VoIP Hacking

I am using cnPilot R201 Router + ATA for my customers.

If I put the WAN in PPPoE mode with a direct public IP address on the router, the SIP account is hacked and someone calls all around the world. I have changed the password of the router and the SIP account. I am using firmware 4.3.4-R8, but without success.

Has anyone had the same experience? Any solution?

Thanks.

We had exactly the same experience about 6 months ago with two customers, the only ones we used R201s with in PPPoE + ATA, and had two hacks hitting our fraud caps, luckily. We changed the SIP details and router login, changed the web GUI ports, etc. The same happened again.
Moved to using Patton ATAs on the LAN side.

Hi

Refer to the KB document below on potential security considerations when putting the device in PPPoE/DHCP mode with a direct public IP address.

Please make sure that the user/ISP changes the username/password for the different user types (Admin, Normal, and Basic) and the READ/WRITE community strings to non-default values in the router.

https://community.cambiumnetworks.com/t5/cnPilot-R-Series-Home-Small/Best-Practices-for-securing-your-R-series-WiFi-Routers/m-p/79608#M33

Regards

Niraj

One of our cnPilots was hacked via the SIP registration (registration directly on the router).

I need Cambium to encrypt the configuration passwords when the configuration is downloaded!!!

Tell me that in the next firmware for the various cnPilots all passwords will be encrypted... please...

Hi all,

Isn't the DBID_SIP_PASSWORD value hashed?

Could this be easily reversed?

I know that if someone has access from the internet to a SIP CPE, the typical hack is to set up call forwarding to an overseas destination to connect it.

The possibility to get complete sip credentials is critical.

Is this really possible with these devices and the actual vulnerabilities?


Hi,

I wish to understand whether all of you are following the recommendations in the Knowledge Base article pointed to by Niraj above and are still seeing the issues. Or is it that you use default credentials and/or WAN-side access is open?

thanks 

ashutosh

We read that page too late.

In any case, I wanted to point out this:

- When placing the IP in the SNMP field, the router should only accept TRAPs from that IP, while it accepts TRAPs from everyone externally. I think the same applies to SSH/Telnet.

[Screenshot: SNMP.png]

Cambium should therefore restrict access to a certain service only to the IP entered.

Hi,

In our case, for those routers, we do not have default credentials, but WAN access is open to the world (that is...).

In my experience with other brands of ATA, when someone gains access to the device, on the VoIP side of the config only a call forward is possible, not SIP credential theft. Someone says it is possible to export the clear password. Is this right? In my export file I see them hashed.

What about this scenario with 4.2.2 and 4.2.3 firmware?

Thanks for the input. I will get back to you shortly.

--

ashutosh

Hi

With regards to your comment on the Trap Server address field, the purpose of this is only to send SNMP Trap notifications from the device to a Trap Server. 

This does NOT restrict SNMP SET/GET from any remote machine, as long as the operator knows the public/private community strings configured on the device.

The same is the case with SSH: if remote SSH (over WAN) is enabled on the device, then any remote machine would be able to access the device, provided they have the login credentials.

Let me know if you meant something more.

thanks 

ashutosh 
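As an added example (not Cambium's firmware or tooling, and not code from anyone in this thread) of the point Ashutosh makes above, and of the community-string advice in the KB article Niraj linked: the only thing an SNMPv2c agent checks on a GET or SET is the community string, which travels in clear text in every packet, so the Trap Server address field cannot restrict who reads or writes the device. The script below hand-encodes an SNMPv2c GetRequest for sysDescr.0 with nothing but the Python standard library and reports which candidate community strings a WAN address answers. The UDP/161 port, the "public"/"private" candidates, and the probe/find_default_communities function names are assumptions made for this example; the sample response it checks itself against is constructed in the script, and it should only be pointed at CPEs you operate.

```python
"""Probe a CPE WAN address for SNMPv2c GET access with candidate community strings.

Added example, not Cambium code. SNMPv2c messages are BER-encoded by hand so the
script needs only the standard library. Assumptions (not from the thread): the
agent listens on UDP/161 and "public"/"private" are the factory defaults to test.
"""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0, readable with the read community
DEFAULT_COMMUNITIES = ("public", "private")   # assumed factory defaults to test for


def _tlv(tag, payload):
    """BER tag-length-value; long-form length for payloads of 128 bytes or more."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + payload


def _int(value):
    """BER INTEGER with minimal two's-complement length (non-negative values only)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.insert(0, arc & 0x7F)
        body += bytes(g | 0x80 for g in groups[:-1]) + bytes([groups[-1]])
    return _tlv(0x06, bytes(body))


def build_get_request(community, oid=SYS_DESCR_OID, request_id=0x1234):
    """SNMPv2c GetRequest: the community string is the only credential, sent in clear."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                       # { name, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def build_get_response(community, value, oid=SYS_DESCR_OID, request_id=0x1234):
    """Construct a GetResponse as an agent would send it (used for the offline self-check)."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value.encode()))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(data):
    """Return (community, error_status, value) from a GetResponse, or None if it is not one."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        return None
    _, _, p = _read_tlv(msg, 0)                  # version
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:                          # GetResponse-PDU
        return None
    _, _, p = _read_tlv(pdu, 0)                  # request-id
    _, err, p = _read_tlv(pdu, p)                # error-status
    _, _, p = _read_tlv(pdu, p)                  # error-index
    _, vbl, _ = _read_tlv(pdu, p)                # varbind list
    _, vb, _ = _read_tlv(vbl, 0)                 # first varbind
    _, _, q = _read_tlv(vb, 0)                   # name (OID)
    vtag, value, _ = _read_tlv(vb, q)
    text = value.decode("utf-8", "replace") if vtag == 0x04 else None
    return community.decode("utf-8", "replace"), int.from_bytes(err, "big", signed=True), text


def probe(host, community, timeout=2.0, port=161):
    """Send one GetRequest; return sysDescr text if the community is accepted, else None.
    Agents silently drop packets with a wrong community, so a timeout means 'rejected'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    parsed = parse_get_response(data)
    if parsed is None or parsed[1] != 0:
        return None
    return parsed[2]


def find_default_communities(host, communities=DEFAULT_COMMUNITIES):
    """Communities the agent answered to; any hit means the KB advice was not applied."""
    return [c for c in communities if probe(host, c) is not None]


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:                    # WAN addresses of CPEs you operate
        hits = find_default_communities(host)
        print(host, "accepts default community strings:" if hits else "no default community accepted", hits)
```

Run it as `python3 snmp_probe.py 203.0.113.10` against your own CPE WAN addresses; a router that answers "public" or "private" from an arbitrary source is readable (and, with the write community, configurable) by anyone on the internet, whatever the Trap Server field contains. The same reasoning applies to SSH and Telnet: the only remedy is to disable WAN-side management or to filter it upstream, since the device itself does not restrict by source address.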


@ashutoshdatta wrote:

Hi

With regards to your comment on the Trap Server address field, the purpose of this is only to send SNMP Trap notifications from the device to a Trap Server. 

This does NOT restrict SNMP SET/GET from any remote machine, as long as the operator knows the public/private community strings configured on the device.

The same is the case with SSH: if remote SSH (over WAN) is enabled on the device, then any remote machine would be able to access the device, provided they have the login credentials.


I believe it should limit access to the IP set (or at least add the option to do so).
If you do not want to choose this method, at least put a big warning on the page before other providers lose a lot of money.