The flaws affect the company’s global automatic configuration service, which provides VoIP phones with login credentials, phone books and call lists.
IT security firm VTrust has uncovered a vulnerability in the automatic provisioning service of VoIP phone maker Yealink. VTrust’s research indicates that the company’s entire product line is susceptible to the flaws, since the provisioning method is shared across all of its models. Yealink, a favorite choice for providers of cloud telephony services, is among the market leaders in its field and one of China’s most successful companies, with a net income of 129 million US dollars in 2018.
Because the flaws can be exploited remotely, via the Internet, they raise grave concerns for IT security and have serious implications for privacy protection as well. While attackers can’t access Yealink phones directly, they can still swipe users’ login credentials, phone books, caller lists, programmed shortcuts and other user-specific information by hijacking the service. Potential applications range from unauthorized use of a subscriber’s VoIP account, resulting in exorbitantly high phone bills, to industrial espionage.
VTrust approached c’t with their findings in November 2019, demonstrating an attack using several Yealink phones and a number of VoIP accounts. c’t subsequently reached out to Yealink to bring the vulnerability to the company’s attention. However, several emails to the sales and support departments remained unanswered for over two weeks, despite the fact that we emphasized the severity of the flaws.
It wasn’t until c’t emphatically requested to be given a contact through Yealink’s Facebook page that the company reacted and named a person in charge. The firm claims work on a fix has been given the highest priority and has meanwhile received detailed technical information on the exploit from VTrust. At the same time, VTrust reached out to more than 20 German VoIP providers that use or support Yealink products and may thus be affected by the flaws, sending them emails, faxes or registered letters by mail. Only three replied.
As of today, two months after our initial contact with Yealink, the company has yet to fix the flaws, find a viable approach to plugging the hole or at least mitigate the potential danger posed by the exploits. If nothing else, the company should easily be able to compile a list of companies that use the faulty provisioning technique and warn them about the vulnerability. To our knowledge, the company has taken no such steps.
VoIP Providers Can React – Users Not So Much
There isn’t much users of automatically configured Yealink phones can do to shield themselves, since the issue affects the server side of the mechanism. At least some VoIP providers offer an option to deactivate the automatic provisioning process through their customer portals. Even then it depends on the individual provider whether or not the vulnerable information becomes inaccessible to intruders.
VoIP companies, on the other hand, can take a few steps to counter the issue. After all, Yealink only specifies the provisioning technique, but not the server software. Among the possible emergency measures are monitoring access to the compromised services more closely and rate limiting to prevent mass requests. So far, none of the numbers c’t has seen are high enough to indicate active exploits. One of the providers that VTrust informed has countered the problem by introducing two-factor authentication.
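The monitoring and rate-limiting measures mentioned above need a concrete signal on the server side: a genuine phone only ever fetches its own configuration, so one client pulling configs for many different devices in a short window is what a provider would look for. The following added example (not code from c’t, VTrust or Yealink) flags such clients in a constructed access log; the log format and the `/prov/<device>.cfg` path are placeholders, not Yealink’s actual provisioning scheme.

```python
# Added example (not c't/VTrust/Yealink code). Log format and the
# /prov/<device>.cfg path are constructed placeholders, not Yealink's scheme.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client IP> <request path>".
# 198.51.100.7 sweeps six device configs in ten seconds; 203.0.113.5 is
# one phone fetching its own config twice; one line is unrelated traffic.
SAMPLE_LOG = """\
2020-01-15T10:00:00 203.0.113.5 /prov/device-0042.cfg
2020-01-15T10:00:01 198.51.100.7 /prov/device-0001.cfg
2020-01-15T10:00:02 198.51.100.7 /prov/device-0002.cfg
2020-01-15T10:00:03 198.51.100.7 /prov/device-0003.cfg
2020-01-15T10:00:05 203.0.113.9 /favicon.ico
2020-01-15T10:00:06 198.51.100.7 /prov/device-0004.cfg
2020-01-15T10:00:08 198.51.100.7 /prov/device-0005.cfg
2020-01-15T10:00:10 198.51.100.7 /prov/device-0006.cfg
2020-01-15T10:00:30 203.0.113.5 /prov/device-0042.cfg
"""
LINE_RE = re.compile(r"^(\S+) (\S+) /prov/(\S+)\.cfg$")

def parse_events(log_text):
    """Return (timestamp, client_ip, device_id) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not config downloads are ignored
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    events.sort()
    return events

def find_mass_requesters(log_text, window_seconds=60, max_distinct=5):
    """Return {client_ip: peak} for every client that fetched more than
    max_distinct different device configs within one sliding window.
    Many distinct device IDs from one address is the mass-request signal."""
    window = timedelta(seconds=window_seconds)
    per_client = defaultdict(list)
    for ts, ip, dev in parse_events(log_text):
        per_client[ip].append((ts, dev))
    flagged = {}
    for ip, reqs in per_client.items():  # reqs are already time-ordered
        peak = 0
        for i, (start, _) in enumerate(reqs):
            in_window = {dev for ts, dev in reqs[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged
```

Running `find_mass_requesters(SAMPLE_LOG)` flags only the sweeping client; the same per-client count can drive a rate limiter that rejects further config downloads once the threshold is crossed.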
If you are a provider of VoIP services and use Yealink’s provisioning method, you can get in touch with the author by email (firstname.lastname@example.org) or contact VTrust directly.
Update 02/07/2020 04:40 PM: Yealink has told c't that two-factor authentication is being worked on at full speed as a solution to the flaws. The manufacturer wants to speak to us again when further measures are in place.