Security bug in autoprovisioning
clicks Offline
Junior Member
**

Posts: 10
Joined: Jan 2015
Reputation: 0
Post: #1
Security bug in autoprovisioning
According to the German news site Heise there is a severe security bug in the autoprovisioning mechanism of all Yealink phones:
https://www.heise.de/ct/artikel/Grave-Vu...54617.html

Yealink has been contacted a few months ago, but isn't able to respond to this problem nor fix it. This has to be done immediately.
Will stop all purchase plans for our company if Yealink doesn't take security more seriously.
02-07-2020 09:30 AM
DarrenWilliams Offline
Junior Member
**

Posts: 6
Joined: Nov 2018
Reputation: 0
Post: #2
RE: Security bug in autoprovisioning
(02-07-2020 09:30 AM)clicks Wrote:  According to the German news site Heise there is a severe security bug in the autoprovisioning mechanism of all Yealink phones:
https://www.heise.de/ct/artikel/Grave-Vu...54617.html

Yealink has been contacted a few months ago, but isn't able to respond to this problem nor fix it. This has to be done immediately.
Will stop all purchase plans for our company if Yealink doesn't take security more seriously.

I've just read this too, we have hundreds of phones on the RPS service, this is disgraceful if true.
02-07-2020 01:24 PM
jolouis Offline
Moderator
*****

Posts: 339
Joined: Oct 2013
Reputation: 6
Post: #3
RE: Security bug in autoprovisioning
For anyone who's paying attention to this, Yealink just issued an update to all of their RPS subscribers noting that 2 factor authentication has now been implemented.

From the description of what they have changed I assume this is a direct response to the concerns brought up previously in the mentioned article. Since Heise never publicly mentioned exactly what the problem was or how the attack took place I can't verify that for sure, but they did mention "lack of 2 factor authentication" as part of the problem, so sounds like this is how Yealink has addressed it.

I don't have all the technical details, but it seems like RPS now keeps track of device requests and once a device has contacted RPS once it will only be allowed to talk to RPS again if the user manually confirms the physical serial number, or the RPS account holder deliberately enables it to make another request.
02-12-2020 03:03 PM
clicks Offline
Junior Member
**

Posts: 10
Joined: Jan 2015
Reputation: 0
Post: #4
RE: Security bug in autoprovisioning
Good to hear, hopefully it fixes the problem, although it will be difficult to verify until all details are public, as you already stated.
Hopefully Yealink will react a bit earlier in the future, without any pressure from the press.
02-12-2020 03:28 PM