Hacking a Yealink device autoprovisioned for BT Voice

The Background

TL;DR straight to the ridiculously easy hack

Recently we upgraded our phone system, BT supplied us with some shiny Yealink T48G phones.
These support 16 SIP accounts and I wanted to add my own personal account as I was going to be using my phone for working from home and it made sense to use just one phone and to get rid of my Obi device.

The first thing I did when getting the phone was to go to the webpage and try logging in, I tried the normal admin username password combination but it didn’t work, a quick search told me that once the phones had been ‘auto-provisioned’ for BT, the ‘user’ username and password was user/password. This allowed me to log in, but ideally I wanted the admin password, even without that though I was able to gather enough detail to perform a factory reset on the phone and manually configure the BT Voice settings.. However somethings didn’t work quite as before, for example the Busy Light List didn’t display and I didn’t know what URI I should set.

So i set the network port to span mode and fired up Wireshark and started a phone up, I thought as they contacted BT for configuration, maybe they would transmit the admin password in cleartext or at the very least a config file.. no such luck, but I did get the auto-provision url, this meant that I could now reset a phone to factory settings and I would be able to set it to automatically configure itself again.. (I suppose I could have asked BT for this information but oh well). Thinking by doing this there was more chance the admin password or config file would be transmitted and I’d be able to listen, again no luck, the traffic was encrypted.

The next thing I did was to set the log level to 6 (Maximum) on the webpage and then and then exported the log after a boot, this gave me some details for example the Busy Light URI but I wanted more.. I tried to ‘provision’ the phone while changing the admin password..Nope, ‘provisioning’ while exporting the log file every few seconds.. Nope.. Running out of ideas I right clicked the phones webpage and selected ‘View source’ maybe I’d see something like a secret link to enable telnet.. Nope…

The Details

Viweing the source, I did however notice the following lines
setMenu(allItem);

if(identity == “admin”)
level = 2;
else if(identity == “var”)
level = 1;
else
level = 0;

This seemed very strange, like the webpage was just saying, what is your username? if it’s ‘admin’ I’ll give you access to everything.. so I started the Chrome console, [Shift] [CTRL] + ‘J’, clicked ‘Sources’ selected the ‘Serverlet’ and added a breakpoint at line 313, refreshing the page this then let me change ‘identity’ variable from ‘user’ to ‘admin’ and boom, full access, even allows me to change the settings.. I said it was a ridiculously easy..

The Conclusion

Having tried a few complicated ways to get details of the phone settings (nothing too bad), I was thinking of other ways to get in, maybe spoofing a certificate and performing a MitM attack, maybe downloading the firmware and looking for exploits or backdoors, even social engineering and phoning BT saying I was a new engineer and had forgotten the ‘Admin’ password šŸ™‚
I thought I’d try the obvious and view the source.. Anyway, long story short… my conclusion is that I should always try the easy ways first.. (And Yealink should be embarrassed how easy it is to get admin privileges on their phone)

Update (02.05.17)

The latest firmware appears to address this security issue, in as such that they’ve not made it so obvious, however the webpage still restricts items depending on what user/level you are, so youĀ can get it to display,change and save all items even if you are logged in as a normal user.

The following shows an example with the latest firmare that BT are currently usingĀ (28.80.179.2).

First if I log in with the stand user/password account I see the following when I go to settings.

not a lot to chooseĀ there, I then bring up the “Developer Tools” in Chrome and go to ‘Sources’ and then double click ‘Severlet’ and search for level

You can see above that they are still restricting things by what level you are, so I set a breakpoint on line 431 (Newer firmware works the same just the line numbers change). I then refresh the page and have to keep pressing ‘F8’ till I get to the settings I want. The first few breaks show in the local variable, a level and a node, so the following

means the Dial Plan page will be hidden, unless I change the 2 to a 0 and continue. anyway after pressing ‘f8’ a few more times I then get to the setting for the page I’m on.

This one says that the option to export the config is hidden, so I change the level from 2 to 0 and as I no longer want to change any other settings i remove the break point and press ‘F8’ again, this then give me the following webpage.

You can see both the Dial Plan and the option to export the config are now available to me.

