1558343887_1521453556_Yealink_RPS

 

 

News hit the internet Friday when IT Security Firm VT Trust announced major security flaws in Yealink's Redirection Service. Yealink is now the number 1 global manufacturer of VoIP phones edging out Polycom.

What is a reduction service exactly?

yealink rps diagram

To sum up the diagram above, most VoIP device and IOT companies have a "call home protocol" which when a device is brand new out of the box or factory reset and the device is connected to the internet it connects to a manufacturer server do see if instant provisioning information is available so that devices don't need to be manually touched to setup a configure each time before they get deployed out in the field.

So imagine you are rolling out a new phone system, phone service provider, meeting room system, or even Microsoft Teams and you or your provider has utilized the Yealink RPS for instance provisioning, what will get exposed is the provisioning URL that the phones need to download it's unique profile to connect to the service of your choice.

So why is this security flaw a problem?

Well, if someone where to gain access to download the profile that gets downloaded to a device to register to phone system in this case than usernames, server ip's and fqdn's, and all the other things required to make a phone work properly would then be exposed in many cases. Once someone has this information it can be exploited to do bad things.

  • In phone system / provider land, this leads to what usually starts as fraudulent calls or toll fraud that can rack up quite a big phone bill.
  • Of course, other things could be exposed such as access to voicemails, company directories, and other things like call logs, call recordings, and so on which are problematic in their own right especially in industries with regulations around this type of data being exposed.

One tactic we have seen in the past....

is once a provisioning directly the houses profiles for several devices is exposed, someone can sequentially go up in the mac address range for any manufacturer until they get positive hits in a brute force style way. These attempt are as simple as taking any web url, dropping it into a browser address bar and then sequentially changing the address by  1 character. Of course, if scripted this type of attack can take days, weeks, or months until positive hits are returned. Since this is not an authentication attempt a lot of systems out there don't have adequate security measures for this. 

Ok, so no big deal, change the url, or IP address, credentials, and move on.

Well, no so fast. First, that may not be very easy to do especially when you may not control the back end systems to make this change. Second, the MAC address of a phone is not something that can be changed! It is a permanent thing unless you plan to replace one or all of your devices. So, what do you do? Delete your RPS entries, re-configure / redploy the back end system, manually reconfigure all of your phones? 

Thoughts

Each service provider needs to do extra things to help protect this from causes larger issues if they have no already.

Here at bvoip we have multiple ways to help avoid an attack of this nature. 

Provisioning Platform that sits in front of the actual VoIP system 

Instead of pointing an RPS system directly to the UC, VoIP, or Phone System directly, bvoip has a provisioning platform that enforces certificate checking which means that the system will deny the ability for something other than the device belonging to the MAC address to download it's profile.

In a future update, you can even narrow which IP addresses you which provisioning pulls to come from in lieu of certificate checking to lock down where request can come from even further.

VoIP / PBX Security Measures

In 2018, bvoip released Barricade for all of our partners free of charge. This is bvoip's approach to limiting access to access any particular account or system to only known devices or IP address. This is 2-factor approach to VoIP security which many system don't have an answer for out there.

If an attacker is never able to access a provisioning director or be able to access the system itself then likely they will move on to other targets without security measures in place!

What's going to happen at Yealink?

We have already seen unannounced changes pop up which could change the way Yealink allows its RPS to be accessed and used. We don't know the full extent of these changes or how we will need to react to be able to work with their redirection service. So far the early changes seem to be that Yealink is going to limit phones to only access it's RPS from 1 IP address. That may cause an issue if phones are being deployed out in the wild behind dynamic IP addresses and needed to be reprovisioned for whatever reason. Time will tell how things will work moving forward.