Research Saturday 9.7.19
Ep 101 | 9.7.19

VOIP phone system harbors decade-old vulnerability.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:21] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats. Juniper is connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution, enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Steve Povolny: [00:01:53] This was kind of a fun one, kind of an interesting one, since Avaya – and specifically, their VoIP phones – are so popular and so widely deployed.

Dave Bittner: [00:02:02] That's Steve Povolny. He's the Head of Advanced Threat Research at McAfee. The research we're discussing today is titled, "Avaya Deskphone: Decade-Old Vulnerability Found in Phone's Firmware.

Steve Povolny: [00:02:13] We got interested in this specific platform, one, because obviously it's so ubiquitous and it's used so globally. And two, because it's primarily deployed in businesses and large enterprises as a desk phone. And, you know, as a research group, Advanced Threat Research, ATR, we kind of approach new projects from two perspectives. The first being we're trying to uncover and, you know, quote unquote, burn as many security flaws and vulnerabilities as we can across software and hardware platforms. So, from that perspective, being able to make a big impact across this industry of deployed devices was really interesting for us and made for engaging research.

Steve Povolny: [00:03:00] On the flip side, we're a small, dedicated team, so obviously we can't tackle everything. So part of what we do with any piece of research once we find something that's relevant is in addition to just getting the flaw or vulnerability fixed, we actually work to build a full end-to-end demo, show what the actual bad guy could do with it, and then really get that awareness out there and make sure that people understand what the impact is. And it's that level of awareness and insight into the problem space that's almost more important than just fixing individual bugs again. So, long story short, I guess we kind of get interested in it ultimately because of how widespread it was and because of the areas that it's used primarily in large enterprises.

Dave Bittner: [00:03:43] Yeah, I can't help picturing in my mind, you know, someone from your research team sitting there at their desk and glancing over at the phone and their eyebrows raising and going, "Hmmmm..."

Steve Povolny: [00:03:51] (Laughs) What could you do with this network-connected device that is recording calls and listening to calls, right?

Dave Bittner: [00:04:01] Right, Exactly. Exactly. Well, I mean, let's dig in here. And for folks who might not be familiar with how these phones work and sort of what's going on with them, can you give us a little overview?

Steve Povolny: [00:04:12] Yeah. So these are, of course, network-connected devices, which is why they're called VoIP phones, or Voice over IP, is that all of the data that's transmitted for your calls is going across the network, similar to many phones, but across an IP-based network share. And ultimately, you know, what that means is if someone is able to get onto the same network where these phones are deployed, which is typically an internal business network, or sometimes even a guest network, if they are connected to it and is able to compromise something in the phones, you know, they might be able to actually pivot to other devices on the network, control all the phones at once.

Steve Povolny: [00:04:54] Or ultimately, what we did with the scenario is leveraging the ultimate vulnerability that was found, eventually basically using it to tap and record network traffic, including calls. We thought that was probably the most interesting scenario from the threat actor's perspective, in terms of being able to not just, you know, surreptitiously steal call data, or record call data, but also potentially to deploy something like malware to all the devices, or ransomware. And, you know, in a large organization that heavily relies on their enterprise phones, you know, there's a fairly good chance that that ransom could be effective while they keep users locked out of their phones. So, we kind of approached it from that perspective of both delivering a payload of ransomware, as well as exfiltrating call data, you know, over the Internet.

Dave Bittner: [00:05:42] Yeah, it strikes me, too, that this is a device, like we said, it sort of sits on someone's desk, and in a way, it's kind of invisible. It's sort of out of sight, out of mind. As long as it's working, it's not something you really think about very much.

Steve Povolny: [00:05:56] People forget that these are just computers, right? And Philippe Laulheret, who was the primary researcher on this one, you know, looked at this thing instantly, and instead of seeing a phone that makes calls, he sees a computer sitting on his desk, that's plugged into the network. And so this is similar to any other type of IoT device now that has become network-based, and of course, phones have been connected to networks for a very long time now. But you're absolutely right – this is typically an oversight both from a security perspective as well as from just a monitoring perspective. So it makes for an enticing target for cyber criminals looking to pivot and find a way into the network. It makes for a really ideal type of a target.

Steve Povolny: [00:06:39] Well, let's walk through together what your team did here. There's some interesting aspects to it, both hardware and software. Where do you want to begin?

Steve Povolny: [00:06:50] So first and foremost, we take the lazy approach whenever possible – or the low-hanging fruit, if you want to be politically correct.