A side note, Yealink have now made it so the Service Provider can link theĀ MAC address of your phone to their configuration, so if you upgrade your firmware or change some settings they don’t want you to, the next time the phone restarts it will downgrade the firmware to the version the service provider wants to use.Ā To get round this I just created a static route on my router forĀ 184.106.101.50 and set the gateway to 10.0.0.1 (Just a random local address I’m not using), this prevents the phone contacting the Yealink service.

 

20 comments

  1. Itā€™s strange you say this about mac addresses, Iā€™ve just brought a phone on ebay and Iā€™ve tftp restored it but it still manages to pull Locked configs from the service provider, not BT in this case. So Iā€™ll be adding the route to our dns for yealink. Itā€™s a bit sneaky to do forced provisioning with factory defaulted firmware. Shame on yealink

    1. How did you manage to restore it? Using Pumpkin TFTP? I bought a W60B base/phone from eBay which is provisioned to BT Voice and trying to figure out how to use it.

      Any help would be appreciated.

  2. This didn’t work for me on a newer W60B base station, because the standard “user” account no longer has “user” as the password, and I couldn’t guess it.

    However by setting up a TFTP server containing this file as y000000000077.cfg:

    #!version:1.0.0.1
    static.security.user_password = admin:admin

    And configuring my DHCP server to send option 66 with the IP address of the TFTP server, I was able to make the phone download this file and override the admin password to “admin”, and then log in.

    1. You could always disconnect your ADSL, default the phone, log in with the default username and password and turn off auto provision. If anyone knows how to flash the firmware on a w60b, let me know.

      1. Thanks Russ!

        Disconnected base from broadband, performed hard reset, logged in with defaults and disabled auto provisioning.

        All working so far.

        Thanks

      2. Thanks Russ!

        Your approach worked for BTā€™s Yealink W70B base unit and W73H handset.

        Some notes for any other people trying to ā€˜factoryā€™ reset their BT provided W70B.
        a) Get your base unitā€™s IP address from your Smart Hub.
        b) Check you can access the base unitā€™s Web GUI via itā€™s IP.
        c) Unplug the Smart Hub 2ā€™s WAN port.
        Disconnecting the base unitā€™s internet connectivity is required, as the base unit will attempt to auto provision / reconfigure to BTā€™s Cloud Voice Express service on power etc, even after a factory reset (without disabling auto provisioning first).
        d) Factory reset the base unit by following the steps in ā€˜RemiPBXā€™s video; Factory reset your Yealink https://youtu.be/ZdLpnn8g1Pc?t=111
        e) As per video, wait the 10 minutes, then power cycle the base unit, now use the default login & password (admin admin).
        f) From the web GUI, select Settings, Auto Provision.
        g) Deselect PNP Active, DHCP Active, Power On, Repeatedly and to be sure untick the days of the week.
        h) Press confirm to save.
        i) Re-attach your WAN port.

        You should now be able to use the base station with the VOIP provider of your choice.

        Additionally contrary to BTā€™s advice (from several BT departments) you do not ā€œneedā€ or ā€œhave toā€ plug your W70B into the provided Smart Hub 2. You should be able to plug your base unit into any other internet providerā€™s router / circuit without issue.

        Please note I immediately ā€˜upgradedā€™ both the base unit & handsetā€™s firmware to the latest from Yealinkā€™s site. However without the disabling autoprovsioning steps as per g)* above, the base will still re-configure to BTā€™s Cloud Service even with Yealinkā€™s firmware (so make sure you disable autoprovisioning ASAP).

        If anyone knows how to fully restore BTā€™s provided W70B to Yealinkā€™s actual factory default to avoid the power on auto BT provisioning (even with Yealinkā€™s firmware) Iā€™d be grateful.

        Thanks again Russ & cheers.

        S Noir.

      3. BT is biggest Yealink customer and they use ZeroTouch Auto Provisioning which means they dispatch “virgin” phones to own BT clients and once it is connected it goes to Yealink RPS and based on MAC divert phone to download BT config files. This means each time you do factory reser it will via Yealink doenload BT configs. Search on internet the Broadsoft Provisioning guide and all
        is explained there as BT Cloud Voice Express platform use Broadsoft as well.

    2. Do you by change know what the provisioning server details are?
      I’d like to be able to still access the admin interface, but once I use your guide to reset the admin password, I can not use it with BT Cloud Voice anymore.

