Security is certainly a topic making headlines, and has been for some time. Businesses make a multitude of communications daily ranging from emails, chat, voice, video etc. All of these exchanges contain value to business operations; maybe you’re about to close a new client or you’re collaborating with a colleague to resolve an issue. What if I told you the IP phones you just deployed to the office were part of the problem? What if I told you that your IP phones are vulnerable to unauthenticated remote dial in? At that point, “Houston, we have a problem.”

Cisco (News - Alert) released a vulnerability report this week in regard to its Small Business SPA300 and SPA500 Series IP phones that describes the issue as, “A vulnerability in the firmware of the Cisco Small Business SPA 300 and 500 series IP phones could allow an unauthenticated, remote attacker to listen to the audio stream of an IP phone.”

Although an attacker would have to gain entry to a business’ internal network and firewall, which should reduce the threat, a red flag must be raised, and the vulnerability addressed nonetheless.

Because the default configuration does not contain proper authentication settings, an ‘evil-doer’ could leverage this vulnerability to pilfer sensitive company information. The hacker could make phone calls or eavesdrop on a remote audio stream. Frightening, yes, and although Cisco recognizes the issue, an update has yet to be provided.

Cisco reports that its Small Business SPA 300 and 500 Series IP phones version 7.5.5 were vulnerable with the possibility of later versions in the series as well. The provider suggests that administrators contact their vendor about updates and new phone releases, enable XML Execution authentication in configuration settings, give only trusted users network access, monitor any systems affected, make use of a firewall and make sure that only trusted systems can access the systems affected.

While this vulnerability seems like a hole that can fairly easily be plugged, it is an issue regardless. Business communications are what allow for the manifestation of strategy, sales and customer service; are you willing to risk the security of those communications? I didn’t think so.