Obihai is deleting unwanted topics

[carl]

While the OBi can happily work behind a firewall, a firewall should not be required in order to assure protection of the device. What about remote users who have the OBi connected directly to a modem?

Not always. My Obi works fine behind a firewall with Google Voice  but there was nothing I could do with the 3600 HGV to let it work properly with Localphone,  with the result that my Obi is in DMZ and open to such possible attacks.
I am not overly concerned with Obihai's  access to my device nor with privacy which is quite an elusive thing in these days and latitudes, but I definitely think that Obihai should spend some effort in order to make the device secure from hackers.

[Mango]

While the OBi can happily work behind a firewall, a firewall should not be required in order to assure protection of the device. What about remote users who have the OBi connected directly to a modem?

I wouldn't suggest you run a VoIP device - or any Internet-connected device for that matter - without a firewall.

[ProfTech]

With Voice Services -> ObiTalk -> Enable -> UNchecked, dialing **5 alone is harmless. After a few seconds the Obi plays Fast Busy [error] and does nothing, as it should.

Update; I also tried **5 + [random 4 digit #] and did not see any changes in any Obi settings, even after a manual reboot.

[RonR]

With Voice Services -> ObiTalk -> Enable -> UNchecked, dialing **5 is harmless. After a few seconds the Obi plays Fast Busy [error] and does nothing, as it should.

Of course.  But try **5 + 4 or more digits and watch with Wireshark.

[RonR]

Update; I also tried **5 + [random 4 digit #] and did not see any changes in any Obi settings, even after a manual reboot.

Correct.  But if you send the 4 digits that the OBiTALK Web Portal is expecting for an Add Device, the OBiTALK Web Portal can still take control of your OBi even though you have Voice Services -> ObiTalk -> Enable -> UNchecked.

[MichiganTelephone]

Update; I also tried **5 + [random 4 digit #] and did not see any changes in any Obi settings, even after a manual reboot.

Correct.  But if you send the 4 digits that the OBiTALK Web Portal is expecting for an Add Device, the OBiTALK Web Portal can still take control of your OBi even though you have Voice Services -> ObiTalk -> Enable -> UNchecked.

Oh, get real.  First of all, sending a firmware update (even one you may not have expected) is not the same as "taking control of your Obi" except in your paranoid way of thinking.  Second, only an idiot would dial **5 plus the four digit code that the Obihai portal expects if they did not want to use the Obihai portal to manage their device.

You have beat this horse until it is dead and rotting, and now that it has been shown how to disable Obihai's access to your device (unless you go out of your way to re-enable it) you seem to be grasping for any straw to make the case that Obihai is doing something bad.  Now it appears you are at the point where you are saying that if someone deliberately tries dialing something that is only normally used to associate an Obihai device with the OBiTALK portal, they should be upset if it actually does get associated with the OBiTALK portal and the portal functions as intended.

If you hate Obihai so much — and you really must, considering the way you are always backstabbing them on BroadbandReports (and possibly other places we don't know about) — why don't you sell your Obihai devices and make a graceful exit, instead of sounding like a nagging wife that has grown to hate her husband, but would rather torment him than get a divorce?

I think you fail to understand that probably 99% of Obihai users really don't care if Obihai sends them a firmware update that fixes a problem.  It's only the people who have taken your bad advice, and a few other more technically oriented types, that would even try to disconnect from using the OBiTALK portal (not counting service providers here because they probably already knew about this) and even many of those people probably wouldn't really care if they received a firmware update, as long as it doesn't break anything.  So you have the handful of people who do have a valid reason for not wanting a firmware update, plus perhaps a few others who have an unreasonable paranoia, and it always amazes me that the latter group has an Internet connection to begin with.  They'd really be freaking out if they only knew what information their web browsers are sending out!

Whose interests should Obihai be more concerned about, the ~99% that just want their devices to keep working with minimal intervention on their part, or you and the handful of others that think like you, or that you have influenced?  Believe it or not, keeping you happy is probably NOT Obihai's primary concern.

