Showing results for 
Search instead for 
Did you mean: 

Get the latest Cisco news in this February issue of the Cisco Small Business Monthly Newsletter


SPA8000's security, revisited

I was hesitant to bump an old thread, so here it is for reference:

How did that issue resolve, if at all? No firmware update has been released since that time, and I don't have access to CSCui25004 to read more about any possible update there.

One fundamental point about the hack was also unclear to me: is it only going to be a problem when the SPA8000 is connected directly to the Internet, or is it also possible when it's behind a router? If it's the latter, it's truly puzzling to me.

Everyone's tags (1)

Once former Linksys division

Once former Linksys division has been dropped no one with deep-in knowledge about this class of product respond here like Patrick Born did. So I will be surprised if an insider will respond you here.

Based on my experience (our installations are focused on customer's security), neither SPA IP Phones nor ATA Gateways are suitable to be exposed to public Internet. It's not only because of issue you mentioned - there has been other issues in the past including undocumented management interface - turned on with no name/password required by default.

There are no countermeasures against DoS or brutal-force password guessing implemented in devices as well.

In short, those devices are "in-door units" and needs to be placed in secured network only. No untrusted source should be allowed to send even one packet to it. Even one packet may harm. Such packet may arrive not even from outside, but from infected local PC as well. Even short call to exotic destination may be expensive.

You should have dedicated *private* VLAN covering voice infrastructure devices only. No other devices should be allowed on such VLAN.

Appropriate countermeasures should be taken on local PBX, if any, as well as on border router.

Just my $0.02




Thanks, Dan, that's some good

Thanks, Dan, that's some good advice (and I think there's some in the original thread, too, though perhaps not much of it was effective). Also, I wasn't even aware that Linksys had been passed off to Belkin.

If you or someone does have access to that CDETS report, it would still be interesting to know what happened back then.