GOT HACKED... THERE'S AN ENTRYPOINT in W52P

Author: fseesink (Junior Member, joined Oct 2013, posts: 4), post #8

RE: GOT HACKED... THERE'S AN ENTRYPOINT in W52P
OK, no luck getting a response about the blacklisting. So here's what I tried to email you and the others you listed (Tony, Mike, and Flora) the other night regarding this. And since your forum editor is crap, as none of the toolbar buttons work (showing "undefined" tags for everything), I'm manually doing things to format this for now. Apologies if you didn't want this posted publicly, but Yealink left me little choice since your support infrastructure leaves much to be desired. Hopefully this post will actually work.


Quote: On Oct 24, 2013, at 2:36 AM, Ailsa <ailsa@yealink.com> wrote:

Hi fseesink,

I am Ailsa from the Yealink technical support team. We treat your hacker attack as highest priority.
I want to check the attack issue scenario with you.
1. Your phone has a public address
2. You have a strong admin password and user password
3. The hacker forwarded line 1 to 011970597202522
4. And remote-controlled line 1 to call out?

Correct on 1-3. I'm not sure I understand what you mean by 4. The phone's configuration was compromised, but I found nothing in my ITSP logs to indicate any outbound calls were made, if that's what you're asking. I simply noticed that the phone was set to forward (arrow indicator in upper right corner) and the odd number, clearly neither of which I did.

Quote: In order to debug and avoid this kind of issue, please try the steps below:
1. Disable some settings in remote control and fill in the allowed IP address
<image003.jpg>

Ok, before we go much further, I need to make sure we are clear on something. The screenshot you reference is clearly to a phone running V71 firmware. At the time when my phone was compromised, it was running V70 (2.70.0.150) firmware. I have since updated the firmware to V71 (2.71.0.140), so it does NOW look like the screenshot you provided.

Quote: 2. Set strong and complex passwords for admin and user
3. Keep your password secret and set up a firewall if at all possible.

Already done other than firewall bit. Note the point of reporting this was that while best practice in a production environment would be to keep your VoIP phones behind a firewall on a segmented VLAN, this particular phone is my personal one used to connect to an ITSP for my use. And this is not an uncommon circumstance, hence my notifying Yealink of the issue as clearly there are problems with security as outlined online:

http://www.securityfocus.com/archive/1/529420
http://www.youtube.com/watch?v=2yN_-g-0PAk
http://www.youtube.com/watch?v=BjI5gkFUzOo
https://www.dropbox.com/s/hp5fj7e7o1mdny...sucks.pptx

Quote: 4. Please set syslog level 6 and export the syslog after the hacker does something to your phone. Then we can debug it at Yealink.
Thanks for your cooperation.
<image005.png>

Just a note here. It would be helpful if you explained where these particular settings are located, as your screenshot does not make that clear. It took me a while to find it under the 'Settings' tab, 'Configuration' submenu.

Quote: For the issue with V71, please reset to factory defaults and try again.

??? I'm not sure you are understanding what I have posted. Again, at the time when my phone was compromised, it was running V70 (2.70.0.150) firmware. I have since removed the forwarding number, changed the admin password on the phone to be safe, and updated the firmware to V71 (2.71.0.140). Thus far the issue has not recurred. I simply posted to inform Yealink of the issue. Googling later revealed what I found above in those links. My posts were a courtesy to Yealink that they have an issue that they need to address, as I'm sure many people have your phones and are still using vulnerable firmware versions.

Quote: 1. Do you upgrade the version using auto-provisioning?

No. I upgrade manually using the Web UI.

Quote: 2. Do you use the latest template of common.cfg? You can refer to the files below.
http://www.yealink.com/Upload/T2X/T2X-V7...ioning.zip
http://www.yealink.com/Upload/T2X/T2X-V7...71_141.pdf

Not sure if this applies since I'm using this particular T28 as an individual phone. It's not part of a larger set or being auto provisioned, etc.

Quote: 3. If the issue is still present, please supply us with config.bin and a level 6 syslog.
Before you export the syslog, please set the log level to 6, reboot the phone, then click Start and reproduce the issue, then click Stop, and export the syslog and config.bin to us.
You can also refer to the guide below.
ftp://Ailsa@ftp.yealink.com/How_to_get_t..._Trace.pdf

<image006.png>

Ailsa,

Do you need me to turn on the logging now that my phone is running V71 code? That is, is Yealink still having issues with this for users with V71 code installed? Or was all of this related to the fact that RPS was enabled by default in V70 firmware as indicated on slide 6 of the PowerPoint file referenced above? If there is still a security issue, I will do as you ask IF I ever find the phone compromised again.

For the moment, my phone is fine. It's running V71, has a new admin password, but for the rest is sitting exactly where it was when I found it compromised; i.e., it's on a public IPv4 address. So far, nothing has happened to the phone.

A VoIP phone SHOULD be safe in such a config. If this issue is as bad as it seems to be, Yealink needs to make it clear to customers what's involved and what needs to be done to secure the phones. While best practice is to layer security and protect the phones behind firewalls, that's no excuse for vulnerable firmware.

Finally, my comments below about my experience with the Web UI after upgrading to V71 (2.71.0.140) are not about security, but simply software bugs. The 'Advanced' submenus are coming up with blank pages. I suspect that's not what I should be seeing.


Quote: Best Regards

Ailsa Wu
Technical Support Engineer
Yealink Network Technology Co., Ltd.
Tel: +86-592-5702 000 ext:8519
Skype: ailsa.wu2
Email: ailsa@yealink.com
Website: http://www.yealink.com
Follow us on Twitter/Facebook for Yealink latest news!
<image001.png>

http://forum.yealink.com:81/forum/showth...hp?tid=812
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

In dealing with the hacking issue, I upgraded my SIP-T28P from V70 to V71 (2.71.0.140). However, there are clearly some bugs in the new Web UI.

For example, any attempt to visit the 'Account' tab | 'Advanced' results in a blank page. The same goes for 'Network' tab | 'Advanced'. All other tabs and subsections come up fine.

Other than these glitches, though, it's a very nice looking UI.


(Oh, and whoever configured the editor for this forum, none of the formatting buttons like bold or italic work. Just one more red flag.)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This isn't restricted to the W52P. I have a Yealink SIP-T28P which apparently has suffered a similar fate. I just noticed this tonight, which eventually had me Googling and landing on this thread. Only in my case, line 1 was forwarded to 011970597202522. If I read this right, that's an international number (011) in Palestine (country code 970).

As for my SIP-T28P, it's running

Firmware Version 2.70.0.150
Hardware Version 1.0.0.4

The unit sits on a publicly accessible IP address, but much like frankc, I use rather cryptic passwords.

It would be very nice if Yealink would not only address the issue, but inform its customers as to the exact nature of this hack.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10-27-2013 12:23 PM
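The thread's one concrete indicator is a call-forward destination the owner never set (line 1 forwarded to 011970597202522, which the poster reads as 011 international prefix plus country code 970). The check below, added here as an example and not code from the post or from Yealink, shows how an operator exporting a phone's forward settings could flag that kind of change automatically. It assumes a North American phone (international prefix 011, home country code 1) and uses a small constructed subset of the E.164 country-code table; the snapshot dictionary and its line names are constructed for the example, not Yealink config keys.

```python
"""Flag VoIP call-forward destinations that look like toll fraud.

Added example; not code from the forum post or from Yealink. Assumes a NANP
phone (international prefix 011, home country code 1). The country-code table
is a constructed subset for illustration; a real check needs the full E.164 list.
"""
from typing import Dict, List, Optional, Tuple

# Constructed subset of E.164 country codes for the example only.
COUNTRY_CODES = {
    "1": "NANP (US/Canada)",
    "44": "United Kingdom",
    "49": "Germany",
    "970": "Palestine",
    "972": "Israel",
}

# Dial strings that mean "an international number follows": 011 on a NANP
# phone, 00 in most of the rest of the world, + in E.164 notation.
INTL_PREFIXES = ("011", "00", "+")


def parse_forward_target(number: str, home_cc: str = "1") -> Tuple[Optional[str], str, bool]:
    """Split a dialed destination into (country_code, subscriber_part, is_international).

    country_code is None when an international prefix is present but the code
    that follows is not in the table.
    """
    digits = number.strip().replace(" ", "").replace("-", "")
    for prefix in INTL_PREFIXES:
        if digits.startswith(prefix):
            rest = digits[len(prefix):]
            # Country codes are 1 to 3 digits; try the longest first so that
            # "970" is not matched as "9" or "97".
            for width in (3, 2, 1):
                cc = rest[:width]
                if cc in COUNTRY_CODES:
                    return cc, rest[width:], cc != home_cc
            return None, rest, True
    return home_cc, digits, False


def assess_forward(number: str, allowed_ccs=("1",), home_cc: str = "1") -> dict:
    """Return a verdict for one forward target taken from a phone's configuration."""
    if not number.strip():
        return {"number": number, "country_code": None, "subscriber": "",
                "suspicious": False, "reasons": ["no forward set"]}
    cc, subscriber, intl = parse_forward_target(number, home_cc)
    reasons: List[str] = []
    if cc is None:
        reasons.append("international forward with unrecognised country code")
    elif intl and cc not in allowed_ccs:
        reasons.append(f"international forward to {COUNTRY_CODES[cc]} (+{cc})")
    return {"number": number, "country_code": cc, "subscriber": subscriber,
            "suspicious": bool(reasons), "reasons": reasons}


def audit_lines(forwards: Dict[str, str], allowed_ccs=("1",)) -> List[Tuple[str, dict]]:
    """Audit a {line_name: forward_target} snapshot and return the suspicious lines."""
    findings = []
    for line, target in forwards.items():
        verdict = assess_forward(target, allowed_ccs)
        if verdict["suspicious"]:
            findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    # Constructed snapshot modelled on the post: line 1 forwarded to the
    # number the author found, line 2 untouched.
    snapshot = {"line1": "011970597202522", "line2": ""}
    for line, v in audit_lines(snapshot):
        print(f"{line}: forward to {v['number']} -> {'; '.join(v['reasons'])}")
```

Running the snapshot above reports line 1 as an international forward to Palestine (+970) and stays quiet on line 2. The allowed-country list is deliberately an allowlist rather than a blocklist: a phone that only ever forwards domestically should alert on any international destination, not just on the one seen in this incident.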