Skip to main content

Desk phones could be a major security risk

(Image credit: Image Credit: Flickr / Matt Reinbold)

One thing you’d probably never think could pose a cybersecurity threat to your company (opens in new tab) is probably the desk phone. However, researchers from cybersecurity firm McAfee have discovered just that – there’s a “decade old” bug in the Avaya deskphone that could place the company at plenty of risk.

The bug is essentially a Remote Code Execution (RCE) vulnerability (opens in new tab), found in a piece of open-source software which Avaya the company took and used a decade ago.

The software was patched in the meantime (it was first reported in 2009, McAfee says), but not the OS in the phones. If leveraged, the attacker could remotely take over the phone, listen in on conversations and probably even record the calls. Roughly a month ago, Avaya published a firmware image that fixe the issue. The company has urged admins to patch up their phones as soon as possible. You can find the firmware image on this link (opens in new tab).

The Avaya deskphone is allegedly used at 90 per cent of Fortune 100 companies.

“Legacy code and technical debt can be found everywhere in our increasingly connected world; if left unpaid, the resulting ‘interest’ can be detrimental,” commented Raj Samani, chief scientist and McAfee.

“Technology is only as secure as the weakest link in the chain (opens in new tab), and this can many times be a device you might not expect. This highlights the importance of staying on top of network monitoring: if connected devices are talking with each other when they are not supposed to, this should raise red flags.”

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.