It seems to me like there are a handful of people at most that are still really concerned about this — I keep seeing the same few names on posts that are still raking the muck over this issue.  The rest of the Obihai users just don't care, because they aren't like you.  For one thing, they want to use the OBiTALK portal because it makes it so much easier to configure their device, and for another, they might actually see it as an advantage if Obihai is proactive about keeping their devices working correctly.  Now, you might say "but I don't want Obihait to do that on my device!"  Well, fine, you now know how to disable Obihai's access to your device.  But if you still don't trust Obihai, there's always eBay or Craigslist — use one of them to sell your devices and find some other device manufacturer to stab in the back (and I suspect you would).  Or, you could try just giving it a rest already, and not being so damn annoying!

[VaHam]

I had hoped to avoid giving hackers ideas but it seems that the concern of some here is being missed; so I will spell it out.

Since as Sherman stated OBiHai does not "use" (read that as honor) the allow firmware upgrade and allow Remote Provisioning control bits as evidenced by the fact **5nnnn works even when the control bits have both been disabled locally this means that any server spoofing the OBiHai server could do the same thing after cracking the OBiHai authorization scheme provided they have access to the proper ports.  I will not go any further in talking about how that may accomplished; but I can envision scenarios where this can take place.  As someone pointed out being behind a good firewall is a great layer of security; but even that cannot be 100% since the OBi device has to have some port(s) open, at least at times, in order to function as a VOIP device and no I will not discuss that any more; those of you who understand probably already know about such things.

The assumption is that issuing the **5nnnn, by the connected phone, is the only method which would allow a sequence of commands between the OBi device and the server is to perform firmware upgrades or provisioning or as we have seen even re-enable the control bits.  I am not convinced this is the case.  The only way to be certain would be if OBiHai honored the control bits themselves internal to the code running on the OBi device.

You need only to look at the methods used to unlock SPA2102 to see how to do that sort of thing by making a device think it is connecting to a provisioning server.

Yes I realize that for this to take place remotely DNS modification would be required but if you think this is not possible then you should take a look at https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS and study the background surrounding that issue.

Call it paranoia, if you will, however I have been around long enough to know that if there is a way, there there is a will to exploit it by some; who are willing to go to great lengths to do so.  Scrutiny normally makes products better.

Does having the ability to perform a remote firmware upgrade constitute taking control?  Well if someone can change your firmware then yes they have completely taken control.

I can understand why OBIHai designed their software to be able to regain control even though the control bits have been set by the user to dis-allow this.  It is so that non-savvy users who have disabled these can be accommodated in spite of themselves. 

IMHO this does leave a potential security hole no matter how small which could be plugged with a very simple change to the OBi devices internal software; namely honoring the control bits absolutely. (including when connecting to the OBi servers)

I love my OBi's and I want them to continue to be GREAT devices!!!!!!

[Mango]

I agree with you on principle about how the devices should function.  However...

As someone pointed out being behind a good firewall is a great layer of security; but even that cannot be 100% since the OBi device has to have some port(s) open, at least at times, in order to function as a VOIP device

As long as you're not using manual port forwarding or DMZ, and your router uses restricted cone NAT, the ports would be open only to your VoIP provider, and the router should still block incoming traffic from other sources.

Yes I realize that for this to take place remotely DNS modification would be required but if you think this is not possible

It's certainly possible.  The bigger issue is that if I'm using rogue DNS, I've already been compromised.  Yes, a cracker could access my OBi device, but they could also access every other VoIP device I use, and any other device on my network.

[RonR]

Does having the ability to perform a remote firmware upgrade constitute taking control?  Well if someone can change your firmware then yes they have completely taken control.

I've posted about this in the past, but those posts were quietly deleted with no comment or explanation.

The capability in question is not simply one of being able to remotely update the firmware.  The code present in the OBi firmware allows Obihai to read (i.e. view) and write (i.e. change) all configuration settings (and presumably, any or all of the OBi's contents).  This capability exists even though ALL Auto Provisioning options are set to Disabled and a strong Admin password is in place.  This is not simply conjecture.  This comes from first-hand personal experience.  Although we're now told that disabling the OBiTALK Service (previously thought to be used only for OBi-to-OBi calls) will prevent such access, there's no way at this point to actually prove it with 100% confidence.

