Security Issues for Owners of BT’s Cloud Voice Yealink Handsets

Businesses that decide to sell their unwanted BT Cloud Voice handsets on eBay need to take extra care because some models, such as the Yealink W60P phones, may retain the prior customer’s account credentials. As a result, those who purchase them could find that they’re able to make calls on another person’s account.

The situation came to light after one of ISPreview.co.uk’s readers, Chris, purchased two second-hand BT Cloud Voice handsets – via two different sellers – off the popular internet auction site (i.e. small businesses are sometimes given handsets that they don’t end up using, which eventually make their way to places such as eBay). The mistake here is to assume that such handsets are just like regular phones.

NOTE: A lot of different handsets have been sold alongside BT Cloud Voice, and we haven’t been able to confirm if they all work in the same crucial way (likely). So it’s wise to check before parting with them.

Unlike regular dumb phone handsets, those on BT’s Cloud Voice platform are designed to “work out-of-the-box.” In the case of the two Yealink W60P DECT IP phones, they come pre-registered to Yealink’s cloud-based management services, which is something that some owners clearly haven’t realised.

According to Chris, “BT have set these phones up to autoconfigure using Yealink’s cloud-based management services; this means even if factory reset and flashed with new firmware, they call home to Yealink with their MAC address, where they retrieve their configuration settings, reboot and then are automatically logged into someone’s BT Voice account. The phone is then able to make and receive calls with someone else’s telephone number.”

A quick look at BT’s website, FAQs and T&Cs suggests that this behaviour isn’t being made clear to people. Indeed, there are no stickers on the box or anything in the T&Cs that would forbid reselling the hardware, nor any clear warning that the device is locked to the customer’s account and number. Suffice to say, it would be all too easy for customers to assume the handsets can simply be sold off, when in fact doing so may expose their account.

A Spokesperson for BT told ISPreview.co.uk:

“We use industry standards in order for Cloud Voice to work out-of-the-box and deliver the best customer experience possible. In the case that a supplied device is no longer used for the service that it was intended for, the customer must remove the device from the BT service via the self-serve Digital Portal or inform their BT service team.

Our terms and conditions do state that the customer is responsible for the proper use of purchased equipment and they must take the necessary steps to ensure their devices and account details are kept confidential, secure and not made available to unauthorised persons.

We do recognise however that the steps to disassociate a device from the service could be better set out in our customer communications, and we will look to explore this internally and make improvements where necessary.”

On the one hand it’s easy to understand why BT would be seeking to make such systems as easy as possible to set up and use out of the box. But at the same time we’re surprised that some basic customer checks aren’t first being performed in order to prevent use by unauthorised individuals (e.g. requesting details that only the original owner would know).

“With a bit of network knowledge and packet capture, it is possible to reuse these devices. By blocking the IP addresses used to dial into Yealink’s servers followed by factory reset (possible by powering up using the single button on the base station to reset it, the only option as the UI password is changed by BT), it will reboot, fail to reach Yealink and so just behaves like any Yealink bought from a shop. So, these devices aren’t locked to BT, they work independently, just that they always want to fetch the configuration settings from BT and override anything else set,” added Chris.

BT’s Cloud Voice service is not the only VoIP-style platform to work in this way, and such platforms will only become more common as IP-based phone services increasingly replace traditional handsets over the next few years. Suffice to say, don’t just assume that a factory reset is all you need to do; sometimes extra steps may be required to fully disassociate your account from the device before selling it (assuming resale of kit is allowed by your broadband ISP).
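The reason a factory reset is not enough is that the account binding lives on the vendor’s side, keyed by the handset’s MAC address, not in the handset’s own flash. The following toy model (an added example written for this article, not code from BT, Yealink or ISPreview; the class names, the MAC and the phone number are constructed) walks through the three outcomes described above: reset alone, reset with the call-home blocked, and proper disassociation from the service.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RedirectService:
    """Stand-in for the vendor-side MAC-to-account store (hypothetical, not the real API)."""
    configs: Dict[str, dict] = field(default_factory=dict)

    def enrol(self, mac: str, number: str, sip_user: str) -> None:
        self.configs[mac] = {"number": number, "sip_user": sip_user}

    def disassociate(self, mac: str) -> None:
        """What 'remove the device from the BT service' does: the MAC no longer maps to an account."""
        self.configs.pop(mac, None)

    def lookup(self, mac: str) -> Optional[dict]:
        return self.configs.get(mac)


@dataclass
class Handset:
    mac: str
    local_config: Optional[dict] = None  # the only state a factory reset can clear

    def factory_reset(self) -> None:
        self.local_config = None

    def boot(self, cloud: RedirectService, cloud_reachable: bool = True) -> Optional[str]:
        """On boot the phone calls home with its MAC; any config returned overrides local settings."""
        if cloud_reachable:
            remote = cloud.lookup(self.mac)
            if remote is not None:
                self.local_config = dict(remote)
        return self.registered_number()

    def registered_number(self) -> Optional[str]:
        return self.local_config["number"] if self.local_config else None


def resale_scenarios() -> Dict[str, Optional[str]]:
    """Returns which number the phone registers with after each course of action."""
    cloud = RedirectService()
    phone = Handset(mac="00:11:22:33:44:55")            # constructed MAC
    cloud.enrol(phone.mac, "+441234567890", "old-customer")  # constructed account
    phone.boot(cloud)                                   # original owner's normal use
    out: Dict[str, Optional[str]] = {}
    phone.factory_reset(); out["reset_only"] = phone.boot(cloud)             # old account comes back
    phone.factory_reset(); out["reset_and_blocked"] = phone.boot(cloud, False)  # Chris's workaround
    cloud.disassociate(phone.mac); phone.factory_reset(); out["disassociated"] = phone.boot(cloud)
    return out
```

Only the last scenario protects the seller: in the blocked case the binding still exists server-side and is pulled down again the moment the handset can reach the cloud.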

NOTE: We weren’t able to test BT’s consumer focused ‘Digital Voice’ service to see if the same issue applies.
