnerability on July 18. The McAfee researchers say Avaya was responsive and proactive about working to quickly issue a fix, and that it is even taking steps to harden related systems and future devices to make it more difficult for attackers to find and exploit similar bugs if others ever do crop up. The company did not return a request for comment from WIRED.
Though a fix is now available (again), the McAfee researchers note that it will take time for the patch to distribute out to all the corporate and institutional environments where vulnerable phones are lurking on every desk. It’s a classic challenge of IoT security, because even when patches exist for vulnerabilities, it is often difficult in practice for users to apply them. And the McAfee researchers also point out that bugs like these are worryingly easy for potential attackers to find, since IoT devices often don’t have strong physical and digital protections in place against an attacker or researcher doing recon on a test device. Povolny says that with the Avaya desk phones, it took only basic hacking skills to gain access to the device’s systems and firmware (the foundational code that coordinates a device’s hardware and software) and analyze them for flaws.
“There’s some positive momentum in that space, which is good to see,” Povolny says. “Because a big part of the problem is how easy it is to get access to firmware and memory. Developers can add protections or at least raise the bar so that IoT device bugs aren’t so easy to exploit.”
In the case of the Avaya flaws, the McAfee researchers imagine that an attacker could exploit them for surveillance, to make fake outgoing calls, or even to spread ransomware among vulnerable phones on a network, potentially halting activities for a business like a telecommunications or marketing firm. The vulnerabilities can’t be exploited remotely on their own—an attacker would need to be on the same network as the devices. But they could be chained with a remote exploit and used by an attacker to move around a target network and gain deeper control.
Most important, the bug is a cautionary tale for developers looking to reuse old code in new projects. “Yeah, it was kind of surprising to me that this one made it so long,” Povolny says. “Over 10 years is a pretty impressive amount of time.”