Making SIP phones more secure with two-factor authentication
Early this year, reports revealed that Yealink had suffered from a critical security gap in the provisioning technology for their IP phones. This gap left countless businesses wondering how they could once again secure their voice conversations and prevent criminals and outside parties from gaining access to their sensitive information.
NFON AG, a leading pan-European cloud PBX provider, was informed by the IT security company VTRUST about the security gaps in the auto-provisioning process of the VoIP phone manufacturer Yealink. Chief Technology Officer of NFON AG, Jan-Peter Koopman, talked to me about the new two-factor authentication solution that is now available with Yealink’s SIP phones.
The NFON technology available for Yealink delivers a two-factor authentication method for authentication and security within the IP environment. Jan-Peter Koopman, who has been with NFON since 2009, told me that NFON had been monitoring the security of the Yealink platform for a few months before the new two-factor authentication (2FA) solution was delivered.
“In August of last year, there was a security breach on VoIP phones from many manufacturers including Yealink. We’ve been alert to the potential of a security issue since then. In September, we were approached with the much more serious security problem regarding safe provisioning. VTRUST approached us and we immediately took this seriously because it’s in our DNA to make sure that the cloud services that we deliver are as secure as possible.”
NFON operates on the principle of safety first, carrying out regular audits of its platform and working continuously on further opportunities for improvement. Based on these analyses, NFON was able to further develop the authentication of Yealink devices to meet the highest standards for the future and guarantee a better level of security for customers.
According to Koopman, the basic challenge with most IP devices is figuring out how to make them work in a fashion that’s easy for end-users, while simultaneously making sure that information doesn’t get into the wrong hands. The first thing that businesses need to do is ensure that everything is secure and encrypted. The next stage is making sure that the authentication is there.
“We need to make sure that the request that reaches us is coming from wherever it’s supposed to be coming from. The presumption before now has been that this security is provided by the phone manufacturer. However, this isn’t always the case.”
“Attackers can authenticate themselves to provisioning services and claim that they’re using a Yealink phone. You wouldn’t necessarily be able to tell the difference.”
If a caller can authenticate themselves to the provisioning service, then they can potentially access a lot of sensitive information, spoof an IP system and compromise an entire platform. Yealink has already seen this issue, but something that can happen to a great company like Yealink is likely to happen to others as well.
NFON has invested a substantial amount of development resources into the creation of the right two-factor authentication tools to close the security gap encountered by Yealink. Rather than relying solely on the authentication messages a device sends to the provisioning service, NFON is introducing a second layer of security.
“If you get the Yealink phone out of the box and connect it to our platform, everything will work as normal. However, if we can’t ensure that the phone is coming from a known and correct source, we’ll ask for additional authentication, a device-dependent PIN code created by us.”
Once NFON has the PIN code, they know that the phone is authentic. They can then deliver the provisioning to the user with the right security tokens to ensure that every subsequent request is authenticated. This goes beyond the plug-and-play experience of provisioning to put an extra layer of security into the mix.
Koopman told me that the only thing that’s different with this new solution is that users might need to provide a PIN once. “We’ve implemented various automation so that we can ensure that this extra measure is only accessed if necessary. If you introduce a new customer, we won’t ask for the authentication dozens or hundreds of times. The user only needs to fully authenticate one phone in their company.”
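To make the flow described above concrete, here is a small Python model of the provisioning decision, written for this article and not taken from NFON’s implementation; the HMAC-derived PIN, the MAC-to-customer registry, the per-customer “verified once” rule and the token format are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed data (not NFON's): server secret, MAC-to-customer registry (assumed to be
# filled by the partner when phones are ordered), customers that already passed a PIN
# step, and tokens issued to devices for subsequent requests.
SERVER_SECRET = b"constructed-provisioning-secret"
DEVICE_OWNER = {"001565aabbcc": "acme", "001565ddeeff": "acme", "001565112233": "globex"}
VERIFIED_CUSTOMERS: set = set()
SESSION_TOKENS: dict = {}
PIN_DIGITS = 6


def device_pin(mac: str) -> str:
    """Device-dependent PIN derived server-side (assumed HMAC construction).
    It is handed to the customer out of band, never returned to the requesting client."""
    digest = hmac.new(SERVER_SECRET, mac.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**PIN_DIGITS).zfill(PIN_DIGITS)


def _deliver(mac: str) -> dict:
    """Hand out the config plus a per-device token that authenticates later requests."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[mac] = token
    return {"status": "ok", "config": f"account.1.label=phone-{mac}", "token": token}


def provision(mac: str, pin: Optional[str] = None, token: Optional[str] = None) -> dict:
    """Provisioning decision: known source or valid token -> config; otherwise PIN challenge."""
    # Requests carrying a previously issued token are authenticated by that token alone.
    if token is not None:
        if hmac.compare_digest(SESSION_TOKENS.get(mac, ""), token):
            return {"status": "ok", "config": f"account.1.label=phone-{mac}"}
        return {"status": "refused", "reason": "bad token"}
    owner = DEVICE_OWNER.get(mac)
    if owner is None:  # a client merely claiming to be a Yealink phone proves nothing
        return {"status": "refused", "reason": "unregistered device"}
    # Known and correct source: the customer already completed the PIN step once.
    if owner in VERIFIED_CUSTOMERS:
        return _deliver(mac)
    if pin is None:
        return {"status": "challenge", "reason": "device PIN required"}
    if hmac.compare_digest(device_pin(mac), pin):
        VERIFIED_CUSTOMERS.add(owner)  # one fully authenticated phone per customer is enough
        return _deliver(mac)
    return {"status": "refused", "reason": "wrong PIN"}
```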
According to Koopman, the solution from NFON benefits from being completely secure and simple too. It’s easy for the customers to use, and it’s simple for partners to implement.
“We wanted a solution that was very partner-friendly.”
From discovering in November of 2019 that there might be an issue with Yealink phones to where NFON is today, it took only a few weeks to do everything. Before Christmas, they already had the basics in place. Within the next few weeks, they had information going out to partners.
I asked Jan-Peter whether he thinks that endpoint vendors should be working harder to keep their devices secure. He said that it’s always easy to make that claim after something has happened. Theoretically, companies could be doing more. However, Yealink and other providers are rethinking how they do things.
No company can find a vendor that is never going to be exposed to a security issue. What matters more in Koopman’s perspective is how these companies respond to potential issues. The speed with which NFON was able to close the security gap is an excellent example of how companies can make agility visible to the end user and learn quickly from security issues, all in order to protect everyone.