I've also stated in the past and want to reiterate that I'm not accusing Obihai of ever being involved in malicious behavior.  The problem is that without clear disclosure and the ability to confidently opt out of such a capability, the possibility for abuse by a rogue employee, a security breach within Obihai, or hacking exists.

[VaHam]

I agree with you on principle about how the devices should function.  However...

As someone pointed out being behind a good firewall is a great layer of security; but even that cannot be 100% since the OBi device has to have some port(s) open, at least at times, in order to function as a VOIP device

As long as you're not using manual port forwarding or DMZ, and your router uses restricted cone NAT, the ports would be open only to your VoIP provider, and the router should still block incoming traffic from other sources.

The key word there is should

If your router or any upstream DNS were infected with a rogue DNS (as some have been - ref: the fbi article) then the culprit could also masquerade as your voip provider. Again I think we both agree that having a good firewall is a sound practice for providing a layer of security; but it is only one layer.  Most folks also have a second firewall running on their desktop computer (a second layer of defense).  If all routers were perfect then the firewall on your desktop would be totally unecessary; alas they are not all perfect and hence IMHO having the firewall on my desktop is a valuable additional layer of security.

Do I view the way the OBi's are currently configured as some big security hole? Centainly not  Do I think the minor weakness could be addressed? Yes

Yes I realize that for this to take place remotely DNS modification would be required but if you think this is not possible

It's certainly possible.  The bigger issue is that if I'm using rogue DNS, I've already been compromised.  Yes, a cracker could access my OBi device, but they could also access every other VoIP device I use, and any other device on my network.

I agree that any other device on your network may be accessable but not that the culprit would have access to make any changes to the other devices configurations.  Whether or not your other devices are susceptible to being compromised would be up to the design of those devices.  A well designed device should itself have a layer of security internal to that device, just as your desktop computer uses a firewall.

The best method of assuring a devices security is to dis-allow modifications without physical access to the device. (i.e. pressing a button or having a jumper etc. on the device before allowing firmware updates).  The next best thing would be to have a permission bit (honored by all) to allow webaccess to the device only from the sub-net the device is located on and honoring the permission bits for updates and provisioning. The latter could be implemented by OBiHai in a software update if they so chose. Both methods would allow the user/owner to make choices on whether they want to receive automatic updates or not.

And everyone should test their DNS security frequently but I doubt that many do.

[jimates]

I know in the past when an Obi had trouble, Obihai has only ask for an email including the Obitalk # for the device. They never asked to set provisioning in a certain way, just provide the number. This did suggest that they had a way to access the device with minimal effort, and without proprietary settings on the device. If that is bad (for anyone in particular), then so be it.

For those that do not use google voice, and those that do not want Obihai to update your firmware, perhaps the new knowledge for settings will help.

This recent occurrence involved only a google voice problem. If google was really providing a service they may have fixed themselves (or not caused it in the first place). Personally, I prefer my device remain operable with google voice, even if that mean letting Obihai maintain it for that purpose. And considering all the info I knowingly put out to the world, I can't think of anything anyone could get through my Obi device that would be detrimental.

[VaHam]

I know in the past when an Obi had trouble, Obihai has only ask for an email including the Obitalk # for the device. They never asked to set provisioning in a certain way, just provide the number. This did suggest that they had a way to access the device with minimal effort, and without proprietary settings on the device. If that is bad (for anyone in particular), then so be it.

For those that do not use google voice, and those that do not want Obihai to update your firmware, perhaps the new knowledge for settings will help.

This recent occurrence involved only a google voice problem. If google was really providing a service they may have fixed themselves (or not caused it in the first place). Personally, I prefer my device remain operable with google voice, even if that mean letting Obihai maintain it for that purpose. And considering all the info I knowingly put out to the world, I can't think of anything anyone could get through my Obi device that would be detrimental.

As you pointed out the settings do not prevent OBiHai or under certain rare circumstances (as we have beat to death) others from modifying the software on the OBi device.

