Yealink Forums

Full Version: Security bug in autoprovisioning
According to the German news site Heise, there is a severe security bug in the autoprovisioning mechanism of all Yealink phones:
https://www.heise.de/ct/artikel/Grave-Vu...54617.html

Yealink was contacted a few months ago, but isn't able to respond to this problem or fix it. This has to be done immediately.
We will stop all purchase plans for our company if Yealink doesn't take security more seriously.
(02-07-2020 09:30 AM) clicks Wrote: According to the German news site Heise, there is a severe security bug in the autoprovisioning mechanism of all Yealink phones:
https://www.heise.de/ct/artikel/Grave-Vu...54617.html

Yealink was contacted a few months ago, but isn't able to respond to this problem or fix it. This has to be done immediately.
We will stop all purchase plans for our company if Yealink doesn't take security more seriously.

I've just read this too, we have hundreds of phones on the RPS service, this is disgraceful if true.
For anyone who's paying attention to this, Yealink just issued an update to all of their RPS subscribers noting that two-factor authentication has now been implemented.

From the description of what they have changed, I assume this is a direct response to the concerns brought up previously in the mentioned article. Since Heise never publicly mentioned exactly what the problem was or how the attack took place, I can't verify that for sure, but they did mention "lack of two-factor authentication" as part of the problem, so it sounds like this is how Yealink has addressed it.

I don't have all the technical details, but it seems like RPS now keeps track of device requests and once a device has contacted RPS once it will only be allowed to talk to RPS again if the user manually confirms the physical serial number, or the RPS account holder deliberately enables it to make another request.
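The control described in the post above (a redirect service that remembers the first contact from a device and refuses further requests until the account holder confirms the physical serial or explicitly re-enables the device) can be modelled in a few lines. The following is an added example written for this thread, not Yealink's code or a description of how RPS actually works internally; the class and method names, the MAC addresses, serials and provisioning URL are all constructed for illustration.

```python
"""Toy model of a first-contact-binding redirect service.

Policy modelled (as described second-hand in the thread, not verified):
  * a device MAC is registered to an account together with its serial and
    the account's provisioning URL;
  * the first request from that MAC is redirected to the provisioning URL;
  * any later request is refused until the account holder either confirms
    the serial printed on the physical device or deliberately re-enables
    one more request for that MAC.
All identifiers below are made up for the example.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    REDIRECT = "redirect to provisioning URL"
    DENIED_PENDING_CONFIRMATION = "denied: MAC already seen, confirmation required"
    DENIED_UNKNOWN = "denied: MAC not registered to any account"


@dataclass
class DeviceRecord:
    serial: str                    # serial printed on the phone's label
    provisioning_url: str          # where the device is redirected
    contacts: int = 0              # how many redirects have been issued
    next_request_allowed: bool = True


@dataclass
class RpsRegistry:
    devices: dict = field(default_factory=dict)   # MAC -> DeviceRecord
    audit: list = field(default_factory=list)     # (mac, decision) pairs

    def register(self, mac: str, serial: str, provisioning_url: str) -> None:
        """Account holder enrols a device (MAC + serial) for redirection."""
        self.devices[mac.lower()] = DeviceRecord(serial, provisioning_url)

    def handle_request(self, mac: str):
        """A phone asks 'where is my config?'. Returns (Decision, url|None)."""
        rec = self.devices.get(mac.lower())
        if rec is None:
            self.audit.append((mac, Decision.DENIED_UNKNOWN))
            return Decision.DENIED_UNKNOWN, None
        if not rec.next_request_allowed:
            # Second contact from a MAC that was already redirected once:
            # an attacker who learned or guessed the MAC lands here.
            self.audit.append((mac, Decision.DENIED_PENDING_CONFIRMATION))
            return Decision.DENIED_PENDING_CONFIRMATION, None
        rec.contacts += 1
        rec.next_request_allowed = False      # one redirect per approval
        self.audit.append((mac, Decision.REDIRECT))
        return Decision.REDIRECT, rec.provisioning_url

    def confirm_serial(self, mac: str, serial_from_label: str) -> bool:
        """Second factor: the user types the serial from the physical device.

        Constant-time comparison so a wrong guess leaks nothing via timing.
        """
        rec = self.devices.get(mac.lower())
        if rec is None:
            return False
        if not hmac.compare_digest(rec.serial.encode(), serial_from_label.encode()):
            return False
        rec.next_request_allowed = True
        return True

    def allow_another_request(self, mac: str) -> bool:
        """Account holder deliberately re-arms the device (e.g. after a reset)."""
        rec = self.devices.get(mac.lower())
        if rec is None:
            return False
        rec.next_request_allowed = True
        return True


def demo() -> list:
    """Walk through legitimate first boot, an attacker's replay, and recovery."""
    rps = RpsRegistry()
    rps.register("00:15:65:aa:bb:cc", "SN-EXAMPLE-0001", "https://pbx.example/prov/")
    out = []
    out.append(rps.handle_request("00:15:65:AA:BB:CC")[0])   # legit phone, first boot
    out.append(rps.handle_request("00:15:65:aa:bb:cc")[0])   # replay by someone else
    out.append(rps.handle_request("00:15:65:de:ad:00")[0])   # MAC nobody registered
    out.append(rps.confirm_serial("00:15:65:aa:bb:cc", "SN-WRONG"))        # bad serial
    out.append(rps.confirm_serial("00:15:65:aa:bb:cc", "SN-EXAMPLE-0001")) # real label
    out.append(rps.handle_request("00:15:65:aa:bb:cc")[0])   # allowed exactly once more
    out.append(rps.handle_request("00:15:65:aa:bb:cc")[0])   # and locked again
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of the model is the asymmetry it creates: knowing a MAC (which an attacker can enumerate or observe) is enough for at most one redirect, while every further one needs either the serial from the device label or an action in the account holder's portal. It says nothing about what the original weakness was, only what the announced control buys if it works as described.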
Good to hear, hopefully it fixes the problem, although it will be difficult to verify until all details are public, as you already stated.
Hopefully Yealink will react a bit earlier in the future, without any pressure from the press.