I am using cnPilot R201 Router + ATA for my customers.
If I put the WAN in PPPoE mode with a direct public IP address on the router, the SIP account is hacked and someone calls all around the world. I have changed the password of the router and the SIP account. I am using firmware 4.3.4-R8 but without success.
Has anyone had the same experience? Any solution?
Refer to the KB document below on potential security considerations when putting the device in PPPoE/DHCP mode with a direct public IP address.
Please make sure that the user/ISP changes the username/password for the different user types (Admin, Normal, and Basic) and the READ/WRITE community string to non-default values in the router.
One of our CNPilots with SIP registration was hacked (registration directly on the router).
I need Cambium to encrypt the configuration passwords if the configuration is downloaded!!!
Tell me that in the next firmware of the various CNPilot all passwords will be encrypted... please...
Isn't the DBID_SIP_PASSWORD value hashed?
Could this be easily reversed?
I know that if someone has access from the internet to a SIP CPE, the typical hack is to put a call forwarding to an overseas destination to connect it.
The possibility to get complete SIP credentials is critical.
Is this really possible with these devices and the actual vulnerabilities?
I wish to understand whether all of you are following the recommendations in the Knowledge Base article pointed to by Niraj above and still seeing the issues? Or is it that you use default credentials, and/or WAN side access is open?
We read that page too late.
In any case, I wanted to point out this thing:
- When placing the IP in the SNMP field, the router should only accept TRAP from that IP, while it accepts TRAP from everyone externally. The same thing, I think, applies to SSH / Telnet.
Cambium should therefore restrict access to a certain service only to the IP entered.
In our case, for those routers, we do not have default credentials but WAN access is open to the world (that is...).
In my experience with other brands of ATA, when someone gains access to the device, for the VoIP side config, just a call forward is possible, not the SIP credential theft. Someone says it is possible to export the clear password. Is this right? In my export file I see them hashed.
What about this scenario with 4.2.2 and 4.2.3 fw?
With regards to your comment on the Trap Server address field, the purpose of this is only to send SNMP Trap notifications from the device to a Trap Server.
This does NOT restrict SNMP SET/GET from any remote machine, as long as the operator knows the public/private community strings configured on the device.
The same is the case with SSH: if remote SSH (over WAN) is enabled on the device, then any remote machine would be able to access the device, provided they have the login credentials.
Let me know if you meant something more.