With the Heartbleed bug now in the wild, it is especially important to test IP phones to ensure their security.
Heartbleed, found in the open-source OpenSSL library, can expose servers and other tech systems to hackers. It has already left millions of Web servers and devices susceptible to attacks.
Sucuri reported that the top 1,000 sites were no longer vulnerable to the bug as of last month, but thousands of smaller sites still are. A fixed version of OpenSSL patches the flaw, and GitHub and McAfee developed sites that test other sites for Heartbleed.
On April 10, Cisco, for instance, found 11 products and two services susceptible to attack because of Heartbleed. The items at that point included the Cisco Unified 8961 IP Phone, the Unified 9951 IP Phone and the Unified 9971 IP Phone.
On the other hand, Yealink reported on April 18, “We have carefully inspected our products in all versions, and here we announce that Yealink products are not affected by the Heartbleed OpenSSL vulnerability.”
A 19-year-old Canadian was arrested on April 15 for allegedly hacking into the computer systems of the Canada Revenue Agency using the Heartbleed bug. And Brian Monkman, perimeter security programs manager at ICSA Labs, told CruxialCIO that an IP phone, printer or copier that “uses an encrypted interface to access an admin function” could be compromised by Heartbleed. While some IP phones, such as those from Yealink, have tight security and were not compromised, users of other IP phone systems may not have been so lucky and must evaluate their phone security.
There are some ways to protect software and systems from the Heartbleed bug. For instance, watch for internal threats. “A significant number of breaches over the years have come from internal actors,” Monkman said. In addition, perform a network inventory: find out what is running on the Web and mail servers, and what may be running OpenSSL code. Michael Bailey, a professor of Electrical Engineering and Computer Science at the University of Michigan, says, “Once you identify things running OpenSSL, the first thing you should do is patch them.”
Also, ensure there is continuity in software systems. “I’m hearing folks being very aggressive in their patching stance, and that’s the appropriate response here,” Bailey added.
Remember, too, to double-check code. “It’s always good to have someone check the results of your coding and make sure it operates properly,” Monkman said. Another suggestion is to change passwords for network and Web accounts now, and change them again after systems are patched.
Monkman also suggests checking certificates to make sure they have not been revoked, and remembering to use online scanners. Chris Rodriguez, an analyst at Frost & Sullivan, expanded on this option in comments to CruxialCIO, explaining, “For example, Nessus and Qualys scanners have the ability to test for this vulnerability, and Veracode offers an online service to find and scan an organization's cloud-hosted, forgotten, and temporary sites.”
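The inventory-then-patch step above is easier to act on when the `openssl version` output collected from each host is triaged automatically. The script below is an added example, not code from the article or from any vendor named in it; the host names and banners are constructed sample data, and the version ranges come from the OpenSSL advisory for Heartbleed (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g and 1.0.2-beta2 fixed).

```python
import re
from typing import Optional

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1. The 1.0.0 and 0.9.8 branches never had the TLS heartbeat
# extension and are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.I)


def parse_openssl_version(banner: str):
    """Return (major, minor, patch, letter, beta) from an `openssl version` line, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (int(beta) if beta else None)


def is_heartbleed_vulnerable(banner: str) -> Optional[bool]:
    """True if the upstream version is in the affected range, False if not, None if unparseable.

    Caveat: distributions such as Debian, Ubuntu and Red Hat backported the fix without
    bumping the upstream version (for example 1.0.1e stays 1.0.1e), so a True here means
    "verify with the package manager and patch if needed", not a confirmed exposure.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter, beta = v
    if (major, minor) != (1, 0):
        return False
    if patch == 1:
        # bare "1.0.1" (empty letter) and 1.0.1a..1.0.1f are affected; 1.0.1g fixed it
        return letter < "g"
    if patch == 2:
        # only the 1.0.2-beta1 pre-release shipped the bug
        return beta == 1
    return False


def triage_inventory(inventory: dict) -> dict:
    """Map host -> 'patch' / 'ok' / 'unknown' from a host -> banner inventory."""
    verdicts = {}
    for host, banner in inventory.items():
        v = is_heartbleed_vulnerable(banner)
        verdicts[host] = "unknown" if v is None else ("patch" if v else "ok")
    return verdicts


# Constructed sample inventory (hypothetical hosts) as collected by `openssl version` per host.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mail-01": "OpenSSL 1.0.1g 7 Apr 2014",
    "voip-gw": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-pbx": "OpenSSL 0.9.8y 5 Feb 2013",
    "printer-7": "GnuTLS 3.2.4",
}
```

Hosts marked "unknown" (no OpenSSL banner at all, as with the printer) still need a manual check, since embedded devices often do not expose which TLS library they ship.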
Edited by Alisen Downey