I am using cnPilot R201 Router + ATA for my customers.
If I put the WAN in PPPoE mode with a direct public IP address on the router, the SIP account is hacked and someone calls all around the world. I have changed the password of the router and the SIP account. I am using firmware 4.3.4-R8 but without success.
We had exactly the same experience about 6 months ago with two customers, the only ones we used R201s with in PPPoE + ATA, and had two hacks hitting our fraud caps luckily. We changed the SIP details, router login, changed web GUI ports etc.; the same happened again. Moved to using Patton ATAs on the LAN side.
Refer to the KB document below on potential security considerations when putting the device in PPPoE/DHCP mode with a direct public IP address.
Please make sure that the user/ISP changes the username/password for the different user types (Admin, Normal, and Basic) and the READ/WRITE community strings to non-default values in the router.
I know that if someone has access from the internet to a SIP CPE, the typical hack is to set up call forwarding to an overseas destination to connect it.
The possibility of getting complete SIP credentials is critical.
Is this really possible with these devices and the actual vulnerabilities?
I wish to understand whether all of you are following the recommendations in the Knowledge Base article pointed to by Niraj above and still seeing the issues? Or is it that you use default credentials, and/or WAN side access is open?
- When placing the IP in the SNMP field, the router should only accept TRAP from that IP, while it accepts TRAP from all externally. The same thing, I think, applies to SSH / Telnet.
Cambium should therefore restrict access to a certain service only to the IP entered.
In our case, for those routers, we do not have default credentials but WAN access is open to the world (that is...).
In my experience with other-brand ATAs, when someone gains access to the device, on the VoIP side of the config only a call forward is possible, not SIP credential theft. Someone says it is possible to export the clear password. Is this right? In my export file I see them hashed.
With regards to your comment on the Trap Server address field, the purpose of this is only to send SNMP Trap notifications from the device to a Trap Server.
This does NOT restrict SNMP SET/GET from any remote machine, as long as the operator knows the public/private community strings configured on the device.
The same is the case with SSH: if remote SSH (over WAN) is enabled on the device, then any remote machine would be able to access the device, provided they have the login credentials.
I believe it should limit access from the IP set (or at least add the option to do it). If you do not want to choose this method at least put a big warning on the page before other providers lose a lot of money.
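Since the thread establishes that the Trap Server field does not filter who may reach SNMP or SSH on the WAN side, the source-IP restriction asked for above can be applied upstream instead. The ruleset below is an added example, not part of the thread and not Cambium configuration. It assumes a Linux-based edge router running nftables in front of the CPEs; the table and set names and all addresses are constructed placeholders.

```nftables
# Constructed example for an ISP edge router that forwards traffic to customer CPEs.
# 203.0.113.10    = placeholder address of the operator's management / NMS host
# 198.51.100.0/24 = placeholder range holding the CPEs' public WAN addresses
table inet cpe_mgmt {
    set mgmt_hosts {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }

    set cpe_wan {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to sessions the CPE itself opened (SIP registration, traps) pass.
        ct state established,related accept

        # Management protocols toward CPEs are allowed from the management host only.
        ip daddr @cpe_wan ip saddr @mgmt_hosts udp dport 161 accept
        ip daddr @cpe_wan ip saddr @mgmt_hosts tcp dport { 22, 23 } accept

        # Everyone else: SNMP GET/SET, SSH and Telnet to the CPEs are dropped,
        # regardless of what community string or password the sender knows.
        ip daddr @cpe_wan udp dport 161 counter drop
        ip daddr @cpe_wan tcp dport { 22, 23 } counter drop
    }
}
```

The web GUI is not covered here because its port was changed in the deployments described above; add whatever port it actually listens on to the TCP port sets.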