Security vulnerabilities have recently been disclosed in AudioCodes desk phones and in Zoom’s Zero Touch Provisioning (ZTP), and together they open the door to remote attacks. The vulnerabilities could allow an external attacker to gain full remote control over the devices, according to Moritz Abrell, a security researcher at SySS, who published his analysis last Friday.
The implications of such unfettered access are significant. Attackers could eavesdrop on rooms or phone calls, use the compromised devices as a foothold into corporate networks, or even assemble a botnet of infected phones. The research was presented at the Black Hat USA security conference earlier this week. The root of these vulnerabilities lies in Zoom’s ZTP, a feature that lets IT administrators centrally configure VoIP devices. The feature, which makes it convenient to monitor, troubleshoot, and update devices, works through a web server deployed in the local network that serves configurations and firmware updates to the devices. The vulnerability arises because there is no client-side authentication when a phone retrieves configuration files from the ZTP service.
This could allow an attacker to trigger the download of malicious firmware from a rogue server. Further investigation revealed improper authentication issues in the cryptographic routines of AudioCodes VoIP desk phones, which support Zoom ZTP. These issues could allow the decryption of sensitive information, such as passwords and configuration files, transmitted via a redirection server used by the phone to fetch the configuration.
These two vulnerabilities, the unverified ownership bug and the flaws in the certified hardware, could be combined into an exploit chain that abuses Zoom’s ZTP to deliver malicious firmware and trick arbitrary devices that are not yet provisioned or enrolled in an existing ZTP profile into installing it. Abrell warns that, in combination, these vulnerabilities could be used to remotely take over arbitrary devices, a significant security risk because the attack scales.
This disclosure comes almost a year after the German cybersecurity company identified a security issue in Microsoft Teams Direct Routing that could make installations susceptible to toll fraud attacks. In response to the disclosure, a Zoom spokesperson stated on July 21, “We have implemented a restriction for new customers that prevents the use of customized URLs for firmware within the Zoom Phone provisioning template.” Zoom also plans to roll out additional security enhancements later this year.