Cisco, Avaya, and Polycom hard phones are probably the most popular phones in enterprise networks. Regardless of vendor, though, any type of hard phone comes with security issues. For example, an attacker can compromise the phone's configuration file or simply upload a malicious one. Fortunately, username and password information is usually not stored in the hard phone's configuration file, so the impact of a compromised file is somewhat mitigated. Instead, the risks posed by a hard phone's vulnerabilities are general enumeration attacks and Denial of Service (DoS) attacks. The following sections discuss these VoIP hard phone vulnerabilities:
Compromising the phone's configuration file
Uploading a malicious configuration ...