
I'm trying to consider how to properly vet devices that have exhibited unexplained activity for future deployment. Let's just consider my current scenario as an example, but I am interested in this from a broader standpoint.

We have two IP phones that were purchased at the same time that are behaving strangely and differently from our other, otherwise identical phones. They are not connected to our network at all at this point, and all my research was done within a tightly controlled environment, monitoring and blocking all network activity. They make unexpected connections in the background over SIP ports to North Korea, Nigeria and China. The manufacturer hasn't confirmed that this is expected activity, but the vendor has verified that the devices were acquired directly from the manufacturer.

I've lost confidence in this hardware. Is there any way to regain confidence in it to the point where re-deploying them is a reasonable action?

I'm sure the safest action is just to dump them. Maybe my time isn't worth the effort, but ignoring the time/money issue, is there a way to be reasonably sure that the devices do not pose a threat?

I know that what is reasonable is subjective, but what steps might be taken in that direction? What scenarios need to be considered and how would they be mitigated?

flickerfly
    You might have to re-focus this question. As it stands, you're asking about vendor- and device-specific configuration or management, which is not in scope here (not a high chance we can help). On the other hand, if you're asking about IP phones in general, or devices over which you have limited configuration control, there might be a question in there. – schroeder Nov 06 '14 at 21:36

1 Answer

Since these are embedded devices, it's hard to say exactly as far as details go. Perhaps you can have the manufacturer provide you with a method of securely wiping the phones and replacing what is on there with their latest firmware? They could also potentially provide a way to integrity-check the firmware images, BIOS, etc. After performing all this, doing the same network traffic monitoring you have done will confirm whether they are still making suspicious outbound connections. If you went through those steps and the network traffic appeared clean over a reasonable period of time, then you could feel safe reintroducing them into production.

theterribletrivium
  • I imagine if I was the coder of the attack, I'd build in a 30-90 day sleep after a firmware replacement. Is this something I should realistically be concerned about? – flickerfly Nov 07 '14 at 15:40
  • It's possible; perhaps in this scenario you could test resetting the firmware using what is on the device. Once you've done that, start monitoring it and see if the network traffic reoccurs, and when. Given we're not constrained by time or resources, I would suggest that as another means to be assured it is safe. If the device can't contact the outside world, it can't update that firmware, so it will presumably act the same every time. – theterribletrivium Nov 07 '14 at 19:06
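
The verify-then-monitor procedure from the answer, together with the dormant-period concern raised in the comments, as an added worked example that is not part of the original question, answer or comments. It checks a downloaded firmware image against a manufacturer-published SHA-256 digest (such a digest is assumed to be available), then triages flow records exported from the isolated monitoring segment: it flags every SIP-port connection the phone itself initiated to a peer not on an allowlist, and reports per-peer first/last seen plus the longest quiet gap between flagged connections, so a clean observation window can be judged against any dormancy already observed rather than picked arbitrarily. The device address 10.99.0.21, the allowlisted trunk peer 203.0.113.10, the flow-record format and the sample records are all constructed for the example.

```python
"""Added example: firmware digest check plus egress flow triage for a quarantined IP phone."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

SIP_PORTS = {5060, 5061}  # SIP over UDP/TCP and SIP over TLS

# Constructed sample flow records exported from the isolated monitoring segment.
# Format (assumed): "timestamp proto src sport dst dport". Addresses are from
# documentation ranges, not real peers.
SAMPLE_FLOWS = """\
2014-11-01T09:00:01Z udp 10.99.0.21 5060 203.0.113.10 5060
2014-11-01T09:00:05Z udp 10.99.0.21 40112 10.99.0.1 123
2014-11-01T09:03:12Z udp 10.99.0.21 5060 198.51.100.77 5060
2014-11-02T02:14:50Z udp 10.99.0.21 5060 198.51.100.77 5060
2014-12-15T03:00:00Z tcp 10.99.0.21 5061 192.0.2.8 5061
"""


def firmware_digest(image: bytes) -> str:
    """SHA-256 of a firmware image as lowercase hex, to compare with the vendor's published value."""
    return hashlib.sha256(image).hexdigest()


def verify_firmware_image(image: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison against the digest the manufacturer publishes (assumed to exist)."""
    return hmac.compare_digest(firmware_digest(image), expected_sha256_hex.strip().lower())


def parse_flows(text: str) -> list:
    """Parse one-flow-per-line records into dicts with UTC timestamps and IP address objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "proto": proto.lower(),
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
        })
    return flows


def unexpected_sip_flows(flows: list, device: str, allowed_peers) -> list:
    """Flows the device itself initiated to a SIP port on a peer not in the allowlist."""
    dev = ipaddress.ip_address(device)
    allowed = {ipaddress.ip_address(p) for p in allowed_peers}
    return [f for f in flows
            if f["src"] == dev and f["dport"] in SIP_PORTS and f["dst"] not in allowed]


def summarize_peers(flagged: list) -> dict:
    """Per-peer first seen, last seen, flow count and (proto, port) pairs."""
    summary = {}
    for flow in sorted(flagged, key=lambda x: x["ts"]):
        peer = summary.setdefault(str(flow["dst"]), {
            "first_seen": flow["ts"], "last_seen": flow["ts"], "count": 0, "ports": set()})
        peer["last_seen"] = flow["ts"]
        peer["count"] += 1
        peer["ports"].add((flow["proto"], flow["dport"]))
    return summary


def longest_quiet_gap_days(flagged: list) -> float:
    """Largest gap in days between consecutive flagged connections. A clean monitoring
    window shorter than this could simply have fallen inside a dormant phase."""
    times = sorted(f["ts"] for f in flagged)
    if len(times) < 2:
        return 0.0
    return max((later - earlier).total_seconds()
               for earlier, later in zip(times, times[1:])) / 86400


if __name__ == "__main__":
    image = b"constructed firmware image bytes"   # stands in for the downloaded image file
    published = firmware_digest(image)            # stands in for the vendor-published digest
    print("firmware digest ok:", verify_firmware_image(image, published))

    flagged = unexpected_sip_flows(parse_flows(SAMPLE_FLOWS), "10.99.0.21", {"203.0.113.10"})
    for peer, info in summarize_peers(flagged).items():
        print(f"{peer}: {info['count']} flows, first {info['first_seen']:%Y-%m-%d}, "
              f"last {info['last_seen']:%Y-%m-%d}, {sorted(info['ports'])}")
    print(f"longest quiet gap between flagged connections: "
          f"{longest_quiet_gap_days(flagged):.1f} days")
```

The filter is deliberately narrow: a phone that has no reason to register anywhere but your own trunk should produce no egress on SIP ports to other peers at all, so any hit is the signal, and the NTP flow to the local gateway is ignored. If the devices were to reach the same peers over other ports, the port set would need widening. The quiet-gap figure is the practical answer to the delayed-activation worry: if the longest gap already seen between beaconing attempts is 43 days, a two-week clean run after re-flashing proves little.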