Heartbleed Bug Reminds Us to Test IP Phones, Other Technology

May 02, 2014

With the Heartbleed bug now a threat, it is especially important to test IP phones to ensure their security.

Heartbleed, found in the open-source OpenSSL library, can expose servers and other tech systems to hackers. It has already left millions of Web servers and devices susceptible to attacks.

Sucuri reported that the top 1,000 sites were no longer vulnerable to the bug as of last month, but thousands of smaller sites are vulnerable. A fixed version of OpenSSL can patch the flaw, and GitHub and McAfee developed sites that test other sites for Heartbleed.

On April 10, Cisco, for instance, found 11 products and two services susceptible to attack because of Heartbleed. The items at that point included the Cisco Unified 8961 IP Phone, the Unified 9951 IP Phone, and the Unified 9971 IP Phone.

On the other hand, Yealink reported on April 18, “We have carefully inspected our products in all versions, and here we announce that Yealink products are not affected by the Heartbleed OpenSSL vulnerability.”

A 19-year-old Canadian was arrested on April 15 for allegedly hacking into the computer systems of the Canada Revenue Agency using the Heartbleed bug. And Brian Monkman, perimeter security programs manager at ICSA Labs, told CruxialCIO that an IP phone, printer or copier that “uses an encrypted interface to access an admin function” could be compromised by Heartbleed. While some IP phones, such as those from Yealink, have tight security and were not compromised, users of other IP phone systems may not have been so lucky, and must evaluate their phone security.

There are some ways to protect software and systems from the Heartbleed bug. For instance, watch for internal threats. “A significant number of breaches over the years have come from internal actors,” Monkman said. In addition, perform a network inventory. Find out what is running on the Web and mail servers, and what may be running OpenSSL code. Michael Bailey, a professor of Electrical Engineering and Computer Science at the University of Michigan, says, “Once you identify things running OpenSSL, the first thing you should do is patch them.”

Also, ensure there is continuity in software systems. “I’m hearing folks being very aggressive in their patching stance, and that’s the appropriate response here,” Bailey added.

Remember, too, to double-check coding. “It’s always good to have someone check the results of your coding and make sure it operates properly,” Monkman said. Another suggestion is to change passwords for network and Web accounts now, and change them again after systems are patched.

Monkman also suggests checking certificates to make sure they have not been revoked, and remembering to use online scanners. Chris Rodriguez, an analyst at Frost & Sullivan, expanded on this option, telling CruxialCIO, “For example, Nessus and Qualys scanners have the ability to test for this vulnerability, and Veracode offers an online service to find and scan an organization's cloud-hosted, forgotten, and temporary sites.”

Edited by Alisen Downey