Customer (K12 with nearly 2000 devices on the network) has a local FPBX 14 system with about 130 phones, mostly older Yealink T22P and T28P phones. They’ve detected at least 6 hacked phones recently so I’m working to secure their installation and prevent further hacks. I suspect there is a compromised device on the network that is sniffing traffic in order to pull extensions and secrets since provisioning is via TFTP, but it’s just a guess.
So I have two questions:
1. Are there other ways these phones could be hacked? (Details are most welcome.)
2. These phones do not support HTTPS provisioning, so what is the best way to secure them? Even if I use HTTP provisioning with a username/password, they could still be sniffed if there is a compromised device, right? And even if they did support HTTPS, the username and password would still need to be passed to the phones via DHCP option 66, which again is cleartext and sniffable. Right? So again, what is the best way (best practices) to secure them?
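One way to test the "compromised device pulling configs over TFTP" theory is to look at who is actually issuing TFTP read requests, since a harvester has to ask the server for each phone's config file. The script below is an added example, not from the original post or from FreePBX/Yealink; it assumes Yealink phones fetch a per-device file named `<MAC>.cfg` (plus a common `y000000000000.cfg`), and it works on constructed TFTP payloads rather than a real capture. It parses the TFTP RRQ packet format (opcode 1, NUL-terminated filename and mode) and flags any source IP that requests more than one MAC-named config, which a single legitimate phone never does.

```python
"""
Added example: spot a host harvesting Yealink provisioning files over TFTP.

Assumptions (not stated in the original post):
  - per-phone config files are named <12-hex-digit MAC>.cfg
  - the provisioning server listens on standard TFTP (UDP/69)
  - input is a list of (source_ip, udp_payload) pairs; here the
    payloads are constructed inline rather than read from a pcap
"""
import re
from collections import defaultdict

TFTP_OPCODE_RRQ = 1  # TFTP read request (RFC 1350)

# Yealink-style per-device config name, e.g. 0015651a2b3c.cfg (assumption)
MAC_CFG = re.compile(r"^[0-9a-f]{12}\.cfg$", re.IGNORECASE)


def parse_tftp_rrq(payload: bytes):
    """Return (filename, mode) for a TFTP RRQ payload, else None.

    Layout: 2-byte opcode, filename, NUL, mode, NUL. Anything that is not
    a well-formed read request (DATA, ACK, truncated packets) is ignored.
    """
    if len(payload) < 4 or int.from_bytes(payload[:2], "big") != TFTP_OPCODE_RRQ:
        return None
    fields = payload[2:].split(b"\x00")
    # filename, mode, and the empty remainder after the final NUL
    if len(fields) < 3:
        return None
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None


def find_harvesters(packets, threshold=2):
    """Map source IP -> sorted MAC-config filenames it requested, keeping only
    sources that asked for at least `threshold` distinct per-device configs.
    A real phone requests only its own <MAC>.cfg, so two or more is suspicious.
    """
    requests = defaultdict(set)
    for src_ip, payload in packets:
        parsed = parse_tftp_rrq(payload)
        if parsed is None:
            continue
        filename, _mode = parsed
        if MAC_CFG.match(filename):
            requests[src_ip].add(filename.lower())
    return {ip: sorted(files) for ip, files in requests.items() if len(files) >= threshold}


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP read request payload (used to construct the sample below)."""
    return b"\x00\x01" + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


# Constructed sample traffic: two phones fetching their own files, one host
# (10.20.9.200) walking through several phones' configs, one DATA packet.
SAMPLE_PACKETS = [
    ("10.20.1.51", rrq("y000000000000.cfg")),   # common file, not per-device
    ("10.20.1.51", rrq("0015651a2b3c.cfg")),
    ("10.20.1.52", rrq("0015651a2b3d.cfg")),
    ("10.20.9.200", rrq("0015651a2b3c.cfg")),
    ("10.20.9.200", rrq("0015651a2b3d.cfg")),
    ("10.20.9.200", rrq("0015651a2b3e.cfg")),
    ("10.20.9.200", b"\x00\x03\x00\x01data"),   # TFTP DATA block, ignored
]

if __name__ == "__main__":
    for ip, files in find_harvesters(SAMPLE_PACKETS).items():
        print(f"{ip} requested {len(files)} per-device configs: {', '.join(files)}")
```

To run this against real traffic you would capture UDP/69 on the PBX (for example with tcpdump) and feed each request's source IP and UDP payload into `find_harvesters`; reading the pcap needs a library such as scapy or dpkt, which is left out here to keep the example self-contained. Note the limit of this check: it catches a host that actively fetches other phones' configs, not a purely passive sniffer on a mirrored or hubbed segment, which leaves no TFTP requests of its own.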