If your only using Google Voice then probably not much damage could occur if someone gained control of your OBi; however if you use any paid sip provider then this is another matter.  If they gained access and starting routing calls using your sip information then you'd get a bill for the use.

It is for that reason I only use pay as you go sip providers and never select auto pay.  That way my liability is limited to the amount of funds I place into the account.  Just another layer of security against a $100,000 phone bill.

[Ostracus]

You might want to read the comments and take that article with a grain of salt.

[nmssystems1]

I think it is great that they fixed there own service obi talk.. i use obi talk at 30 plus sites in fact it was the only thing working last week. when the gv died.. i knew that when i setup this phone system. that is why i have all the office call office to office using the obi talk service.. it should always work it is  part of the service that obi takes care of.. i understand that they can make changes to the device to make sure that the obi talk service works.. in fact i am glad they do take such action to make sure there obi service is up and runing all the time.. as far as the post being removed.. i understand that calling a back door in a device that has service from a vendor it not correct.. if you have the service obi talk and take advantage of the service on the device then you can expect they will make changes to the deivce or service any time they want..

so the admin was correct in removing the post and in explaining how the obi talk service works..

[MichiganTelephone]

I'm really surprised they don't delete more of RonR's posts.  He may be a knowledgeable user in some areas (such as Obihai dial plans) but it is obvious he is no friend of Obihai.

The thing is that there is a small percentage of users, I'd guess under 10%, that are what I would classify as paranoid about security.  They think you cannot possibly be too security conscious.  These are people who would sacrifice usability for security.  Every time they see an article where someone, somewhere in the world got hacked, they think they're next.

But the vast majority of people prefer usability to security.  To prove that you only need look at the relative acceptance of Windows vs. Mac OS X or especially Linux.  And while you could argue that OS X is getting more popular, that also has to do more with relative usability than with any sudden desire for increased security.  But at this point Windows is still the most popular OS, even though it's widely recognized as the least secure.  If the average user were more concerned about security than usability, Linux would have been the dominant OS a long time ago.

When it comes to a VoIP device, the vast majority of people just want it to keep working, and appreciate the update.  In fact, if Obihai could guarantee that an update couldn't "brick" a device (because the power just happened to get disconnected in the middle of an update), I'd have no problem with them sending every firmware update automatically.  So you have the vast majority of people who appreciate such updates, and a handful of complainers that are going to gripe about it.  Which group should Obihai cater to?  It's pretty clear that from the beginning they have wanted to create a device that average users (those without a lot of technical knowledge of VoIP) could set up and use.

Maybe guys like RonR will deem the Obihai too "insecure" for his tastes, since he seems to dwell on the negative and envisions bad things that might happen (the "if this, then that" fallacy, where in reality "that" does not, and in all probability never will, follow "this").  In that case, there are other VoIP devices out there that he could try; perhaps one of those would better meet his needs (personally I doubt it — I suspect he'd find some reason to complain about whatever device he uses).  But if Obihai had let almost their entire user base remain in a state where their devices would not work as expected until they figured out that they needed to upgrade their firmware (since I suspect that most of the people that have purchased an Obihai have done so to use it with Google Voice), I suspect you'd have seen a lot more people badmouthing the Obihai as unreliable over the last few days.

Please keep in mind that Obihai has to think about their entire user base, not just a few vocal complainers.  I'm not saying that they shouldn't attempt to satisfy as many users as possible, but sometimes if you do something that makes one group happy, it ticks off another.  Look at Microsoft, they have grudgingly attempted to tighten security a bit, but I doubt they will ever adopt the cumbersome permissions/ownership security of Linux/Unix (OS X uses it too, but has been more successful in insulating users from it).  They know who their users are and what they want, which is a computer that's as easy to use as possible.  I think perhaps that's the market Obihai is trying to capture as well, not necessarily the "security paranoid" types.

If I report a problem, I want Obihai to be able to look inside my device and figure out what's wrong and fix it, and I really don't care if I don't have to flip some switch or set some bit — in fact, I'd prefer it if I didn't have to.  If something that Google does requires a firmware update, I want Obihai to be able to send me the fix, and I might even prefer they do it before I miss any incoming calls because I don't know the problem exists.  If someone strongly feels otherwise, and doesn't fully trust that the method Obihai has given for disabling such access will work, then perhaps they are in the same boat as the person who refuses to run Windows and will only use Linux because they just don't trust Windows.  I'm not saying they are wrong, but they need to be realistic and understand that most people do not share their viewpoint.

