Old bug could still bite
Beware desk phones that enable hackers to listen in on your organisation – because there’s an old bug in many phones that could open doors to cyber criminals.
New research from cyber security firm McAfee has identified that there’s still an old bug in Avaya handsets.
Avaya’s the popular choice for many organisations of all sizes worldwide so the existence of the old bug is a major worry for many businesses who may not have renewed their desktop technology since 2009.
While the core software itself was repaired a decade ago, the operating system in the desk phone firmware wasn’t. It means companies that use Avaya handsets could have their devices taken over in a Remote Code Execution (RCE) attack. This would enable a hacker to listen in on conversations and even record calls.
Avaya has published information about how to fix the problem and advises businesses to remedy the problem as soon as possible.
But some companies may need support from an independent IT consultant to help them to evaluate the risks and to implement the fix. As the bug is a decade old, it might well be the right time to consider new kit – because there’s a wide range of new options to choose from.
The security flaw was identified in the Avaya 9600 series IP desk phone by McAfee’s researchers who demonstrated how big a risk the bug still poses. They were able to take over the normal operation of an Avaya phone, secretly remove audio recordings and potentially bug the phone.
Gary Jowett, from Computer & Network Consultants in Brighton, said: “Now’s the time to check your Avaya phone system as a matter of urgency. This old vulnerability has just become headline news again, so attempts by cyber criminals may well increase.
“It’s also worthwhile taking the opportunity to do a thorough audit of all IT services to ensure there aren’t any other weak points in your cyber defences. Sadly, hackers’ ability to plant malware that lies dormant on your network, means your systems could already be infected. The perpetrators are just waiting for the right moment to use malicious code against you. Or, it could involve your company’s systems in an unwitting attack on a third party which could lead to legal penalties and a damaged reputation.”