Does your desk phone pose a major security risk?

desk phone
(Image credit: Shutterstock.com)

Security researchers have warned that the humble desk phone could be putting businesses at risk of cyberattack.

According to new findings from McAfee, a decade-old bug found in an Avaya desk phone may allow hackers to hijack the device to capture audio, and even potentially bug the phone to listen in on conversations.

The model of phone in question (the Avaya 9600 series IP Deskphone) is reportedly used in 90 percent of Fortune 100 companies, as well as many more businesses of all sizes around the world.

McAfee says that the flaw is due to the presence of a Remote Code Execution (RCE) vulnerability in a piece of open source software that Avaya likely copied and modified 10 years ago, and then subsequently failed to apply appropriate security patches to.

The bug was first reported as affected the phone's Linux software back in 2009, yet its presence in the firmware remained unnoticed until now, demonstrating the potentially huge effect such devices could have on a company's cybersecurity.

“Legacy code and technical debt can be found everywhere in our increasingly connected world; if left unpaid, the resulting ‘interest’ can be detrimental," said Raj Samani, chief scientist and McAfee fellow.

"Technology is only as secure as the weakest link in the chain, and this can many times be a device you might not expect. This highlights the importance of staying on top of network monitoring: if connected devices are talking with each other when they are not supposed to, this should raise red flags.”

Avaya has now published a fix to the vulnerability, with McAfee urging customers to patch their devices immediately.