Dave Bittner: [00:06:57] (Laughs)

Steve Povolny: [00:06:58] Now, we're trying to look at a network interfaces. We're trying to see if the software or firmware can be just freely downloaded over the Internet. In this case, we could actually access the firmware just by downloading it on the Internet. But with many cases, in many of our research projects, you have to be a customer or you have to use some social engineering to get access to the firmware, or maybe it's only delivered, you know, sometimes even in physical medium.

Steve Povolny: [00:07:25] So, in this case, we were able to get the firmware easily, but the researcher wanted to be able to essentially access the underlying operating system and be able to do some interactive testing with it. So, instead of just testing the firmware for vulnerabilities or flaws similar to a normal software project, he actually opened up the phone – physically opened it up – and started working with the actual hardware and the boards inside the phone to see what he could learn. And ultimately, had he not taken this approach, we would not have come across the vulnerability that existed in the phone for over ten years.

Steve Povolny: [00:08:04] So, the process here was open up the phone and do what's called connecting to debug ports. And often there's hardware interfaces on the inside of a computer like this that the developers either leave in there intentionally so that they can debug issues in the field, or sometimes, you know, they're doing QA or debugging in the manufacturing process and they forget to close them down, and they can be accessed later. Long story short, what this means is a researcher – whether, you know, a white hat researcher or a black hat researcher – can ultimately access interfaces to the phone and backend system on the phone that they probably shouldn't be able to access.

Steve Povolny: [00:08:44] In this case, Philippe was able to directly connect to the phone's hardware and use it to load a root, or kind of system admin-level shell on the box, just by soldering some wires on there. And we spent a lot of time in the blog when we released this research talking about educating people who are interested in this type of research on just how you do that, how you go about connecting to those hardware debugging interfaces – what's interesting, what are you trying to retrieve from them. And ultimately, it leads to the fact where you can start to poke around now on the operating system in the file system of the computer in the phone.

Steve Povolny: [00:09:25] And what Felipe was able to do then, by having a root shell, was do some basic vulnerability scanning and some privileged poking around, I guess, for lack of a better term, to see what he could find. Ultimately, what he found was a piece of code that had not been updated in over ten years – he could tell that from the copyright on the banner of the code – and that led him to start to search for, you know, more of an existing vulnerability versus trying to find something new since this was such old code and such un-updated code.

Steve Povolny: [00:10:00] And then finally to come full circle, you know – and we're keeping a fairly high level for now – but to come full circle, he was able to find a vulnerability that had been publicly reported in open-source code about ten or eleven years ago, which is the DHCP client responsible for providing an IP address to the phone, and Avaya had actually taken that public open-source code, forked a version of it, and put it in their product. And unfortunately, the version of the code that they implemented their product was the one that did not have the patch in it. So, there were some older specs from the vendor here in terms of baking in the existing security, the patches that were available, and that went unnoticed for a period of ten years until Philippe kind of stumbled across this bug.

Dave Bittner: [00:10:44] So this wasn't a matter of, you know, me having a ten-year-old phone sitting on my desk – this was an old version of some open-source software that was just still being reused in modern code?

Steve Povolny: [00:11:00] Absolutely, yeah. These phones are still sold and widely distributed. I want to say there is an end-of-life plan for them coming up here, but they're still one of the most popular desk phones used across major enterprises, this specific version. And exactly as you said, this is not an old phone. It's a newer phone with an older code base on it, and had Avaya properly forked the patched version of the DHCP client into their phone, this vulnerability would not have been there, and we would have had been looking for, you know, a new vulnerability or what's called a zero-day vulnerability – something that hadn't been reported to the industry before.

Steve Povolny: [00:11:40] So, this is kind of a unique scenario where actually, you know, a vulnerability that's quite well-known from an industry perspective was completely unknown from a product perspective, and because of that, there's actually existing exploit code out there already written to take advantage of this exact vulnerability. So, for the researcher, it was quite easy to, you know, once he found that, build a proof-of-concept and take that to the extent of fully compromising the phone. And I'm sure we'll talk a little bit about what the impact of that exploit is.

Dave Bittner: [00:12:13] Yeah, absolutely. Before we get to that, I think it's worth pointing out that from a hardware side of things, this was not a matter of needing a significant investment, spending a lot of money on the gadgets that you needed to sort of hose yourself up to this phone. It was not expensive.

Steve Povolny: [00:12:32] Right. No, the expensive part is the time it takes to learn the skills, right? The overhead it takes to become good at – you know, if you look at some of the blog content and how the researcher actually connected to the phone, you'll see there some very, very fine little soldering wires involved there. You have to be able to analyze the internal components of the hardware and know which chip is what, and which board is what, and how to connect different pins and pinouts. But from an investment perspective, I think our net investment was probably in the range of five or ten dollars for some copper wire. And you know, we did have some additional hardware that kind of facilitated made the process a lot easier, but not overall necessary to being able to connect to the internals of a computer and pull useful information. And just like, you know, anything else, the more you spend, the easier it gets, generally speaking. But you're absolutely right. This is something that most people can do for pretty low cost.

