Mitel UC360 Hacked

[ralph]

A group of hackers have found a security flaw in the UC360.
The potential is that someone could listen in on your boardroom conversations without anyone's knowledge.

Here's the details of the hack:  https://www.contextis.com//resources/blog/phwning-boardroom-hacking-android-conference-phone/

Mitel Just released a security advisory:  http://www.mitel.com/mitel-product-security-advisory-17-0003

Ralph

[acejavelin]

A group of hackers have found a security flaw in the UC360.
The potential is that someone could listen in on your boardroom conversations without anyone's knowledge.

Here's the details of the hack:  https://www.contextis.com//resources/blog/phwning-boardroom-hacking-android-conference-phone/

Mitel Just released a security advisory:  http://www.mitel.com/mitel-product-security-advisory-17-0003

Ralph

I saw that and laughed a bit... the conditions for it to occur are pretty unique and it must be an "inside" job for the most part because it requires a compromised DHCP server -AND- physical access to the device. Unless there is a suspicion this could be occuring somewhere, I'm not gonna lose any sleep over this one.

[VinceWhirlwind]

Yes, it needs "inside" access for a couple of minutes minimum.
 
But as he says, these kinds of devices are often in rooms which are unattended and accessed by guests.
 
This risk should be mitigated through physical security measures.
 
I don't know how you stop a device from being tricked into downloading a file by being booted up on a trick switch. Maybe physically mounting the UC360 in such a way as to make the network port inaccessible, and ensuring the patch point is not accessible either.