Poly Voice Impersonation Vulnerability via Extracted Test Key and Certificate

A vulnerability exists in certain Poly Voice devices, allowing an embedded test key and certificate to be extracted through specialized reverse engineering tools. If this certificate is obtained, it could be accepted by a SIP service provider that fails to properly validate device certificates, potentially leading to unauthorized impersonation of the Poly Voice device.

Impact

Exploitation of this vulnerability could result in unauthorized impersonation of a Poly Voice device by a SIP service provider.

Remediation

Service providers should ensure full validation of certificates before provisioning Poly Voice devices, including checking the certificate revocation status and validating the Common Name in the Subject Name field. Affected Poly Voice devices should be updated to the latest PVOS or UCS release using the Poly Lens Device Management App.