Obihai is deleting unwanted topics
MichiganTelephone:
Quote from: RonR on May 12, 2012, 07:43:39 pm
Quote from: ProfTech on May 12, 2012, 07:18:24 pm
Update; I also tried **5 + [random 4 digit #] and did not see any changes in any Obi settings, even after a manual reboot.
Correct. But if you send the 4 digits that the OBiTALK Web Portal is expecting for an Add Device, the OBiTALK Web Portal can still take control of your OBi even though you have Voice Services -> ObiTalk -> Enable -> UNchecked.
Oh, get real. First of all, sending a firmware update (even one you may not have expected) is not the same as "taking control of your Obi" except in your paranoid way of thinking. Second, only an idiot would dial **5 plus the four digit code that the Obihai portal expects if they did not want to use the Obihai portal to manage their device.
You have beat this horse until it is dead and rotting, and now that it has been shown how to disable Obihai's access to your device (unless you go out of your way to re-enable it) you seem to be grasping for any straw to make the case that Obihai is doing something bad. Now it appears you are at the point where you are saying that if someone deliberately tries dialing something that is only normally used to associate an Obihai device with the OBiTALK portal, they should be upset if it actually does get associated with the OBiTALK portal and the portal functions as intended.
If you hate Obihai so much — and you really must, considering the way you are always backstabbing them on BroadbandReports (and possibly other places we don't know about) — why don't you sell your Obihai devices and make a graceful exit, instead of sounding like a nagging wife that has grown to hate her husband, but would rather torment him than get a divorce?
I think you fail to understand that probably 99% of Obihai users really don't care if Obihai sends them a firmware update that fixes a problem. It's only the people who have taken your bad advice, and a few other more technically oriented types, that would even try to disconnect from using the OBiTALK portal (not counting service providers here because they probably already knew about this) and even many of those people probably wouldn't really care if they received a firmware update, as long as it doesn't break anything. So you have the handful of people who do have a valid reason for not wanting a firmware update, plus perhaps a few others who have an unreasonable paranoia, and it always amazes me that the latter group has an Internet connection to begin with. They'd really be freaking out if they only knew what information their web browsers are sending out!
Whose interests should Obihai be more concerned about, the ~99% that just want their devices to keep working with minimal intervention on their part, or you and the handful of others that think like you, or that you have influenced? Believe it or not, keeping you happy is probably NOT Obihai's primary concern.
It seems to me like there are a handful of people at most that are still really concerned about this — I keep seeing the same few names on posts that are still raking the muck over this issue. The rest of the Obihai users just don't care, because they aren't like you. For one thing, they want to use the OBiTALK portal because it makes it so much easier to configure their device, and for another, they might actually see it as an advantage if Obihai is proactive about keeping their devices working correctly. Now, you might say "but I don't want Obihait to do that on my device!" Well, fine, you now know how to disable Obihai's access to your device. But if you still don't trust Obihai, there's always eBay or Craigslist — use one of them to sell your devices and find some other device manufacturer to stab in the back (and I suspect you would). Or, you could try just giving it a rest already, and not being so damn annoying!
VaHam:
I had hoped to avoid giving hackers ideas but it seems that the concern of some here is being missed; so I will spell it out.
Since as Sherman stated OBiHai does not "use" (read that as honor) the allow firmware upgrade and allow Remote Provisioning control bits as evidenced by the fact **5nnnn works even when the control bits have both been disabled locally this means that any server spoofing the OBiHai server could do the same thing after cracking the OBiHai authorization scheme provided they have access to the proper ports. I will not go any further in talking about how that may accomplished; but I can envision scenarios where this can take place. As someone pointed out being behind a good firewall is a great layer of security; but even that cannot be 100% since the OBi device has to have some port(s) open, at least at times, in order to function as a VOIP device and no I will not discuss that any more; those of you who understand probably already know about such things.
The assumption is that issuing the **5nnnn, by the connected phone, is the only method which would allow a sequence of commands between the OBi device and the server is to perform firmware upgrades or provisioning or as we have seen even re-enable the control bits. I am not convinced this is the case. The only way to be certain would be if OBiHai honored the control bits themselves internal to the code running on the OBi device.
You need only to look at the methods used to unlock SPA2102 to see how to do that sort of thing by making a device think it is connecting to a provisioning server.
Yes I realize that for this to take place remotely DNS modification would be required but if you think this is not possible then you should take a look at https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS and study the background surrounding that issue.
Call it paranoia, if you will, however I have been around long enough to know that if there is a way, there there is a will to exploit it by some; who are willing to go to great lengths to do so. Scrutiny normally makes products better.
Does having the ability to perform a remote firmware upgrade constitute taking control? Well if someone can change your firmware then yes they have completely taken control.
