Hacked phones: IP access control / pubkey auth?

[jpoppenk]

Dear Yealink,

I have three Yealink phones (T32, T46). I changed the password as soon as I received the phones (to an eight random character value), patched to the latest firmware and adjusted the setting to block IP calls, so the phones at least did not spontaneously ring any more. In spite of these steps, all of the phones were hacked to redirect calls to an international number.

I logged onto all the phones and turned off the forwarding, set new 50-character passwords, uploaded my backed-up config settings, checked the autoprovisioning (nothing there) and do not see any residual evidence of tampering. I also set my logging settings to level 6. But the next day one of my phones is again compromised. So perhaps there is a backdoor in the software.

I would like to take some security precautions, but am not sure how or whether they are currently possible:

1) I would like to remedy this by simply blocking all IP's except for my voip server and subnet. This should be straightforward on a linux based sytem like the Yealink phones (modify the /etc/hosts.allow file), but I can't find any information about how to do this. I found documentation on allow lists for action USIs but I suspect it is the web interface getting cracked.

2) I would like to use pubkey authentication for making changes to the phone settings rather than password access. Is something like this possible?

Thank you in advance for your help.