Security News > 2023 > August > Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping

Multiple security vulnerabilities have been disclosed in AudioCodes desk phones and Zoom's Zero Touch Provisioning that could be potentially exploited by a malicious attacker to conduct remote attacks.

"An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.'s desk phones and Zoom's Zero Touch Provisioning feature can gain full remote control of the devices," SySS security researcher Moritz Abrell said in an analysis published Friday.

The unfettered access could then be weaponized to eavesdrop on rooms or phone calls, pivot through the devices and attack corporate networks, and even build a botnet of infected devices.

The problems are rooted in Zoom's ZTP, which allows IT administrators to configure VoIP devices in a centralized manner such that it makes it easy for organizations to monitor, troubleshoot and update the devices as and when required.

The study further uncovered improper authentication issues in the cryptographic routines of AudioCodes VoIP desk phones that allow for the decryption of sensitive information, such as passwords and configuration files transmitted via a redirection server used by the phone to fetch the configuration.

The twin weaknesses, i.e., the unverified ownership bug and flaws in the certified hardware, could then be fashioned into an exploit chain to deliver malicious firmware by abusing Zoom's ZTP and triggering arbitrary devices into installing it.

News URL

https://thehackernews.com/2023/08/zoom-ztp-audiocodes-phones-flaws.html