I can understand why OBIHai designed their software to be able to regain control even though the control bits have been set by the user to dis-allow this. It is so that non-savvy users who have disabled these can be accommodated in spite of themselves.
IMHO this does leave a potential security hole no matter how small which could be plugged with a very simple change to the OBi devices internal software; namely honoring the control bits absolutely. (including when connecting to the OBi servers)
I love my OBi's and I want them to continue to be GREAT devices!!!!!!
Mango:
I agree with you on principle about how the devices should function. However...
Quote from: VaHam on May 13, 2012, 09:53:26 am
As someone pointed out being behind a good firewall is a great layer of security; but even that cannot be 100% since the OBi device has to have some port(s) open, at least at times, in order to function as a VOIP device
As long as you're not using manual port forwarding or DMZ, and your router uses restricted cone NAT, the ports would be open only to your VoIP provider, and the router should still block incoming traffic from other sources.
Quote from: VaHam on May 13, 2012, 09:53:26 am
Yes I realize that for this to take place remotely DNS modification would be required but if you think this is not possible
It's certainly possible. The bigger issue is that if I'm using rogue DNS, I've already been compromised. Yes, a cracker could access my OBi device, but they could also access every other VoIP device I use, and any other device on my network.
RonR:
Quote from: VaHam on May 13, 2012, 09:53:26 am
Does having the ability to perform a remote firmware upgrade constitute taking control? Well if someone can change your firmware then yes they have completely taken control.
I've posted about this in the past, but those posts were quietly deleted with no comment or explanation.
The capability in question is not simply one of being able to remotely update the firmware. The code present in the OBi firmware allows Obihai to read (i.e. view) and write (i.e. change) all configuration settings (and presumably, any or all of the OBi's contents). This capability exists even though ALL Auto Provisioning options are set to Disabled and a strong Admin password is in place. This is not simply conjecture. This comes from first-hand personal experience. Although we're now told that disabling the OBiTALK Service (previously thought to be used only for OBi-to-OBi calls) will prevent such access, there's no way at this point to actually prove it with 100% confidence.
I've also stated in the past and want to reiterate that I'm not accusing Obihai of ever being involved in malicious behavior. The problem is that without clear disclosure and the ability to confidently opt out of such a capability, the possibility for abuse by a rogue employee, a security breach within Obihai, or hacking exists.
VaHam:
Quote from: Mango on May 13, 2012, 11:30:16 am
I agree with you on principle about how the devices should function. However...
Quote from: VaHam on May 13, 2012, 09:53:26 am
As someone pointed out being behind a good firewall is a great layer of security; but even that cannot be 100% since the OBi device has to have some port(s) open, at least at times, in order to function as a VOIP device
As long as you're not using manual port forwarding or DMZ, and your router uses restricted cone NAT, the ports would be open only to your VoIP provider, and the router should still block incoming traffic from other sources.
The key word there is should :)
If your router or any upstream DNS were infected with a rogue DNS (as some have been - ref: the fbi article) then the culprit could also masquerade as your voip provider. Again I think we both agree that having a good firewall is a sound practice for providing a layer of security; but it is only one layer. Most folks also have a second firewall running on their desktop computer (a second layer of defense). If all routers were perfect then the firewall on your desktop would be totally unecessary; alas they are not all perfect and hence IMHO having the firewall on my desktop is a valuable additional layer of security.
Do I view the way the OBi's are currently configured as some big security hole? Centainly not Do I think the minor weakness could be addressed? Yes
Quote from: VaHam on May 13, 2012, 09:53:26 am
Yes I realize that for this to take place remotely DNS modification would be required but if you think this is not possible
Quote from: Mango on May 13, 2012, 11:30:16 am
It's certainly possible. The bigger issue is that if I'm using rogue DNS, I've already been compromised. Yes, a cracker could access my OBi device, but they could also access every other VoIP device I use, and any other device on my network.
I agree that any other device on your network may be accessable but not that the culprit would have access to make any changes to the other devices configurations. Whether or not your other devices are susceptible to being compromised would be up to the design of those devices. A well designed device should itself have a layer of security internal to that device, just as your desktop computer uses a firewall.
The best method of assuring a devices security is to dis-allow modifications without physical access to the device. (i.e. pressing a button or having a jumper etc. on the device before allowing firmware updates). The next best thing would be to have a permission bit (honored by all) to allow webaccess to the device only from the sub-net the device is located on and honoring the permission bits for updates and provisioning. The latter could be implemented by OBiHai in a software update if they so chose. Both methods would allow the user/owner to make choices on whether they want to receive automatic updates or not.
And everyone should test their DNS security frequently but I doubt that many do.
Navigation
[0] Message Index
[#] Next page
[*] Previous page