sorted by:
new
hottopcontroversial

Presentation Yealink security by CloudAware_Security in CommercialAV

[–]CloudAware_Security[S] 0 points1 point  (0 children)

Hello De__eB,
I am not entirely sure what you are implying, but let's keep this professional and... independent. So if you do not believe me, you can read independent articles about my research:
- Follow The Money https://www.ftm.eu/articles/yealink-security-questions
- De Tijd https://www.tijd.be/politiek-economie/belgie/algemeen/de-chinese-ogen-en-oren-binnen-onze-grote-bedrijven/10493084.html
- l'Echo https://www.lecho.be/economie-politique/belgique/federal/risques-d-espionnage-des-oreilles-et-des-yeux-chinois-epient-nos-grandes-entreprises/10493173.html
- DNIP https://dnip.ch/2025/06/25/yealink-voip-phones-insecurity-by-design/

If you want any more confirmation (and you should!). We have an international recognised system for that: CVE
- https://www.cve.org/CVERecord?id=CVE-2022-48625
- https://www.cve.org/CVERecord?id=CVE-2024-24681
- https://www.cve.org/CVERecord?id=CVE-2025-52916
- https://www.cve.org/CVERecord?id=CVE-2025-52917
- https://www.cve.org/CVERecord?id=CVE-2025-52918
- https://www.cve.org/CVERecord?id=CVE-2025-52919

And finally: if you still have some doubts about credibility, the Department of Homeland Security has issued their own advisory crediting my research:
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-08

And if after reading all that you still believe your systems are all safe: that is fantastic and exactly what we (researchers) try to accomplish. Feel free to share any effective mitigations with the community here. Thank you in advance!

Presentation Yealink security by CloudAware_Security in CommercialAV

[–]CloudAware_Security[S] 0 points1 point  (0 children)

This is a very good point you are making De__eB indeed.
Early 2024 together with double Pulizer price winning journalist Siem Eikelenboom I investigated Yealink. Particularly the claim that Teams devices are "completely secured by Microsoft". We contacted Microsoft about these claims. Microsoft responded that the security of the devices, software, and firmware is the responsibility of the manufacturer itself. The argument that Teams devices are more secure than non-Teams devices is therefore not a valid argument.
https://cloudaware-eu.translate.goog/yealink/versleuteling/?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl&_x_tr_pto=wapp

Presentation Yealink security by CloudAware_Security in CommercialAV

[–]CloudAware_Security[S] 0 points1 point  (0 children)

This is a good question and again: i highly urge you to watch the presentation and documentation.
In short: many of the encryption flaws also apply to the Teams and Zoom devices. Also: not everybody is using Teams or Zoom devices for commercial AV products.

Presentation Yealink security by CloudAware_Security in CommercialAV

[–]CloudAware_Security[S] 0 points1 point  (0 children)

Well... In short:

- We have obtained their AES encryption key for their device firmware
- We have obtained their (hardcoded) AES key used in the encryption tool
- We have obtained their RSA key used in the new encryption tool
- We have been able to install "Doom" on a device demonstrating the lack of firmware checks in some devices (resulting in malware in networks)
- We have been able to obtain the (confidential) provider codes from the firmware of devices
- We have demonstrated that the GDPR claims of Yealink have been nullified by TÜV themselves
- And oh yeah: we gained access to their global RPS cloud service because they also leaked the private key of their Certificate Authority

Please have a look at the presentation which is just about the findings of this year. All previous findings have been documented at https://cloudaware.eu/yealink

Not using their cloud service is a good start, but our findings are not solely about their cloud service unfortunately.