
Unable to change admin password on OBi110

Started by aselvan, October 21, 2014, 05:35:03 AM


aselvan

I got my OBi110 yesterday and the first thing I tried to do is change the admin password via the interface but I am unable to do so.

Once I change/apply under "System Management/Device Admin", it asks for the new password to login again (which works) and after I reboot, the password reverts back to "admin". The version/build of firmware is below.

HardwareVersion   3.4   
SoftwareVersion   1.3.0 (Build: 2872)

aselvan

Also, other changes, for example the CallerIDName parameter on Calling Features of the SIP1 service, keep reverting to blank, among other check box entries like MWIEnable, X_VMWIEnable etc.

Anyone else notice this behavior and is there a workaround or firmware update?

Shale

Quote from: aselvan on October 21, 2014, 05:35:03 AM
I got my OBi110 yesterday and the first thing I tried to do is change the admin password via the interface but I am unable to do so.
Which interface?

See http://www.obitalk.com/forum/index.php?topic=61.msg109#msg109

aselvan

Quote from: Shale on October 21, 2014, 05:57:25 AM
Quote from: aselvan on October 21, 2014, 05:35:03 AM
I got my OBi110 yesterday and the first thing I tried to do is change the admin password via the interface but I am unable to do so.
Which interface?

See http://www.obitalk.com/forum/index.php?topic=61.msg109#msg109

It was the device web interface -- I did not realize the same interface (under the expert menu) is available on obitalk.com, which the device syncs with and which overwrites the local settings. I moved all my changes to the obitalk.com interface and it's staying persistent now.

Thanks for the response.

Shale

Glad it worked out.

I am a bit shocked that the OBiTalk interface could get into the OBi without knowing the password.


SteveInWA

Quote from: Shale on October 21, 2014, 06:36:13 AM
Glad it worked out.

I am a bit shocked that the OBiTalk interface could get into the OBi without knowing the password.



I assume that the device had first been added to the OBiTALK account with a default user ID and password, so this gave it access to the device, regardless of any subsequent changes to the device on the local side -- as soon as the device reboots, it syncs with the portal, which wipes out anything locally-configured, including the password.  One might argue that this is a vulnerability, but the assumption is that the user had to have physical access to the device to add it to the portal (go through the **5 device discovery routine), so they're authorized to access the device via the portal.

aselvan

Quote from: SteveInWA on October 21, 2014, 08:04:50 PM
Quote from: Shale on October 21, 2014, 06:36:13 AM
Glad it worked out.

I am a bit shocked that the OBiTalk interface could get into the OBi without knowing the password.



I assume that the device had first been added to the OBiTALK account with a default user ID and password, so this gave it access to the device, regardless of any subsequent changes to the device on the local side -- as soon as the device reboots, it syncs with the portal, which wipes out anything locally-configured, including the password.  One might argue that this is a vulnerability, but the assumption is that the user had to have physical access to the device to add it to the portal (go through the **5 device discovery routine), so they're authorized to access the device via the portal.

Yes, the device was added to the OBITalk account, and OBITalk, using the default admin/admin credentials, was resetting everything on the device! I was shocked too. In my opinion, the sync should be the other way around (i.e., physical device to website) or not sync at all... and most importantly, it should never sync the admin credential on the physical device to a website. Though I changed the admin password on the OBITalk interface for the device, I just don't like the idea of a website having access to a physical device inside my network. I bet most users did not bother to change the admin/admin password on this device!