A brand of office phone so widespread that it is used by 90% of Fortune 100 companies has been found to have a vulnerability that could enable a malicious actor to listen in on calls and even take control of the phones while they are being used.
The vulnerability, which was discovered by McAfee Labs, has been found on a model of deskphone made by Avaya, the second largest provider of VoIP solutions such as office phones in the world.
The model in question, the Avaya 9800 series, was found to use a piece of open-source software containing a remote code execution (RCE) vulnerability first identified in 2009. However, its presence in the phone remained unnoticed until now.
Upon finding the issue, McAfee immediately notified Avaya, which produced and released a patched firmware image to resolve it. The patch has now been available for over 30 days; however, it is up to IT administrators to deploy it, so while most businesses are likely to have applied it, it is not clear how many phones remain unpatched.
Vulnerability enabled office phones to be bugged
It is not known whether the office phone vulnerability was ever used by hackers to gain access to phones, but the potential for access prior to Avaya’s fix was significant.
In a blog post outlining the vulnerability for security researchers, McAfee Labs reported that the phone could be accessed from a laptop either directly or over a company network. Once an attacker gained access, they would be able to ‘bug’ the phone, take over its operation or extract audio from the speakerphone.
The vulnerability, while now resolved, is a reminder to be wary of the security of connected devices using legacy code.
“Legacy code and technical debt can be found everywhere in our increasingly connected world; if left unpaid, the resulting ‘interest’ can be detrimental,” said Raj Samani, chief scientist and McAfee fellow.
“Technology is only as secure as the weakest link in the chain, and this can many times be a device you might not expect. This highlights the importance of staying on top of network monitoring: if connected devices are talking with each other when they are not supposed to, this should raise red flags.”