At the RSA conference 2015 in San Francisco, Dr Ang Cui from Columbia University PhD and Red Ballon Security cofounder announced that Avaya’s Ethernet office phones can be compromised with just a simple text editor, containing some lines of python.
Dr Ang Cui explained that this vulnerability was found last year in Avaya ONE-X blowers (including 96xx models), and it was found by accident when they were trying to exploit another vulnerability.
To exploit the vulnerability the device needs simply to be connected over the network, the attacker in this way is able to compromise the embedded OS.
“You can walk up to this phone with a text editor and get root on all phones vulnerable to this attack forever, until its thrown in the bin,” Dr Ang Cui explains.
“Every single Avaya phone out there that has this vulnerability works with a user root and a password of nothing. Once someone has done this, just once, there is little to do to ensure [the phone] has been scrubbed … you can watch every packet, but at the end of the day you have zero visibility into the device.”
There is a firmware update that could fixes problems like this, but as pointed by the expert there are other security issues to consider.
“My definition of firmware updating is trading known vulnerabilities for unknown ones,” he said.
Another factor to consider is that the firmware update it’s difficult to pass it thought every single Avaya phone in the world, so it is quite common to find vulnerable Avaya phone.
The exploitation itself it isn’t very difficult, the hack cost about $2,000 over a couple of months, but the expert hasn’t publicly provided further details on the hack for obvious reasons.
Dr Ang Cui anyway shares some information related its tests:
The conclusions were:
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Avaya, hacking)