Maybe someday, someone will come out with an open source VoIP adapter with airtight security, and it will take 10 years to get 5% of the VoIP adapter market (if what has happened with Linux is any guide).  But I don't think that is the market that Obihai is aiming for.

(And no, I don't run Windows - I have machines with both OS X and Ubuntu Linux.  I'm just making a point here.)

[Ostracus]

Hmmm, there just might be Linux under the hood.

[nmssystems1]

arm processor custom image.. and hardware interface to that kernel image.. for the obi..device..

then all the features that we pay nothing for after we buy the device and the upgrades..are free..

man what do people expect.. i wonder some days how much work that people expect for an admin or a company to do now days.

man these people should buy a piece of cisco gear some time..and see how much the maintance contracts alone cost..lol

may the force be with obi staff .. you work is not in vain and i am proud to use your product and recommend it to others..

[lhm.]

Good points made by each and every poster. (excluding myself)

Are we done here?

[Lavarock7]

Correct.  But if you send the 4 digits that the OBiTALK Web Portal is expecting for an Add Device, the OBiTALK Web Portal can still take control of your OBi even though you have Voice Services -> ObiTalk -> Enable -> UNchecked.


Then just add an IP block in your router... Your Obi will never be able to contact earth!

[VaHam]

In my opinion attempting to degenerate people who are discussing technical issues by using terms such as ("paranoid about security", "handful of complainers that are going to gripe", "dwell on the negative", "a few vocal complainers") is uncalled for. Genuine skepticism is very good thing and often leads to better ideas and products. From the preceding link

"Pseudo-skeptics often are typically disbelievers - i.e. they are firmly entrenched in believing "no" about certain things. Although they may "claim" that they are open to new information, they typically react with strongly unfriendly if not hostile criticisms when their beliefs and assumptions are challenged by new ideas and evidence."

Now back to technical issues!

First with regard to the notion that security conscious folks are paranoid, the old cliche comes to mind. Just because your paranoid doesn't mean there not out to get you.  There are in fact many examples out there of people incurring costs as a result of voip hacking.  Googling the terms "voip hack phone bill" yields over 1,450,000 links many many of which discuss real life instances where damage has been done. 

I know for a fact, from my system logs, that my own home systems have been scanned by hackers looking for voip vulnerabilities. The following links also appear to deal with voip security concerns:

http://michigantelephone.wordpress.com/2011/04/30/do-you-use-webmin-to-configure-iptables-and-also-run-fail2ban-dont-forget-to-do-this/
http://michigantelephone.wordpress.com/tag/security/
http://michigantelephone.wordpress.com/2010/11/16/link-interesting-security-technique-for-asterisk-and-freepbx-users-may-work-with-other-sip-based-pbxs-also/

Most savvy people in addition to placing their PBX servers behind router firewalls use iptables (firewall) running on their servers and fail2ban to detect attacks and other techniques to enhance their security.  I think the ratio of those savvy folks who are concerned enough about security to protect their PBX systems against attack to those who do not, would be more on the order of >90% who do to <10% who do not.

Regarding the issue of usability vs security

I certainly would agree that most people would choose to have good usability.  Security, problem detection/correction and functionality are all key to maintaining good usability and need not be mutually exclusive.

When questioned regarding how to control if and when updates occur the following statement was made:

To answer questions from RonR and VaHam...

The following parameter settings will disable OBiTALK services.
System Management -> Auto Provisioning -> OBiTALK Provisioning -> Method : Disabled
Voice Services -> OBiTALK Service -> Enable : (unchecked)

Auto Firmware Update & ITSP Provisioning are parameters used primarily by ITSPs (and managed services VARs). OBiTALK does not use either of these parameters.  Some individuals & organizations may use the Auto Firmware Update as described in this FAQ: Click Here

This statement is of coarse true and if one is not using the ObiTALK service then presumably (and as Mango's tests have confirmed) the Obi device does not attempt to connect the mothership (ObiHai's server).  If the device is not connecting then it's current ip address is not being reported to the ObiHai server and thus an update push cannot occur because OBiHai would not know what ip to send the push to. 

