
Obihai is deleting unwanted topics

Started by Dan_voip, May 09, 2012, 07:22:03 PM


Dan_voip

Earlier there was a topic about OBi devices that got the new firmware despite the fact the firmware update was disabled.
http://www.obitalk.com/forum/index.php?topic=3225.0
Now it is gone and I'm disappointed by Obihai.

crazyk4952

I can say with certainty that I will no longer purchase another OBi product and I will no longer recommend people purchase them.

OBi you have lost my trust. Why did you build a backdoor into your product? And why are you trying to hide that fact?

Ostracus

Mmmm, I'm not certain it's "hidden". It's practically implied with the partner provisioning guide and the Obiplus program.

jimates

Quote from: crazyk4952 on May 09, 2012, 07:48:12 PM
I can say with certainty that I will no longer purchase another OBi product and I will no longer recommend people purchase them.

OBi you have lost my trust. Why did you build a backdoor into your product? And why are you trying to hide that fact?
We've always known it was there.

whee

Quote from: Ostracus on May 09, 2012, 08:10:46 PM
Mmmm, I'm not certain it's "hidden". It's practically implied with the partner provisioning guide and the Obiplus program.

Sort of. If you register your device and start configuring it through the dashboard, it's pretty obvious they are doing something to control it remotely. But given it's you configuring it, it's implied you're okay with that.

When your device isn't registered with their dashboard and you have explicitly disabled all provisioning on the device and they still have control and push updates, that is worrying.

Even if we assume each device is uniquely keyed and all communications between Obihai and the device are encrypted, you are unknowingly hosting an attack vector. If Obihai is compromised, there is nothing stopping custom firmware being uploaded to all devices and acting as a botnet. Or sniffing your SIP traffic and shuffling it off somewhere. Or anything, really.

I think remote control is a fantastic feature for supporting less technical customers, but it should have some semblance of being under your control. Make me answer the phone and enter a PIN before a remote user gains access -- even if they really still have control but are doing it to make you feel better.

As it stands, I can't trust my OBi110 will always work. I know it's configured correctly. I know it's working right now. I know I disabled every automatic thing I could. It still may be updated without my knowledge, introduce a bug, and break when I need it.

The more technical-minded of us may have always understood it was "backdoored," but fiddling with configuration without your consent is disturbing.

MRTT

Whee, you say exactly what I was thinking!

There are reasons I had my auto firmware disabled, dang it! I'll roll back to what I had... if I can
... and pretty soon I'll be looking at some Wireshark captures or just put some serious restrictions on what traffic is allowed from my OBi... I'm guessing it phones home every so often.

What was the point of forcing this update on OBis that don't use GV?

Ugh.

--
MRTT
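
One way to run the egress audit described in the post above, as an added example that is not part of the original thread: given a router flow log, it lists the destinations the ATA contacts outside an allowlist and flags those contacted at a regular interval. The log format, addresses, ports and the function name audit_egress are constructed assumptions, not captured OBi traffic.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: "epoch_seconds src_ip dst_ip proto dst_port".
# 192.168.1.50 plays the ATA; nothing here is captured OBi traffic.
SAMPLE_LOG = """\
1000 192.168.1.50 198.51.100.5 udp 5060
1030 192.168.1.50 203.0.113.77 udp 34567
1060 192.168.1.50 198.51.100.5 udp 5060
1100 192.168.1.20 203.0.113.200 tcp 443
1200 192.168.1.50 203.0.113.9 tcp 443
1250 192.168.1.50 203.0.113.9 tcp 443
1631 192.168.1.50 203.0.113.77 udp 34567
2229 192.168.1.50 203.0.113.77 udp 34567
2830 192.168.1.50 203.0.113.77 udp 34567
3431 192.168.1.50 203.0.113.77 udp 34567
4000 192.168.1.50 203.0.113.9 tcp 443
garbled line
"""

def audit_egress(log_text, device_ip, allowed_nets, jitter=0.1):
    """Map (dst, proto, port) -> stats for device flows outside allowed_nets."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != device_ip:
            continue  # malformed line, or traffic from another host
        try:
            ts, dst, port = float(parts[0]), ipaddress.ip_address(parts[2]), int(parts[4])
        except ValueError:
            continue
        if not any(dst in net for net in allowed):
            seen[(str(dst), parts[3], port)].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps) if gaps else None
        # Beacon-like: 3+ gaps whose spread is small relative to their mean.
        periodic = len(gaps) >= 3 and avg > 0 and pstdev(gaps) / avg <= jitter
        report[key] = {"count": len(stamps), "interval": avg, "periodic": periodic}
    return report

if __name__ == "__main__":
    allow = ["198.51.100.0/24", "192.168.1.0/24"]  # SIP provider + LAN (assumed)
    for dest, stats in audit_egress(SAMPLE_LOG, "192.168.1.50", allow).items():
        print(dest, stats)
```

A destination reported as periodic that the owner never configured is the candidate for a closer packet capture or an outbound firewall rule.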


RonR

Quote from: whee on May 09, 2012, 08:41:22 PM
I think remote control is a fantastic feature for supporting less technical customers, but it should have some semblance of being under your control. Make me answer the phone and enter a PIN before a remote user gains access -- even if they really still have control but are doing it to make you feel better.

An OBi that is not associated with the OBiTALK Web Portal, has ALL its Auto Provisioning and Auto Firmware Update options set to Disabled, and has a strong ADMIN password in place, can still have its contents viewed, altered, or updated by Obihai without the knowledge or consent of the owner.  It goes much further than just firmware updates.

Hortoristic

Probably a call someone had to make - force update on everyone and fix most, and deal with exceptions

Felix

GM can access OnStar devices, OBiHai can access your VoIP adapters, and local utility company can access your thermostat - everything for your benefit, of course!

What they say? Just because you are paranoid doesn't mean that they are not after you  >:(

Lavarock7

Quote from: Felix on May 09, 2012, 10:23:42 PM
GM can access OnStar devices, OBiHai can access your VoIP adapters, and local utility company can access your thermostat - everything for your benefit, of course!

Companies that you allow to direct deposit money into your bank account can also debit money from that account.

Life is never a one-way street.
My websites: Kona Coffee: http://itskona.com and Web Hosting: http://planetaloha.info
A simplified Voip explanation: http://voip.planet-aloha.com

QBZappy

I started the thread that was removed.

It was an honest technical question on how the units were updated despite settings to prevent it. I think it is the first time one of my posts has been removed. Removing valid questions of a technical nature "does not help the cause" of selling the units. Next we will be asking ourselves if they have the ability to listen/record our conversations??? OBihai, how you handle this issue of trust can have a direct impact on your future sales. You are giving us the impression that there is a dark side to operating the OBi ATA. I don't have this concern with my other equipment providers. Imagine if you suspected your router manufacturer to keep track of what sites you are visiting.

Now that this topic has been tagged, I don't expect this post to last.
Owner of the 1st OBi110/100 units in service in Canada & South America. 1st OBi202 on my street. 1st OBi1032 in Montreal.

Dan_voip

Quote from: jimates on May 09, 2012, 08:35:13 PM
Quote from: crazyk4952 on May 09, 2012, 07:48:12 PM
OBi you have lost my trust. Why did you build a backdoor into your product? And why are you trying to hide that fact?
We've always known it was there.
How did you know? Is it in the manual, on their web site somewhere, an Obihai public announcement?
With all update, provisioning and Obitalk disabled, are they still able to access the device?
If that's true it's totally wrong.

Obihai, can you comment on that or, if it was posted somewhere, can you provide a link please?

Felix

Quote from: Dan_voip on May 10, 2012, 02:20:26 PM
Obihai can you comment on that or if was posted somewhere can you provide a link please?
OBi silence on this topic is deafening! As they said in Nixon years - it's not the mischief that gets you; it's the cover-up!

MichiganTelephone

I just want to know, do those who claim to have received the update but think they shouldn't have, have all of the following settings as shown:

System Management | Auto Provisioning | Auto Firmware Update: Method: Disabled
System Management | Auto Provisioning | ITSP Provisioning: Method: Disabled
System Management | Auto Provisioning | OBiTALK Provisioning: Method: Disabled
Voice Services | OBiTALK Service | Enable (Unchecked)

Especially check the last one because I'm being told that's the one that's important — you must have OBiTALK Service disabled or you may still get the updates!
Inactive, no longer posting or responding to messages. Goodbye and good luck. Some of my old Obihai-related blog posts have been moved to http://tech.iprock.com - note this is NOT my blog; I have simply given the owner permission to repost some of my old stuff.

ShermanObi

Hi Everyone,

As most all of you are aware, an OBi device can make calls to other OBi devices and soft phones (running on smart phones, tablets and PCs) out-of-the-box.  Customers use this capability to make calls to OBi devices to ring its attached phone or to bridge a call to a regular phone number -- using the OBi device as a VoIP gateway.

To maintain OBiTALK OBi-to-OBi calling functionality (and related features), Obihai may make configuration or software modifications to devices that use the OBiTALK Service. Otherwise, when there is a 'service' affecting issue, we may need to update its config or software. This is memorialized in the OBiTALK terms of service and this is what we did on Wednesday. There are no backdoors on Obihai products.

Service providers with whom we do business have access to additional provisioning capabilities that, depending on how they utilize the OBi device remote configuration process, can affect how the device behaves in relation to available OBiTALK-driven services.  Just like individual owners of Obihai devices, service provider owners have 100% control over how the device operates.

By keeping OBiTALK Service and OBiTALK provisioning enabled, the following services are available today (more will be available in the future):

  • OBi-to-OBi Calling
       Including: Calling to/from your OBi to/from the OBiON for iPhone or Android and OBiApp for PC
  • OBi-to-OBi-to-SIP or Google Voice Service Calling (and vice-versa)
  • OBiTALK Device Configuration
       Including Configuration of SIP and Google Voice Service(s)
       Emergency Calling Service Set-Up
       Convenient Setting Time-Zone, Attendant PIN, etc.
  • OBiTALK Circle of Trust Invites / Acceptance
  • Speed Dial Configuration Across All Your OBi Devices & Soft Phone
  • Assignment of Trusted Callers' Phone Numbers for Access to the OBi Attendant for Service Bridging
  • OBi Expert Cloud Based Configuration
       By the way: We are Fixing the Config Import Function
  • Direct Support from Obihai via e-mail or Phone

As for deleting topics (and posts) on the OBiTALK forum, we do this very rarely, but topics (or individual posts) are deleted when they contain falsehoods and/or inaccurate information that would be misleading and unproductive to the OBi user community.  We want the forum to be a place where a user can go to learn about how to use an OBi product without fear they will receive false information that would hinder their ability to use the product.  QBZappy is one of the forum's top contributors and a valuable, knowledgeable asset to the community.  QBZappy's topic-creating post was not the offending one, but there were several other posts that were made there, making that particular thread worthless to the community. So we deleted it.

Thank you,
Sherman
sherman@obihai.com

RonR

Just for clarity...

In order for individual owners of Obihai devices to ensure their devices cannot be accessed, altered, or updated by Obihai in any way, all of the following options must be set:

System Management -> Auto Provisioning -> Auto Firmware Update -> Method : Disabled
System Management -> Auto Provisioning -> ITSP Provisioning -> Method : Disabled
System Management -> Auto Provisioning -> OBiTALK Provisioning -> Method : Disabled
Voice Services -> OBiTALK Service -> Enable : (unchecked)

Please confirm that after these options are set, Obihai will have no ability to access the device in any way.

VaHam

Quote from: ShermanObi on May 11, 2012, 10:32:38 AM
To maintain OBiTALK OBi-to-OBi calling functionality (and related features), Obihai may make configuration or software modifications to devices that use the OBiTALK Service. Otherwise, when there is a 'service' affecting issue, we may need to update its config or software. This is memorialized in the OBiTALK terms of service and this is what we did on Wednesday. There are no backdoors on Obihai products.

Can you provide a list of all settings required to disable ObiTalk and any other features necessary so that OBi devices can no longer be accessed by anyone other than the physical owner/user?

Users who are concerned about security over features can then make a choice as to which they prefer.


Mango

I too would appreciate an official response to RonR's post above. 

Also, please confirm that with the settings RonR quoted, OBi devices have no way to "phone home" or otherwise spontaneously make any attempt to provision themselves or upgrade their firmware, without the explicit action of the end user.

ShermanObi

To answer questions from RonR and VaHam...

The following parameter settings will disable OBiTALK services.
System Management -> Auto Provisioning -> OBiTALK Provisioning -> Method : Disabled
Voice Services -> OBiTALK Service -> Enable : (unchecked)

Auto Firmware Update & ITSP Provisioning are parameters used primarily by ITSPs (and managed services VARs). OBiTALK does not use either of these parameters.  Some individuals & organizations may use the Auto Firmware Update as described in this FAQ: Click Here




Mango

You have not explicitly answered RonR's, VaHam's, or my questions.