Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.“It was kind of a holy crap moment,” says Steve Povolny, McAfee's head of advanced threat research. The work is being presented at DefCon by Philippe Laulheret, a senior security researcher at McAfee who led the investigation. "There was a fix for the original bug shortly after it was disclosed publicly in 2009, but it seems that Avaya forked the code later, took the pre-patched version, and didn’t properly account for the fact that there was a public vulnerability there."Three popular series of Avaya desk phones are affected, and the company released a new patch for the vulnerability on July 18. The McAfee researchers say Avaya was responsive and proactive about working to quickly issue a fix, and that it is even taking steps to harden related systems and future devices to make it more difficult for attackers to find and exploit similar bugs if others ever do crop up. The company did not return a request for comment from WIRED.Though a fix is now available (again), the McAfee researchers note that it will take time for the patch to distribute out to all the corporate and institutional environments where vulnerable phones are lurking on every desk. It's a classic challenge of IoT security, because even when patches exist for vulnerabilities, it is often difficult in practice for users to apply them. And the McAfee researchers also point out that bugs like these are worryingly easy for potential attackers to find, since IoT devices often don't have strong physical and digital protections in place against an attacker or researcher doing recon on a test device. Povolny says that with the Avaya desk phones, it took only basic hacking skills to gain access to the device's systems and firmware (the foundational code that coordinates a device's hardware and software) and analyze them for flaws.
"There's some positive momentum in that space, which is good to see," Povolny says. "Because a big part of the problem is how easy it is to get access to firmware and memory. Developers can add protections or at least raise the bar so that IoT device bugs aren't so easy to exploit."In the case of the Avaya flaws, the McAfee researchers imagine that an attacker could exploit them for surveillance, to make fake outgoing calls, or even to spread ransomware among vulnerable phones on a network, potentially halting activities for a business like a telecommunications or marketing firm. The vulnerabilities can't be exploited remotely on their own—an attacker would need to be on the same network as the devices. But they could be chained with a remote exploit and used by an attacker to move around a target network and gain deeper control.
Most important, the bug is a cautionary tale for developers looking to reuse old code in new projects. "Yeah, it was kind of surprising to me that this one made it so long," Povolny says. "Over 10 years is a pretty impressive amount of time."
- The weird, dark history of 8chan and its founder
- 8 ways overseas drug manufacturers dupe the FDA
- Listen, here’s why the value of China’s yuan really matters
- A Boeing code leak exposes security flaws deep in a 787
- The terrible anxiety of location sharing apps
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers , running gear (including shoes and socks ), and best headphones .
- 📩 Get even more of our inside scoops with our weekly Backchannel newsletter