Now think about Ron's test which have been confirmed by others that a **5nnnn does not in and of itself changed the ObiTALK Provisioning or  ObiTALK Voice Services enable bits on and yet the ObiHai device gets provisioned.  Provisioning is a broad definition which in this case includes the ability to perform firmware update.  ObiTALK provisioning is a separate function from use of the ObiTALK service.  It appears to be that under normal circumstances the ObiTALK provisioning control bit is honored by ObiHai and when a new update is available that fact is displayed on the ObiTALK control webpage.  The user can then at their discretion click and begin a firmware update.  That decision however of whether to honor the control bits or not has to be taking place on the ObiHai servers and not in the devices firmware.  IMHO that decision should take place in the devices firmware and if auto provisioning is dis-allowed then no firmware update should be possible by anybody.  Apparently, although the ObiTALK auto provisioning and ObiTALK service are two separate functions, ObiHai has chosen to not allow the use of the OBITALK service without having the ability to auto provision so even if the ObiTALK provisioning bit is disabled under some circumstances such as last week they can push an update (provided of coarse they can find the ip address of the Obi to push the update to) at least that is what I deduce from Sherman's comments.  I would be interested to hear if any folks who had the ObiTALK auto provisioning disabled but the ObiTALK service enabled received a push last week or not. 

These decisions on how to act on control bit settings could easily be taken care of in the device itself instead of at the server.  Thus no usability or functionality would be changed, but control of whether automatic updates take place or not, would be firmly in the hands of the customer where they can make their own choices.
 
I would have no problem with the ObiTALK auto provisioning and ObiTALK service control bits being enabled by default (as delivered), as a direct function of a **5nnnn or even with a firmware reset; provided the decision took place in the device itself, thus making certain that there are no ways for the devices to be modified without the users control ("back doors") if you will.  Upon a power up I would expect them to be unchanged.

As MichiganTelephone eluded to in his statement " if Obihai could guarantee that an update couldn't "brick" a device (because the power just happened to get disconnected in the middle of an update), I'd have no problem with them sending every firmware update automatically".  Which is an excellent reason why automatic (server push) firmware updates should not take place; since ObiHai has no practical way of knowing the current circumstances at the Obi device's location. If your in the middle of a big thunder storm performing a firmware upgrade would not be a wise thing to attempt, if you wish to avoid bricking your device.  Now if I got my Obi's for free, or ObiHai agreed to replace any devices which became bricked during a server push firmware update I would not be concerned about that aspect of server push updates.

If the user, say has a UPS in place and is comfortable with accepting the risks associated with receiving automatic updates then they could also choose to turn on ObiTALK provisioning, which should be honored by ObiHai, and the push would take place without them being aware of it.  I think that should be up to the user to decide absoultely.   

The question was raised about promptly dealing with wide spread problems.  One method would be to blast a phone message to ObiTALK service users to inform them that an update was available.  The ObiTALK service has to be working in order for ObiHai to push out an update why not use it to inform the users, at least those using the ObiTALK service.

I would suggest a better method of dealing with that situation would be to send an email to all  customers informing them of the problem and notifying them that an update is available.  This method would help all and not just those customers using the ObiTALK service of the problem/solution.  The update could then be performed by the user when practical for them (like when the thunder storm has passed) either thru the webpage or by dialing **X to trigger an update.

A combination of the voice blast and email would be even better since it would cover those who had immediate access to either the Obi's phone line or email if they for instance are mobile at the time and receive their email via cell phone etc.

Even the evil Microsoft allows users to choose their own settings for automatic updates.  The user can opt not to receive them at all, receive them but not install them automatically or receive them and install them automatically.  But it is the customers choice!!!!!

There are many ways to skin a cat and if you can accommodate all, fairly easily, without sacrifice to others then I would suggest that is the best scenario.