


Published on August 18th, 2011 | by Alexis Argent


Security vulnerability affecting Yealink phones

It has come to our attention that all releases of Yealink firmware contain a security vulnerability which puts a user’s account at risk. A breach can potentially lead to code being executed against the phone to make calls without your permission.

The vulnerability affects all Yealink devices, including those NOT purchased directly from VoIPon.

Some revisions of Yealink firmware will also allow an attacker to gain complete control of your IP Phone and SIP extension details.

Vulnerability information

Yealink phones are factory set with default usernames of “admin” and “user”, along with default passwords. Attackers can use several utilities to easily exploit this and instruct the phone to make calls without your permission, commonly to high cost international destinations.

Yealink are currently working on an update to their firmware to resolve this problem. In the meantime, the information below should be followed for all Yealink handsets deployed within your organisation.

Recommendations

It is important that you follow the steps below to reduce your risk of fraudulent activity.

If you have purchased your phone from VoIPon configured to an extension either via our online store or from our sales team, then we are taking steps to ensure that your firmware is upgraded automatically and that the “user” password is changed. You should also ensure that the “admin” password is changed to something more secure.

If you have not purchased your Yealink phone from VoIPon, or have made technical changes to how the device provisions, then please consult with your supplier or IT department for any additional information that may be required.

Ensure that your phone is running the latest release of firmware from the list below. If it is not, then please update your device immediately by clicking on the relevant link below. This will download the latest firmware, which you can then upload to your phone.

Yealink T20P 9.60.23.14: Firmware
Yealink T22P 7.60.23.14: Firmware
Yealink T26P 6.60.23.14: Firmware
Yealink T28P 2.60.23.14: Firmware

If you are unsure of the firmware upgrade procedure, a guide can be found on the Yealink FAQ.

Ensure that both the “admin” and “user” logins for the phone’s web interface are protected with a strong password. We recommend using this free online password generator to create a suitable password, which can then be updated using the phone’s web-based administration.
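One way to check a fleet of handsets against the two recommendations above (firmware level and changed passwords), as an added example that is not VoIPon's or Yealink's code. The inventory CSV layout, its column names and the sample rows are constructed for illustration, and treating a different first version field as a firmware image for another model is an assumption.

```python
import csv
import io

# Minimum firmware per model, taken from the list in this advisory.
FIXED = {
    "T20P": "9.60.23.14",
    "T22P": "7.60.23.14",
    "T26P": "6.60.23.14",
    "T28P": "2.60.23.14",
}

# Constructed sample inventory; hosts, versions and flags are made up.
SAMPLE = """host,model,firmware,admin_changed,user_changed
192.0.2.10,T20P,9.60.23.14,yes,yes
192.0.2.11,T22P,7.60.9.2,yes,no
192.0.2.12,T26P,6.60.23.14,no,yes
192.0.2.13,T28P,2.61.0.5,yes,yes
192.0.2.14,T38G,38.70.0.20,yes,yes
192.0.2.15,T28P,9.60.23.14,yes,yes
"""

def parse(version):
    """Turn '9.60.23.14' into (9, 60, 23, 14) so fields compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def audit(inventory_csv):
    """Return {host: [findings]} for phones that still need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        fixed = FIXED.get(row["model"].strip().upper())
        if fixed is None:
            issues.append("model not in advisory list, check with supplier")
        else:
            have, want = parse(row["firmware"]), parse(fixed)
            if have[0] != want[0]:
                # Assumption: first field differs => image for another model.
                issues.append("firmware family mismatch, review manually")
            elif have < want:
                issues.append(f"firmware {row['firmware']} older than {fixed}")
        for account in ("admin", "user"):
            if row[f"{account}_changed"].strip().lower() != "yes":
                issues.append(f'"{account}" password not changed')
        if issues:
            findings[row["host"]] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Versions are compared field by field as integers, so 7.60.9.2 is correctly reported as older than 7.60.23.14, which a plain string comparison would get wrong.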


One Response to Security vulnerability affecting Yealink phones

  1. Agatha says:

    There has been a solution to solve this problem. The users could download a software patch from the website of Yealink: http://www.yealink.com/index.php/Support/lists/classid/2/typeid/2 .
    Install the software patch and change the var password. It’s done!
