How to hack Avaya phones with a simple text editor

Pierluigi Paganini April 22, 2015

At RSA conference 2015 a researcher demonstrated that Avaya’s Ethernet office phones can be compromised with just a simple text editor.

At the RSA conference 2015 in San Francisco, Dr Ang Cui, a Columbia University PhD and Red Balloon Security cofounder, announced that Avaya’s Ethernet office phones can be compromised with just a simple text editor containing a few lines of Python.

Dr Ang Cui explained that this vulnerability was found last year in Avaya one-X phones (including the 96xx models), and that it was found by accident while his team was trying to exploit a different vulnerability.

To exploit the vulnerability the attacker simply needs network access to the device; in this way the embedded OS can be compromised.

“You can walk up to this phone with a text editor and get root on all phones vulnerable to this attack forever, until it’s thrown in the bin,” Dr Ang Cui explains.

“Every single Avaya phone out there that has this vulnerability works with a user root and a password of nothing. Once someone has done this, just once, there is little to do to ensure [the phone] has been scrubbed … you can watch every packet, but at the end of the day you have zero visibility into the device.”


There is a firmware update that could fix problems like this, but as the expert pointed out, there are other security issues to consider.

“My definition of firmware updating is trading known vulnerabilities for unknown ones,” he said.

Another factor to consider is that it is difficult to push a firmware update to every single Avaya phone in the world, so it is quite common to find vulnerable Avaya phones.

The exploitation itself isn’t very difficult: the hack cost about $2,000 over a couple of months, but the expert hasn’t publicly provided further details on it, for obvious reasons.

Dr Ang Cui did, however, share some information about his tests:

  • 20-phone fuzz farm
  • 1 month of automated fuzzing
  • 10 GB of crash data
  • 10K+ documented crashes
  • Ran a basic clustering algorithm to determine unique root causes
  • Chose the top 4 unique crash cases
  • All reliably reproducible
  • Manual analysis for exploitability
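As an added illustration of the clustering-and-selection step above (example code written for this page, not from the talk or from Red Balloon Security), the script below buckets crash records by signal and top stack frames, drops buckets that did not reproduce on replay, and ranks the rest so the largest four can go to manual analysis. The crash records, frame names and field names are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample crash records standing in for fuzzer output; the frame
# names and the "reproduced" replay flag are invented for this example.
CRASHES = [
    {"id": 1, "signal": "SIGSEGV", "frames": ["parse_hdr", "recv_msg", "loop", "main"], "reproduced": True},
    {"id": 2, "signal": "SIGSEGV", "frames": ["parse_hdr", "recv_msg", "loop", "main"], "reproduced": True},
    {"id": 3, "signal": "SIGSEGV", "frames": ["parse_hdr", "recv_msg", "loop", "main"], "reproduced": True},
    {"id": 4, "signal": "SIGABRT", "frames": ["free", "free_session", "teardown", "main"], "reproduced": True},
    {"id": 5, "signal": "SIGABRT", "frames": ["free", "free_session", "teardown", "main"], "reproduced": True},
    {"id": 6, "signal": "SIGSEGV", "frames": ["memcpy", "copy_body", "recv_msg", "loop"], "reproduced": True},
    {"id": 7, "signal": "SIGSEGV", "frames": ["memcpy", "copy_body", "recv_msg", "loop"], "reproduced": False},
    {"id": 8, "signal": "SIGBUS", "frames": ["read_cfg", "reload", "loop", "main"], "reproduced": True},
    {"id": 9, "signal": "SIGSEGV", "frames": ["strlen", "log_msg", "recv_msg", "loop"], "reproduced": False},
    {"id": 10, "signal": "SIGILL", "frames": ["jump_tbl", "dispatch", "loop", "main"], "reproduced": True},
]


def crash_signature(crash, depth=3):
    """Bucket key: the signal plus the top `depth` stack frames, hashed.
    Crashes that differ only in addresses or deeper frames share a bucket."""
    key = crash["signal"] + "|" + "|".join(crash["frames"][:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def cluster_crashes(crashes, depth=3):
    """Group crash records by signature; one bucket is one candidate root cause."""
    buckets = defaultdict(list)
    for crash in crashes:
        buckets[crash_signature(crash, depth)].append(crash)
    return buckets


def triage(crashes, top_n=4, depth=3, min_repro=1.0):
    """Keep buckets whose replay rate is at least min_repro (the 'all reliably
    reproducible' filter), rank them by size, and return the top_n as
    (signature, count, top frames) tuples for manual exploitability review."""
    ranked = []
    for sig, members in cluster_crashes(crashes, depth).items():
        repro_rate = sum(1 for m in members if m["reproduced"]) / len(members)
        if repro_rate >= min_repro:
            ranked.append((sig, len(members), members[0]["frames"][:depth]))
    ranked.sort(key=lambda t: (-t[1], t[0]))  # biggest bucket first, stable by hash
    return ranked[:top_n]


if __name__ == "__main__":
    for sig, count, frames in triage(CRASHES):
        print(f"{sig}  x{count}  {' <- '.join(frames)}")
```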

The conclusions were:

  • Embedded exploitation is not “next level stuff”
  • Embedded exploitation is cheap
  • Embedded exploitation is effective
  • Embedded exploitation is persistent
  • Embedded exploitation has no defense

Users can listen to the presentation here or download the slides here [PDF].

About the Author: Elsio Pinto

Elsio Pinto is currently the Lead McAfee Security Engineer at Swiss Re, and he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience at major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also runs his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs –  Avaya, hacking)
