OBi110 firmware updated Aug-24-2014 to Ver 1.3.0 (Build 2872)

Started by bluechip, August 24, 2014, 02:23:20 PM

R_Chandra

Hmmmm...so this is a little unfortunate.  Apparently, it is now impossible to use an OBi110 with Google Voice without the OBiTalk portal.  Sigh....

I suppose, it's impossible unless you happen to know what the portal is doing, and do similar things to the OBi110.  I would guess it's something to do with getting an OAuth token then storing it in the unit.  Still...this is annoying.  I want to be able to do everything to my device locally, and not rely on/disclose anything to another party.  Rats.  Well, what can you expect for $50 I guess?

BTW...I really think that's what it's doing, getting an OAuth token. Some of you posters were saying it was a "completing the firmware update."  Call that what you will, but I call it updating firmware when you change the stored program, and this would SEEM to be merely a configuration change.

lrosenman

OAuth(2) is MORE secure than the old way, and doesn't expose your password over the wire ALL THE TIME.

Yes, you now need to set up Google Voice via ObiTalk.   It does NOT get in the way of you doing Expert Config or other changes.

Why are you so opposed to ObiTalk?

R_Chandra

When ObiTALK is unavailable (as simple as a routing snafu where Google is accessible but they aren't, or in particular, if Obihai were to go out of business) and I want to change my ATA, what then?  Why are Obihai's servers necessary to fetch my token?  Why can't the OBi110 fetch it itself? Is Obihai merely passing that token through, or are they storing it somewhere?

I'm not questioning the authentication strength of OAuth versus whatever was being used before, I'm questioning why it needs to go through a third party, and all the security implications THAT has.  If you trust Obihai to do everything fine every time, that's great.  I'm sure that's what the Target, Home Depot, Anthem, etc. folks thought too.  Obihai seems to be one link in the chain which shouldn't need to be there.

I would even be semi-happy if Google Voice could be set up, then be able to change the admin password on my device and delete it from ObiTALK.  But if you do that, it deconfigures your GV ("Service not configured"), and resets your admin password to the default of "admin".  If you don't delete it from ObiTALK, it resets your password to what it thinks it should be and reboots your OBi.  That in itself is quite troubling, because that implies they're STORING MY DEVICE'S ADMIN PASSWORD IN PLAINTEXT.  Ask ANYONE who programs things which are supposed to be secure, such as password handling routines, and they will explain that NO password should even show up on the page after provisioning, yet it appears on the ObiTALK page after I click on the device name in my dashboard!  It's not even obscured by asterisks or anything, so anyone happening to see my monitor can now screw with my OBi110.  "Expert config" sucks because it reboots the box after EVERY change; you can't batch up a few (pages of changes) and THEN reboot.  I don't want my firmware being updated potentially every day, but once again, if you vary from the Obihai Rx, you're slammed down, your changes are reverted, and your box gets bounced.  Even if you change that in "Expert mode" on the Web site, logging directly into the device begs to differ, it says it will still probe every 86400 seconds. (I don't know what was happening when I looked, but now Disabled/Disabled seems to have been pushed to my device.)

lrosenman

I believe(!) you can turn off device provisioning, just not delete it from ObiTalk.

SteveInWa will probably drop by with more info.

I also don't believe that ObiTalk is needed for call routing to/from GoogleVoice.


R_Chandra

Quote from: lrosenman on March 05, 2015, 06:22:25 PM
I also don't believe that ObiTalk is needed for call routing to/from GoogleVoice.

I have yet to get anything but "Service not configured" when trying to set up GV outside of the ObiTALK portal.  If you have been able to do so, I'm all eyes on how to do that.

lrosenman

SETUP *MUST* be done on the portal, HOWEVER, once set up, you should be able to turn off the provisioning via ObiTalk, and you must not DELETE the Obi from the portal.

R_Chandra

Huh....would you look at that?  I see different results tonight.  I apologize...Disabled for FW update and Disabled for autoprovisioning is now working; last night it didn't seem to be so.


SteveInWA

Keep in mind:

The OBiTALK portal method of setting up Google Voice was developed specifically to not supply your login credentials to Obihai. So, the argument about the Target and Anthem data theft is moot.

When you use the portal to sign up, it is using Google's OAUTH 2.0 setup routine.  If you were paying attention, you would have seen that it opens a new browser window, directly logged into your Google, not OBiTALK, account, where Google asks you, the person signed into your Google account, if you would like to give your device permission to use a service on your Google account.  This is a normal, direct, TLS-secured web browser session between your computer's web browser and Google...not Obihai.  When you agree, the secure token exchange takes place.  Obihai never gets your password, and the only thing that you have done is to grant your OBi device permission to access a service on your Google account.

By the way, Obihai has leveraged this same system to now support direct import of your Google Contacts to an OBi 10x2 IP phone's address book.

This is a far more secure method of configuring the device than giving Obihai your Google password.

As lrosenman explained, after you have done this, the OBiTALK portal has no further communication with your OBi device at all, with regard to Google Voice calling.

Azrobert did a nice job writing up how to use this procedure to configure GV, and then "go offline" by backing up your device configuration, if you so desire.

http://www.obitalk.com/forum/index.php?topic=8685.msg57331#msg57331

R_Chandra

Oh, yes, I was quite aware of the session popping a new tab (in my case) for Google to ask me to authorize three permissions on the first pass, and a single one on a subsequent pass.  I know my Google credentials were never touched by anyone except me and an instance of Firefox.  That's not in question.  The problem remains, where does the TOKEN go?  Under what circumstances can the token be used to authenticate as me?  Does the token go first to Obihai's server(s) and THEN to my OBi110?  You seem to say it somehow makes it straight from Google's servers to my OBi110.  It does not seem that way offhand, because the next step is to confirm that my GMail address is the one intended, THEN my OBi110 can log into GV.  Yep, I plead ignorance at the moment because I haven't broken out either tcpdump or Wireshark yet.

It still remains a nearly indisputable fact that passwords should never be stored, but that's what ObiTALK does with the admin password for my device.

I'm pretty sure this will prove a very good read, how to detach from ObiTALK. Thank you very much for that.

SteveInWA

Dude:  just use a unique, strong password for your OBiTALK portal account.  BFD.

No, nobody is going to get into hacking the token exchange procedure here.




Willy-Bill

I'm not concerned with the token being stored, and sent to the device during provisioning updates.  However, passwords not being stored anywhere is kind of moot, as it has to be stored somewhere.  If you use online provisioning, if that password wasn't stored, then it would be erased upon update of the provisioning. 

BTW, Hey Steve (aka Bluescat). 

SteveInWA

Quote from: Willy-Bill on March 15, 2015, 10:44:57 PM
I'm not concerned with the token being stored, and sent to the device during provisioning updates.  However, passwords not being stored anywhere is kind of moot, as it has to be stored somewhere.  If you use online provisioning, if that password wasn't stored, then it would be erased upon update of the provisioning. 

BTW, Hey Steve (aka Bluescat). 

Hey Willy-Bill!  Do I know you?   My cat in my profile photo is Willie, btw.

I'm not sure what point you are making, but I think you are referring to password entry during the process.  Just to clarify:  when a user goes through the OBiTALK portal to set up OAUTH 2.0 authentication, Obihai is not involved in the user's Google password exchange.  The user first signs on to their Google account, on a typical Gmail or GV web page, which is an authenticated and encrypted channel between Google and the user's browser.  Obihai isn't involved in that at all.  After the user is signed in, as indicated by various session cookies, the user logs into the OBiTALK portal in another browser tab, and kicks off the OAUTH 2.0 setup.  At this point, OBiTALK sends a request to Google to grant OBiTALK permission to access a service on the (already signed-on) Google user's account.  Then, the user gets a pop-up window, on a new, secure Google web page, already signed into their Google account.  This pop-up is where the user says "yes, OBiTALK can access service xyz on my account", and after that point, the secure token is transferred from Google to OBiTALK to the device.  So, at no point does Obihai have the user's Google password.  In fact, right after performing this procedure, the user can change their Google password, and not have to go through the setup again.

At any time, a Google user can view and, if necessary, revoke this permission, here:

https://security.google.com/settings/security/permissions

I hope this helps.
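
The flow described in the post above, modeled as an added example (not part of the original thread, and not Obihai's or Google's code). It assumes the standard OAuth 2.0 authorization-code grant; the `Google` class, the `portal` client name and every value are constructed. It records which party handles the password, the code and the token, then checks the token after a password change and after revocation.

```python
import secrets

class Google:
    """Toy authorization server: a constructed model, not Google's real API."""
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.sessions, self.codes, self.tokens = set(), {}, {}

    def sign_in(self, user, password):          # browser <-> Google only
        if (user, password) != (self.user, self.password):
            raise PermissionError("bad credentials")
        session = secrets.token_hex(8)
        self.sessions.add(session)
        return session

    def consent(self, session, client):         # user clicks "allow"
        if session not in self.sessions:
            raise PermissionError("not signed in")
        code = secrets.token_hex(8)             # one-time authorization code
        self.codes[code] = client
        return code

    def exchange(self, code, client):           # client redeems code for token
        if self.codes.pop(code, None) != client:
            raise PermissionError("invalid or reused code")
        token = secrets.token_hex(16)
        self.tokens[token] = client
        return token

    def accepts(self, token):
        return token in self.tokens

    def revoke(self, client):                   # the account permissions page
        self.tokens = {t: c for t, c in self.tokens.items() if c != client}

def run_flow():
    google = Google("user@example.com", "old-password")
    saw = {"browser": [], "portal": [], "device": []}  # values each party handled
    session = google.sign_in("user@example.com", "old-password")
    saw["browser"] += ["old-password", session]
    code = google.consent(session, client="portal")
    saw["browser"].append(code)      # redirect back to the portal carries the code
    saw["portal"].append(code)
    token = google.exchange(code, client="portal")
    saw["portal"].append(token)      # the portal holds the token first...
    saw["device"].append(token)      # ...then provisions it to the device
    google.password = "new-password"
    ok_after_password_change = google.accepts(token)
    google.revoke("portal")          # token must be rejected from here on
    return saw, token, ok_after_password_change, google.accepts(token)
```

In this model the portal never handles the password but does handle the token, which is the custody question raised earlier in the thread.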

-DC-

I updated the firmware on my OBi110 to 2872 and now when I'm in the middle of a phone call the device likes to reboot itself, which also terminates the call. I've done a reset and that didn't fix the problem. At this point I'd be satisfied with downgrading back to the older (working) firmware but alas, it is nowhere to be found! Help?

SteveInWA

Quote from: -DC- on March 31, 2015, 06:44:17 PM
I updated the firmware on my OBi110 to 2872 and now when I'm in the middle of a phone call the device likes to reboot itself, which also terminates the call. I've done a reset and that didn't fix the problem. At this point I'd be satisfied with downgrading back to the older (working) firmware but alas, it is nowhere to be found! Help?

Your issue is unrelated to the firmware upgrade, or to this discussion thread.  I haven't seen any significant reports from a large number of 110 users with this symptom.  It's more likely due to a home network issue.  I suggest you start a new discussion specific to your issue.