Hacked phones: IP access control / pubkey auth?

[jpoppenk]

Dear readers, Yealink support was of no help at all in resolving my issue. Take this into account when deciding upon your next purchase. However, I tried a few things that seem to be working. Based on my experience, here is some advice to fellow users:

1) New Yealink phones appear to have security open by default. Make sure to not only set a strong password, block IP calls, and trust SIP only from the server for *every account*, but also to set action_uri_limit_ip to some value (like 0), even if you are not using action uri's or have no idea what that is. Otherwise the whole world can (and will) remote control your phone.

2) You need to have a server and learn how to autoprovision to make your phone work properly, because at the time of writing, essential security features (such as block IP call) are not accessible from the web interface of all Yealink phones.

3) If you get hacked, don't waste time trying to figure out what they changed. Just hold the OK button for 10 seconds to reset your phone to factory settings. This was the only way I was able to prevent my phones from reverting to their pwned state. I suspect the hackers installed files that influenced operation beyond what is visible in the web interface.

4) If you're unfamiliar with VOIP phones, people are trying to hack your phone all the time. Make sure you get your security locked down right away. Also, due to apparent security flaws in these phones, a seven-letter password was insufficient. A 50-character password seems to be holding for now.