Yealink, a leading global provider of unified communications and collaboration solutions, has recently faced some scrutiny due to alleged security concerns about its products and services.
These claims suggest that Yealink products are vulnerable to attacks and may be used by third parties to achieve unauthorized surveillance. As a responsible and thorough investigator of the products we deliver, it is our duty to assess the veracity of these accusations and provide a balanced perspective on the matter.
In this article, we examine the evidence at hand and explore the rigorous security measures implemented by Yealink to ensure the safety and privacy of its users. We hope this helps you understand the issue and make informed decisions about Yealink's products with renewed confidence.
Chain Security, a relatively new network security auditing business founded in 2017 and based in Switzerland, published a report in July 2021 about Yealink's T54W IP business phone and its interaction with the Yealink Device Management Platform (YDMP).
According to the report, Chain Security engineers took two T54W IP phones, registered them with a commercial VoIP provider, and connected one with Yealink's cloud-based YDMP service. This setup was observed for about two weeks.
The report cited alleged security vulnerabilities, including the unauthorized collection of data by the YDMP, certain insecure default phone settings and the potential ability to surveil the network to which a phone is connected. The report also suggested that Yealink is somehow in league with certain government organizations to collect unauthorized data and information about the company's customers.
The report gained notoriety in September of 2021 when it was forwarded by a United States senator to the Secretary of the U.S. Department of Commerce, bringing it to her attention and the industry's attention.
In January 2022, Yealink published a statement addressing each of the report’s findings. A summary of these findings can be found below.
First and foremost, Yealink is a publicly traded company with non-government origin, ownership, and background. It has been traded on the Shenzhen Stock Exchange (SHE) as Yealink Network Technology Co Ltd since March 2017. There is no association of the company with any government bodies or organizations.
Second, it must be made clear that the report has made some unfounded and inaccurate assumptions. These include the following:
Yealink's YDMP product is a centralized device management software solution typically installed on-premises within an organization's network infrastructure. It operates under strict security measures implemented on the enterprise network by the business itself.
Any security vulnerabilities in such a scenario are not inherent to the product's design but depend upon how security is implemented on the enterprise network.
It is likely that the report erroneously referred to YDMP when it was actually referring to the Yealink Management Cloud Service (YMCS), the Yealink Redirection and Provisioning Server (YRPS), or both. These online services are used to deploy and troubleshoot Yealink devices remotely. Both platforms deliver standard services among vendors of similar UC equipment within the telecom industry.
To ensure customer security and privacy, these services have acquired GDPR certification from TÜV Rheinland, certifying their status as safe and secure services. In addition, these online services are hosted by well-known cloud service providers in the United States and Europe; not in China as stated by the report.
In the software development process, firmware updates are essential to maintaining and improving product performance and security. It is common for developers and even product users to encounter bugs or vulnerabilities during the iterative process of firmware development, patching, and updating.
The bugs mentioned by the report include vulnerabilities pertaining to potential DDoS attacks, certificate security, and software security. However, testing was performed using an old Yealink firmware version that complied with the security requirements upon its initial release but has since been replaced. Yealink’s due process has already discovered the cited bugs and has resolved them.
It’s also important to note that the vulnerabilities found were not only inherent to Yealink’s firmware but also to the Linux kernel on which the firmware is based.
Once again, this is not an alarming occurrence but a natural part of the development of all firmware, software and operating systems. These Linux-based vulnerabilities were resolved along with key phone-related ones during the secondary development process.
Another claim of the report is that many default settings of the phone render the device vulnerable to attack and at risk of being used as an intermediary agent to collect data.
There are certain default settings that administrators must be sure to modify before deployment, such as the default admin password, which is considered best practice throughout the industry. Other default settings, such as some open well-known TCP ports, were specific to the older firmware being tested. These, too, have been remedied in the updated firmware.
The report seems to be referencing these details, which, again, are not considered unusual within the software development framework, in an unduly alarming manner.
As a global leader in this industry, Yealink is dedicated to providing customers with the highest quality UC and collaboration solutions. The company has repeatedly emphasized that its top priorities are the security and privacy of its users, which is why it is so committed to upholding stringent security standards.
Yealink has implemented a robust, multi-layered security framework encompassing product design, development, testing, and deployment to safeguard the integrity and confidentiality of user data.
It uses industry-standard encryption protocols and methodologies, and all its products undergo rigorous security assessments. As has already been stated, all its products are subject to continuous improvement based on industry best practices and evolving threat landscapes.
As a trusted partner and platinum-level distributor of Yealink's cutting-edge communications and collaboration solutions, TeleDynamics stands firmly behind the company's commitment to security and privacy.
We have consistently witnessed Yealink's dedication to implementing robust, multi-layered security measures across its product lines, ensuring the highest level of protection for our mutual customers. TeleDynamics remains confident in Yealink's ability to deliver secure, reliable, and innovative solutions that meet and exceed the expectations of organizations worldwide.
You may also like:
Market demand for Yealink videoconferencing
Yealink MP series phones for Microsoft Teams
Yealink BH vs. WH headsets: which to choose?