[NEWS] Uniden UIP1868P (VoIP Phone/Gateway) Default Password
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 19 Feb 2006 15:56:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Uniden UIP1868P (VoIP Phone/Gateway) Default Password
------------------------------------------------------------------------
SUMMARY
" <http://www.packet8.net/about/uniden.asp> The Uniden Whole House VoIP
Phone System (UIP1868P) makes setting up and using Packet8 Internet Phone
Service a snap - just plug the Ethernet cable from your broadband modem
into the Uniden 1868 base station, configure the built-in router and
you're ready to go."
A default password for Uniden UIP1868P administration settings allows
attackers to gain full control over the VoIP system.
DETAILS
The Uniden VoIP (SIP based) phone can be configured as a client as well
as a gateway/router. Sensitive information can be obtained from the
administrator interface, such as the last 10 incoming/outgoing
phone-calls and the IP address/port of the SIP server to which the
gateway connects.
By default the web admin interface uses the password "admin" (without
quotation marks). Also, no username is required; only a password is
required.
This means that the security of the device ultimately relies on knowing
one string of characters, rather than two (username/password).
Some useful features include voice-mail service and the possibility to use
the gateway from a wireless phone. It supports up to 10 wireless handsets
so you can make your VoIP phone-calls from anywhere in your room.
Attackers may pick up the wifi signal to connect to the UIP1868P gateway
and make phone-calls at the victim's expense.
Once admin access to this VoIP phone/gateway is obtained, the device is
exposed to the same attacks as a regular router would be after being
compromised:
- placing internal hosts (internal IP address can be obtained from DHCP
table) on the DMZ, thus exposing them to the Internet
- setting up port-forwarding to internal hosts
- shutting down/resetting the device (DoS attack)
Either of the first two attacks would make port-scanning and exploitation
against internal hosts possible. However, both of these attacks only apply
in cases in which the UIP1868P is being used as a gateway
(Internet router).
ADDITIONAL INFORMATION
The information has been provided by pagvac
<mailto:unknown.pentester@xxxxxxxxx>.
The original article can be found at:
http://www.ikwt.com/projects/Uniden.UIP1868P.txt