Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
2
Replies

SPA8000's security, revisited

bjf2000_cisco
Level 1
Level 1

‎07-23-2015 12:03 PM - edited ‎03-21-2019 10:27 AM

I was hesitant to bump an old thread, so here it is for reference:

https://supportforums.cisco.com/discussion/11735651/help-spa8000s-getting-hacked

How did that issue resolve, if at all? No firmware update has been released since that time, and I don't have access to CSCui25004 to read more about any possible update there.

One fundamental point about the hack was also unclear to me: is it only going to be a problem when the SPA8000 is connected directly to the Internet, or is it also possible when it's behind a router? If it's the latter, it's truly puzzling to me.

0 Helpful
2 Replies 2

Dan Lukes
VIP Alumni
VIP Alumni

‎07-23-2015 02:12 PM

Once former Linksys division has been dropped no one with deep-in knowledge about this class of product respond here like Patrick Born did. So I will be surprised if an insider will respond you here.

Based on my experience (our installations are focused on customer's security), neither SPA IP Phones nor ATA Gateways are suitable to be exposed to public Internet. It's not only because of issue you mentioned - there has been other issues in the past including undocumented management interface - turned on with no name/password required by default.

There are no countermeasures against DoS or brutal-force password guessing implemented in devices as well.

In short, those devices are "in-door units" and needs to be placed in secured network only. No untrusted source should be allowed to send even one packet to it. Even one packet may harm. Such packet may arrive not even from outside, but from infected local PC as well. Even short call to exotic destination may be expensive.

You should have dedicated *private* VLAN covering voice infrastructure devices only. No other devices should be allowed on such VLAN.

Appropriate countermeasures should be taken on local PBX, if any, as well as on border router.

Just my $0.02

 

 

0 Helpful

bjf2000_cisco
Level 1
Level 1
In response to Dan Lukes

‎07-23-2015 11:07 PM

Thanks, Dan, that's some good advice (and I think there's some in the original thread, too, though perhaps not much of it was effective). Also, I wasn't even aware that Linksys had been passed off to Belkin.

If you or someone does have access to that CDETS report, it would still be interesting to know what happened back then.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents