NFON AG Develops Two-Factor Authentication for At-Risk Yealink Phones

Late year, IT security firm VTrust reportedly uncovered a vulnerability in the automatic provisioning service of popular VoIP phone maker Yealink.The security firm was able to demonstrate how bad actors could initiate an attack using several Yealink phones and a number of VoIP accounts. VTrust’snoted thatYealink’s entire product line is susceptible to the flaws since the method is shared across all of its models.

Chinese VoIP phone maker Yealink is a favorite choice for providers of cloud telephony services, making it a market leader in the field. VTrust has indicated that the company was slow to respond to its discovery of the security flaw, and end users have been stuck because there is little they can do, according to an article in Germany’s CT Magazine.

“There isn’t much users of automatically configured Yealink phones can do to shield themselves, since the issue affects the server side of the mechanism,” according to CT Magazine. “At least some VoIP providers offer an option to deactivate the automatic provisioning process through their customer portals. Even then it depends on the individual provider whether or not the vulnerable information becomes inaccessible to intruders.VoIP companies, on the other hand, can take a few steps to counter the issue. After all, Yealink only specifies the provisioning technique, but not the server software.”

Some VoIP companies have been addressing the security flaw. NFON AG, pan-European cloud PBX provider, was one of the companies directly informed of the flaw by VTrust. NFON AG CTO Jan-Peter Koopman recently spoke with UC Todayabout the new and easy-to-use two-factor authentication solution that it has made available with Yealink’s SIP phones to protect end users.

“If you get the Yealink phone out of the box and connect it to our platform, everything will work as normal,” Koopman told UC Today. “However, if we can’t ensure that the phone is coming from a known and correct source, we’ll ask for additional authentication, a device-dependent pin code created by us.”

Once NFON has the pin code, they’re assured that the VoIP phone is authentic. From here, they can deliver the provisioning to the user with the right security tokens to ensure that all sequential request is authenticated. It’s a way of putting an extra layer of security into the mix to ensure that bad actors can’t exploit the flaw.