Dave Bittner: [00:13:36] Now, the phone system itself was running a Linux system, which is interesting – certainly not uncommon, but opens up all sorts of avenues for exploration there as well.

Steve Povolny: [00:13:48] Absolutely. And this is pretty common for embedded devices and IoT in general, especially, you know, phone systems will run Linux or some kind of a version of the Linux kernel here. And, you know, it once Philippe had access to the kernel and had elevated privileges on the operating system, you know, there's two approaches you could take. One is to look for existing vulnerabilities, which again, is kind of that low-hanging fruit. If you find something that's already out there that hasn't been patched or fixed, in a way that's just as good as finding a zero-day vulnerability that nobody knows about, because in practice, it's exploitable in the exact same way, and a patch still needs to be developed. So, that's one approach to take and something we typically do when we drop into some elevated privileges like Linux kernel here. On the flip side, you know, had that not been successful, there are a number of tools that allow you to test and to penetration test and look for vulnerabilities and exploit them on both Windows and Linux and other operating systems at the level we're talking about here.

Dave Bittner: [00:15:02] What is the range of possible exploits that you all explored here? What sort of things were you able to do when you had that root level?

Steve Povolny: [00:15:10] Well, once we had the root shell on what's called the EEPROM, which is one of those hardware interfaces to the operating system, the vulnerability was pretty quickly found. So, again, Philippe just kind of – after looking around a little bit and seeing a copyright of 2004 to 2007, kind of got wind of the fact that we were running some – or that the device was running some pretty old code here. And the vulnerability itself, you know, for researchers in the industry, probably already familiar with it. I know Philippe kind of remembered it, it just kind of triggered his memory based on having seen it a number of years ago.

Steve Povolny: [00:15:51] But either way, you know, at this point, you could run a full end-to-end vulnerability stand, you know, looking for all existing CVEs or vulnerabilities that have been published, see what comes up. We really kind of stopped once we found this vulnerability, and the researcher decided, you know, why go any further? We have a root shell on the device, we've got a vulnerability that's unpatched, and we've got a target that's deployed, you know, very widely in enterprise environments. And we decided then to kind of pivot and start using that to build the demo.

Steve Povolny: [00:16:24] Ultimately, as I mentioned earlier, we thought there was two really impactful scenarios here, and we can go into detail on both of them. The first one was, of course, we've built a proof-of-concept just to demonstrate the vulnerability, and Philippe used (Laughs) he used my face to load on the startup screen or the flat screen of the phone, just to show that you had remote code execution and could replace images on the phone. I don't think any realistic attacker is gonna be so kind as to tip you off that way, but it was a great proof-of-concept.

Steve Povolny: [00:16:56] From a realistic perspective, we decided there's two really tangible scenarios that someone would use if they found this vulnerability unpatched. The first, as I mentioned, would be deploying malware or ransomware. And kind of the sky's the limit in terms of what you could do here. You could use it just simply to gain a backdoor on a number of internal systems to use it as a device to pivot to more critical systems on the internal network, especially if the phone system is on a protected, you know, kind of a non-open, non-guest network where there's other sensitive devices, that this becomes a really interesting kind of permanent or semi-permanent backdoor into your network. That's one way that we see a lot of vulnerabilities and exploits being used, is just as backdoors in the network and kind of maintaining persistence there to attack other targets.

Steve Povolny: [00:17:50] From the actual phone perspective, we thought, well, wouldn't it be cool if you could actually enable the internal microphone through the use of this exploit and either call or record or spoof calls outbound? And that's the demo we built and kind of run in our lab here, is we exploit the vulnerability to turn on the internal microphone. And essentially, it'll not only capture, of course, call data when a call is being made, but it can just capture ambient room noise or background noise. So, if this thing is deployed on the table of your boardroom for a critical boardroom meeting and the vulnerability is exploited, we can be listening and even exporting all of that data, all of that audio data, out of the network back to a server, a computer that we control. And we thought that was a really interesting targeted scenario for surveillance and spying activities, as well as gaining kind of privileged information to a –what should be really a highly confidential conversation.

Steve Povolny: [00:18:53] And those are the two demos that we built. So really, we kind of have a simple demo where Philippe just kind speaks and talks into the phone, and about a second or two later, you kind of see the call recording happening in real time and the data being exfiltrated out over the Internet.

Dave Bittner: [00:19:06] In order to exploit this phone, to get the access that you got, was it necessary for you to have access to the hardware itself, or could this have been done remotely?

