I'm trying to consider how to properly vet devices that have exhibited unexplained activity for future deployment. Let's just consider my current scenario as an example, but I am interested in this from a broader standpoint.
We have two IP phones that were purchased at the same time that are behaving strangely and differently from our other, otherwise identical, phones. They are not connected to our network at all at this point, and all my research was done within a tightly controlled environment, monitoring and blocking all network activity. They make unexpected connections in the background over SIP ports to North Korea, Nigeria and China. The manufacturer hasn't confirmed that this is expected activity, but the vendor has verified that the device was acquired directly from the manufacturer.
I've lost confidence in this hardware. Is there any way to regain confidence in it to the point where re-deploying them is a reasonable action?
I'm sure the safest action is just to dump them. Maybe my time isn't worth the effort, but ignoring the time/money issue, is there a way to be reasonably sure that the devices do not pose a threat?
I know that what is reasonable is subjective, but what steps might be taken in that direction? What scenarios need to be considered and how would they be mitigated?
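The post describes watching the phones from an isolated, fully monitored network and noticing SIP-port connections to destinations that no phone on that VLAN should ever reach. The following is an added example (not part of the question or of any answer on this page) of the kind of check that vetting step boils down to: parse a flow log from the isolated segment, compare every SIP-port destination against an allowlist of the hosts a phone is actually provisioned to talk to, and produce a per-device verdict. The log lines, IP addresses and the allowlist are all constructed for the example; a real run would use the flow or firewall export from the quarantine network and the organisation's own SIP proxy and registrar addresses.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed sample flow log from a hypothetical isolated test VLAN.
# Fields: timestamp, source IP, destination IP, destination port, protocol.
# 10.50.0.5 plays the role of the in-house SIP proxy, 10.50.0.1 the DNS resolver;
# 198.51.100.23 and 203.0.113.77 are documentation-range addresses standing in
# for the unexpected external hosts.
SAMPLE_FLOWS = """\
2024-01-10T09:00:01Z 10.50.0.11 10.50.0.5 5060 udp
2024-01-10T09:00:02Z 10.50.0.11 10.50.0.1 53 udp
2024-01-10T09:00:07Z 10.50.0.11 198.51.100.23 5060 udp
2024-01-10T09:00:09Z 10.50.0.12 203.0.113.77 5061 tcp
2024-01-10T09:00:12Z 10.50.0.12 10.50.0.5 5060 udp
2024-01-10T09:01:30Z 10.50.0.11 198.51.100.23 5060 udp
"""

# Standard SIP signalling ports: 5060 (UDP/TCP) and 5061 (SIP over TLS).
SIP_PORTS = {5060, 5061}

# Hypothetical allowlist: the only hosts a phone on this VLAN is provisioned to reach.
EXPECTED_HOSTS = {"10.50.0.5", "10.50.0.1"}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def unexpected_sip_flows(flows: list[Flow], expected=EXPECTED_HOSTS) -> list[Flow]:
    """SIP-port flows whose destination is not on the provisioning allowlist."""
    return [f for f in flows if f.dport in SIP_PORTS and f.dst not in expected]


def summarize_by_pair(flows: list[Flow]) -> dict[tuple[str, str], int]:
    """Count flows per (source, destination) pair so repeat contacts stand out."""
    return dict(Counter((f.src, f.dst) for f in flows))


def device_verdicts(flows: list[Flow], expected=EXPECTED_HOSTS) -> dict[str, bool]:
    """Per source device: True means 'unexplained SIP contact seen, keep quarantined'."""
    verdicts = {f.src: False for f in flows}
    for f in unexpected_sip_flows(flows, expected):
        verdicts[f.src] = True
    return verdicts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    bad = unexpected_sip_flows(flows)
    for (src, dst), n in summarize_by_pair(bad).items():
        print(f"{src} -> {dst}: {n} unexpected SIP flow(s)")
    for device, quarantined in device_verdicts(flows).items():
        print(f"{device}: {'keep quarantined' if quarantined else 'no unexpected SIP activity'}")
```

The point of keeping the allowlist explicit is that the verdict is reproducible: a phone only clears the check when every SIP-port flow it generates, over the whole observation window, goes to a host the organisation itself configured. Anything else, however infrequent, is exactly the behaviour the question describes and is reason enough to leave the device off the production network.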