  3. Unfortunately none of the suggestions work anymore because the user/password are not as shown.
    Anyone managed to find a way in?

  4. If you need to stop it re provisioning using BT’s RPS servers – Just email Yealink support via the ticket system with proof of ownership and they will do it for you.

    1. What worked for me to disconnect ADSL modem from router whilst W60B base was factory resetting. Could then access base using ‘admim’ / ‘admin’. Disabled Remote Provisioning then reconnect ADSL modem and all is good now. I can access base station via web interface. HOWEVER, if you factory reset it will overide settings and reprovision again. I contacted Yealink with my MAC and proof of purchase and they removed my MAC from their system so hopefully no more problems with loging in.

    1. Hi,

      This post is from a few years ago and I don’t have access to the phone anymore, but I if you look in the comments, I think Russ, Chris and S Noir give advise which may help. Good luck.

  5. I had the same problem a few years ago when I bought Yealink handsets and autoprovisioned with BT Centrex/Broadsoft etc. We had users that simply wanted to change background wallpapers, or for admin to import DSSkey and other settings, but in BTs retarded wisdom during auto provision the admin password is set to a random generated password. You essentially get locked out … I wasn’t standing for that so I worked out my own work around, unlocking every single setting they had removed and changing the admin password.

    This is how I do it, I autoprovision my phones are normal. Afterwards add option 66 on my dhcp server to point to my tftp server. and reboot the phone. If option 66 is set first, auto provision will fail.

    On my tftp server I have the following config y000000000035.cfg

    y000000000035.cfg – this is specific to a T48G there are loads of different names, to find out your needed name when your tftp server is running check the log and it shows what files the phone is looking for during boot, many cases simply have a config file with the mac address.cfg if enough

    In my y000000000035.cfg below is my config I wrote many years ago but still works fine (tested this morning)

    #!version:1.0.0.1
    ## the file header “#!version:1.0.0.1” can not be edited or deleted. ##

    #######################################################################################
    ## Change Admin Password ##
    #######################################################################################

    #security.user_name.admin = admin
    #security.var_enable = 1
    security.user_password = admin:admin

    #######################################################################################
    ## Enable Busy Lamp ##
    #######################################################################################

    features.blf_led_mode = 0

    #######################################################################################
    ## Auto Provision Setup ##
    #######################################################################################

    auto_provision.power_on = 0
    auto_provision.weekly.enable = 0

    #######################################################################################
    ## Local Directory Setup ##
    #######################################################################################

    local_contact.image.url =tftp:///photo.tar
    local_contact.data.url =tftp:///contact.xml

    #######################################################################################
    ## This is used to restrict menu access ##
    ## a Blank File will overwirte all BT ##
    ## Restrictions ##
    #######################################################################################

    web_item_level.url = tftp://10.10.95.57/WebItemslevel.cfg

    So in my example, I change the admin password to admin, ofc you can write anything, I set BLF to 0, because for some reason BT set this to 1 which doesn’t show the correct presence lights. I then upload some contacts with a picture next to each one (contained in photo.tar). I also disabled auto provision afterwards, just incase it tries to lock settings again.

    The final setting I have in a file called WebItemslevel.cfg and in that I have the following

    [Account]
    Account-Adv = 0

    What this does is lock every single settings that BT decided to lock or hide from the web interface for each phone.

    And that’s it, the phone will auto reboot after making these changes and everything will be unlock.

    Ofc you can set even more settings from the cfg, I also set things like line keys numbers and names, you can also set custom wallpapers and screen savers

    screensaver.upload_url = tftp:///JB_Wallpaper.png
    screensaver.wait_time = 600
    screensaver.type = 1
    wallpaper_upload.url = tftp:///JB_Wallpaper.png
    phone_setting.backgrounds = JB_Wallpaper.png

    lastly the tftp server I use is tftpd64

    A side note BT install a non standard firmware onto the phone, you can overwrite this with an official Yealink firmware, but then you can’t use autoprovision and after to manually set up the device. Which is easy but can be a ball ache, especially if you supplier has limited visibility of certain settings.

  6. Hi, does anyone know an updated way to access the web interface of W70B ? I need to access API to grab caller id information when new calls received, If anyone knows please ping me I would pay for the solution as well if need it, I need to find solution urgently šŸ™

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.