Steve Povolny: [00:19:17] That's a great question, Dave. So, we decided to – the answer is no, we did not actually have to have access to the hardware, and that's really important here, because obviously it would mitigate the finding significantly if you need to sneak into a building, open up the phone, and tap it. At that point, you might as well just install a tap, right? So, this is a network-based attack, meaning you don't have to have any physical access with a phone – you just need to be on the same network.

Steve Povolny: [00:19:46] The reason we spent so much time on the hardware side of things is more from an educational perspective. So, we want to be able to teach researchers who are interested in helping secure this space and interested in finding additional vulnerabilities and responsibly disclosing them, to be able to build the skill set and understand the approach that goes into hacking into these kinds of devices. And with that often is the hardware approach. So, had we not been able to download the firmware freely over the Internet and, you know, if Avaya decides to lock down those firmware and download in the future, this would be the tactic or the technique that the bad guys would actually use to figure out whether there are vulnerabilities on the set and ultimately how to exploit them. So, really gaining access to the hardware interface is just the means to the end to understanding what the attack surface is and how to pull it off, it makes it easier to get the firmware, the filesystem, the memory content to do that kind of research and analysis. But ultimately, as far as exploitation, it's completely unnecessary – you just need to have access to the network that these devices are deployed on.

Dave Bittner: [00:20:55] Now, you all did reach out to Avaya, and they were responsive, and they've since published a patch.

Steve Povolny: [00:21:01] Yes. They've been a great partner to work with. And we think that one of the things that's part of a research organization is that McAfee's ATR, Advanced Threat Research, always, always works with the vendor to do what's called responsible disclosure. So, when we find a vulnerability – and sometimes we've been working with vendors well before we find a vulnerability through partnerships. In this case, we reached out to Avaya just as soon as we found the vulnerable code, and we had a number of ongoing discussions with them over the next few months while they worked on getting a patch ready and updated.

Steve Povolny: [00:21:37] And we have to really commend them for the speed they worked at, the way they embraced the research. You know, kind of the collaboration throughout the whole process really demonstrated what we always hope to achieve, which is that strengthening that researcher and manufacturer/vendor relationship. And to me, that's really ultimately one of the most important things that we have the opportunity to change in this industry. Instead of just throwing the vendor under the bus and reporting bugs and, you know, and making the vendor look bad, what we're actually trying to do is change the paradigm so that we're now working as a team, as a single unit, and that the white hat research community comes together with the manufacturers, developers, and vendors. And ultimately, we're doing the research that leads to the development and production of better and safer products. And this was a great example of that.

Steve Povolny: [00:22:30] And I'll just add that, you know, the patch was released in late June of 2019. We did do both static and dynamic testing of it to confirm that the patch was effective and that the mitigations that we kind of recommended to Avaya were properly implemented. And, you know, happy to say that that patch is effective. We think it's really important that especially large enterprises prioritize the roll out of this patch. Sometimes devices like this can be an oversight in a large corporate environment, and as we talked about earlier, phones tend to not be the primary type of computer system that your IT or SOC is actually patching. But you can kind of see from the impact statement, from the demo, and from the conversations we've had, that these should be treated as just as sensitive as any other critical server in your environment, whether those are used as an access point or a pivot point, or whether they're directly attacked. These, again, are computer systems that allow you to gain privileged access into a privileged network, and ultimately to achieve some pretty nefarious purposes. So, we're strongly advising that anyone who uses these phones get those patches updated quickly after getting the patch tested.

Dave Bittner: [00:23:48] And I suppose there's a bigger lesson here as well that, you know, even if you have your devices patched and up-to-date, that there could be things still lurking in there that have yet to be discovered.

Steve Povolny: [00:24:00] Absolutely. It would be remiss to say that fixing one vulnerability would overall make a product secure. And again, this comes full-circle to what we started to call with here, which is, you know, the reason, the nature of why we do vulnerability research at McAfee is to push this industry forward as a whole, to encourage researchers to work with vendors, to do analysis of these types of products, to overall harden the attack surface, because we can guarantee that there are others out there – whether they're individuals, whether they're nation-state, whether they're groups of individuals working together – that are well-funded, have significant resources and time, that are attacking and looking for these exact types of flaws. So it's kind of a race to see not only who can find them first, but overall who can be successful in this battle of securing [INAUDIBLE] vulnerabilities are found. And ultimately, that's our goal in this process.

Dave Bittner: [00:25:00] Our thanks to Steve Povolny from McAfee's Advanced Threat Research Team. The research is titled Avaya Deskphone: Decade-Old Vulnerability Found in Phone's Firmware." We'll have a link in the show notes.

Dave Bittner: [00:25:14] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:25:23] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:25:29] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.