Infosec bod's brag: Text editor pops Avaya phones FOREVER
You could patch, but it probably won't help, PhD bloke says
RSA 2015 Dr Ang Cui says Avaya's Ethernet office phones can be permanently compromised using nothing more than a text editor (and a few lines of Python.)
The Columbia University PhD and Red Ballon Security cofounder revealed to the RSA security conference in San Francisco a few more details about the vulnerabilities he found last year in the Avaya ONE-X blowers including the 96xx models. It appears to involve connecting to the device over the network to compromise its embedded OS.
“You can walk up to this phone with a text editor and get root on all phones vulnerable to this attack forever, until its thrown in the bin,” Cui says.
“Every single Avaya phone out there that has this vulnerability works with a user root and a password of nothing. Once someone has done this, just once, there is little to do to ensure [the phone] has been scrubbed … you can watch every packet, but at the end of the day you have zero visibility into the device.”
Users can apply a firmware update, but Cui says that should not put minds at ease. “My definition of firmware updating is trading known vulnerabilities for unknown ones,” he says, adding that replacing every phone on the planet is not a viable option.
He says exploitation of the bug is not “next-level stuff,” pointing out the hack cost about $2,000 over a couple of months.
Cui says the industry needs the ability to retrofit arbitrary devices with operating-system agnostic host-based defences without requiring hardware modification or source-code disclosure.
During his six years of university work, he built the Symbiote Structure for host-based defense, automated attack surface reduction, and strong randomization for all devices.
That Symbiote platform is being used in an unnamed government, and later this year in enterprises. “Chances are by next year you'll be using something protected by Symbiote,” Cui grinned.