Title: Uniden UIP1868P (VoIP phone/gateway) default easy-to-guess
password vulnerability

Author: pagvac (Adrian Pastor)

Date found: January 2006

Vendor contacted: Yes (no response received)

Description:

By default the web admin interface uses a password with a value equals
to "admin" (without quotation marks). Also, there is *no* username
required! *Only* password is required! This means that the security of
the device ultimately relies on knowing one string of characters,
rather than two (username/password).

The interesting thing about this device is that it's a VoIP (SIP
based) phone which can be configured as a client as well as a
gateway/router. There is sensitive information which you can obtain
from the admin interface such as the last 10 incoming/outgoing
phonecalls and the IP address/port of the SIP server which the gateway
connects to.

Some useful features include voicemail service and the possibility to
use the gateway from a wireless phone. It supports up to 10 wireless
handsets so you can make your VoIP phonecalls from anywhere in your
room. I haven't actually tested how feasible it would be for an
attacker who could pick up your wifi signal (your neighbor for
instance) to connect to the UIP1868P gateway and make phonecalls of
the victim's expense.

Let's consider the following scenario:

- user owns a UIP1868P VoIP gateway
- user uses cordless wifi phone which makes phonecalls through the UIP1868P
- user's wifi LAN *isn't* protected with encryption (WEP or WPA for instance)

Some questions to consider are:

- assuming that an attacker can detect the radio waves, could he/she
make phonecalls on the victim's expense using the same wifi cordless
phone model?
- could the attacker do the same thing by using a software client
which would emulate the wifi cordless phone?


The VoIP service for this device is provided by Packet8
(www.packet8.net), which requires users to have a registered account.

The device itself is manufactured by Uniden (www.uniden.com).

I considered the possibility of obtaining the victim's Uniden account
details by saving the configuration file from the web interface of the
UIP1868P gateway and then connect to the server  (the IP address/port
is provided by the web interface as I said before) using the "stolen"
credentials. However, I didn't find any "save config file" feature
available on the admin interface while performing my tests.

Once admin access to this VoIP phone/gateway is obtained, the device
becomes vulnerable to the same attacks as regular routers would after
being compromised:

- placing internal hosts (internal IP address can be obtained from
DHCP table) on the DMZ, thus exposing them to the Internet
- setting up port-forwarding to internal hosts
- shutting down/resetting the device (DoS attack)

Any of the first two attacks would make portscanning and exploitation
against internal hosts possible. However, both of these attacks only
apply in cases in which the UIP1868P is being used as a gateway
(Internet router)


References:

http://www.ikwt.com/projects/Uniden.UIP1868P.txt
http://www.google.com/search?q=UIP1868P&num=100
http://www.packet8.net/about/UIP1868PUIguide_final.pdf
http://www.packet8.net/support/faqs/docs/Router_config_guide_final.pdf
http://www.packet8.net/about/UIP1868P_user_manual052405.pdf
http://www.uniden.com/pdf/UIP1868Pug.pdf
http://www.smarthome.com/manuals/9624p_User_Interface_Guide.pdf