Published on August 18th, 2011 | by Alexis Argent1
Security vulnerability affecting Yealink phones
It has come to our attention that all releases of Yealink firmware contain a security vulnerability which puts a user’s account at risk. A breach can potentially lead to the execution of a code against the phone to make calls without your permission.
The vulnerability affects all Yealink devices, including those NOT purchased directly from VoIPon.
Some revisions of Yealink firmware will also allow an attacker to gain complete control of your IP Phone and SIP extension details.
Yealink phones are factory set with default usernames of “admin” and “user”, along with default passwords. Attackers can use several utilities to easily exploit this and instruct the phone to make calls without your permission, commonly to high cost international destinations.
Yealink are currently working on an update to their firmware to resolve this problem, in the meantime the information below should be followed for all Yealink handsets deployed within your organisation.
It is important that you follow the below steps to reduce your risk of fraudulent activity.
If you have purchased your phone from VoIPon configured to an extension either via our online store or from our sales team, then we are taking steps to ensure that your firmware is upgraded automatically and that the “user” password is changed. You should also ensure that the “admin” password is changed to something more secure.
If you have not purchased your Yealink phone from VoIPon or have made technical changes to how the device provisions then please consult with your supplier or IT department for any additional information that may be required.
Ensure that your phone is running the latest release of firmware from the list below. If it is not then please update your device immediately by clicking on the relevant link below. This will download the latest firmware, which you can then upload to your phone.
If you are unsure of the firmware upgrade procedure, a guide can be found on the Yealink FAQ.
Ensure that both the “admin” and “user” logins for the phones web interface are protected with a strong password. We recommend using this free online password generator to create a suitable password, which can then be updated using the phone’s web based administration.