
Security vulnerability affecting Yealink phones

jojopillo
Grafter
Posts: 9,786
Registered: 16-06-2010


Hi folks,
I've just received this email....
[quote=email]Security vulnerability affecting Yealink phones
It has come to our attention that all releases of Yealink firmware contain a security vulnerability which puts a user's account at risk. A breach can potentially lead to the execution of a code against the phone to make calls without your permission.
The vulnerability affects all Yealink devices, including those NOT purchased directly from Gradwell.
Some revisions of Yealink firmware will also allow an attacker to gain complete control of your IP phone and SIP extension details.
Vulnerability information
Yealink phones are factory set with default usernames of "admin" and "user", along with default passwords. Attackers can use several utilities to easily exploit this and instruct the phone to make calls without your permission, commonly to high cost international destinations.
Yealink are currently working on an update to their firmware to resolve this problem. In the meantime, the information below should be followed for all Yealink handsets deployed within your organisation.
Recommendations
It is important that you follow the below steps to reduce your risk of fraudulent activity.
If you have purchased your phone from Gradwell configured to an extension either via our online store or from our sales team, then we are taking steps to ensure that your firmware is upgraded automatically and that the "user" password is changed. You should also ensure that the "admin" password is changed to something more secure.
If you have not purchased your Yealink phone from Gradwell or have made technical changes to how the device provisions, then please consult with your supplier or IT department for any additional information that may be required.
Ensure that your phone is running the latest release of firmware from the list below. If it is not, then please update your device immediately by clicking on the relevant link below. This will download the latest firmware, which you can then upload to your phone.
• T20P 9.60.23.14: Firmware
• T22P 7.60.23.14: Firmware
• T26P 6.60.23.14: Firmware
• T28P 2.60.23.14: Firmware
If you are unsure of the firmware upgrade procedure, a guide can be found on the Yealink FAQ website.
Ensure that both the "admin" and "user" logins for the phone's web interface are protected with a strong password. We recommend using this free online password generator to create a suitable password, which can then be updated using the phone's web-based administration.

Jojo
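
An added example, not part of the original post or the Gradwell email: one way to check a phone inventory against the firmware versions listed in the email. The inventory line format (`extension model firmware`) and the sample entries are assumptions constructed for illustration.

```python
import re

# Minimum firmware per model, copied from the list in the quoted email.
MIN_FIRMWARE = {"T20P": "9.60.23.14", "T22P": "7.60.23.14",
                "T26P": "6.60.23.14", "T28P": "2.60.23.14"}

# Assumed inventory line format: "<extension> <model> <firmware>" (hypothetical export).
LINE_RE = re.compile(r"^(\S+)\s+(T\d+[A-Z])\s+(\d+(?:\.\d+){3})$")

def parse_version(text):
    """Split a dotted version into integers so that 23.9 sorts below 23.14."""
    return tuple(int(part) for part in text.split("."))

def audit(lines):
    """Return (extension, status) for every non-empty, non-comment inventory line."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            # Missing or malformed firmware field: needs a manual look.
            results.append((line.split()[0], "unparsed"))
            continue
        ext, model, firmware = match.groups()
        minimum = MIN_FIRMWARE.get(model)
        if minimum is None:
            status = "unknown-model"
        else:
            have, want = parse_version(firmware), parse_version(minimum)
            if have[0] != want[0]:
                # The first field differs per model in the email's list, so a
                # mismatch suggests the wrong model was recorded.
                status = "model-mismatch"
            elif have < want:
                status = "outdated"
            else:
                status = "ok"
        results.append((ext, status))
    return results

# Constructed sample inventory (not real devices; T99X is a made-up model).
SAMPLE = ["# ext model firmware", "201 T28P 2.60.23.14", "202 T28P 2.60.23.9",
          "203 T20P 9.51.0.10", "204 T26P 2.60.23.14", "205 T99X 1.0.0.1",
          "206 T22P unknown"]

if __name__ == "__main__":
    for ext, status in audit(SAMPLE):
        print(ext, status)
```

Any extension not reported as `ok` needs the firmware upgrade or a manual check; the script does not verify that the "admin" and "user" passwords have been changed.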