Security hole in D-Link IP phones? No, this is a “Feature”!

    Sysadmin intuition usually says: "Stay away from D-Link equipment." The build quality of these devices and the reliability of their operation need no separate discussion: most admins who have dealt with this vendor's products in any way do not expect miracles there. But an item such as "Security" is beyond the reach of the senses altogether.


    This time, however, D-Link managed to “please” us by implementing a “security feature” and confirming it in writing...

    If your company uses IP telephony and has D-Link equipment, this material is highly recommended reading.

    On the official D-Link equipment support forum, a topic was raised about the security of D-Link VoIP equipment:
    “Good afternoon!

    We operate more than a hundred phones of this model.
    Recently, the following features of this device were discovered:
    1. By logging into the phone’s web interface under the default guest account with the password guest (access level: common), you can change the phone’s configuration: IP settings, SIP and others. You can even view the configuration file with passwords.
    2. When you delete this guest account, it reappears after the phone reboots. It reappears with the password guest even if the password was changed before deletion.

    Firmware version on this device: GE_1.00
    Tell me, is this a bug or a feature of these phones?”

    To which D-Link employee Alexey Motkov gives the official answer:

    “Feature”

    Got it? Is it even worth spending words describing the enchanting absurdity of this situation? Needless to say, one of the most vulnerable elements of IP telephony, which often sits in network segments that administrators do not control, has a gaping hole in it, and D-Link employees call that hole a “Feature”?

    Letting attackers log into the phone, download its configuration and register with the PBX on the first try, after which they “call away” hundreds of thousands of rubles: this is what D-Link calls a feature.

    The thread will surely be deleted by the forum administrators in the near future, since D-Link’s reputation drops with every view of it. We therefore attach notarized screenshots to this article: screenshot one, screenshot two.

    UPD: More interesting reading (the link was provided by Alexey Motkov himself).
