Digital Enhanced Cordless Telecommunications (DECT) is a globally common standard for wireless telephones. Various vulnerabilities have been found in DECT that may allow a third party to eavesdrop on unencrypted calls. Security methods supported by DECT include encrypting transmission data and using authentication for phones and base stations. The DECT Standard Cipher (DSC) is used for encryption and the DECT Standard Authentication Algorithm (DSAA) is used for authentication. Even when encryption and authentication are used, it was found that a third party may be able to pose as a wireless base station to deactivate encryption or divert traffic.
These findings are credited to various researchers affiliated with the Technical University of Darmstadt. More information on these vulnerabilities may be found here.
Avaya has two telephony systems which use the DECT wireless standard and are affected by these vulnerabilities: IP DECT and ISDN DECT. Avaya products which support the IP DECT solution include Communication Manager (CM) and IP Office. Avaya products which support the ISDN DECT solution include Integral Enterprise 55 (I55) and Integral 5.
| Product: | Affected Version(s): | Risk Level: | Actions: |
|---|---|---|---|
| IP DECT Solution | All versions of: | Medium | Please ensure that all available security measures are enabled, such as authentication and encryption. Authentication is used by default both when wireless phones subscribe to an IP DECT base station and before each call is made. When subscribing new cordless telephones via the IP DECT handsets interface, always use a reasonable length authentication code (at least 8 digits) which cannot be easily guessed. This issue will be addressed in accordance with Avaya's Product Security Vulnerability Response Policy. |
| ISDN DECT Solution | All versions of: | Medium | ISDN DECT uses strong authentication by default, but encryption is not used for communications. This issue will be addressed in accordance with Avaya's Product Security Vulnerability Response Policy. |
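
One way to screen handset subscription authentication codes against the guidance in the table above, as an added example that is not Avaya's code. Only the 8-digit minimum comes from the advisory; the function names and the specific guessability rules (few distinct digits, counting runs, repeated blocks) are assumptions.

```python
import secrets
from typing import Optional

MIN_DIGITS = 8  # minimum length recommended in the advisory


def weakness(code: str) -> Optional[str]:
    """Return the reason a code is easy to guess, or None if no rule fires.

    Apart from the length minimum, the rules are illustrative assumptions.
    """
    if not (code.isascii() and code.isdigit()):
        return "not numeric"
    if len(code) < MIN_DIGITS:
        return "shorter than 8 digits"
    if len(set(code)) < 4:
        return "too few distinct digits"      # 00000000, 11223311
    # Counting runs up or down, wrapping at 9/0: 12345678, 87654321, 90123456
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    if steps in ({1}, {9}):
        return "sequential digits"
    # A string built by repeating a shorter block occurs inside its own
    # doubling with the first and last character removed: 12341234
    if code in (code + code)[1:-1]:
        return "repeated block"
    return None


def generate_code(length: int = MIN_DIGITS) -> str:
    """Draw a code from the OS CSPRNG, redrawing if a weakness rule fires."""
    if length < MIN_DIGITS:
        raise ValueError("length below the advisory's 8-digit minimum")
    while True:
        code = "".join(secrets.choice("0123456789") for _ in range(length))
        if weakness(code) is None:
            return code


if __name__ == "__main__":
    # Constructed sample codes, not taken from any real deployment.
    for sample in ("1234567", "00000000", "90123456", "12341234", "83920517"):
        print(sample, "->", weakness(sample) or "ok")
    print("generated:", generate_code())
```
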
Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
V 1.0 - February 3, 2009 - Initial Statement issued.
Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or [email protected].
© 2009 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.