Title: Uniden UIP1868P (VoIP phone/gateway) default easy-to-guess password vulnerability
Author: pagvac (Adrian Pastor)
Date found: January 2006
Vendor contacted: Yes (no response received)

Description:

By default the web admin interface uses a password equal to "admin" (without quotation marks). Also, there is *no* username required! *Only* a password is required! This means that the security of the device ultimately relies on knowing one string of characters, rather than two (username/password).

The interesting thing about this device is that it's a VoIP (SIP based) phone which can be configured as a client as well as a gateway/router. There is sensitive information which you can obtain from the admin interface, such as the last 10 incoming/outgoing phone calls and the IP address/port of the SIP server which the gateway connects to.

Some useful features include a voicemail service and the possibility to use the gateway from a wireless phone. It supports up to 10 wireless handsets, so you can make your VoIP phone calls from anywhere in your room. I haven't actually tested how feasible it would be for an attacker who could pick up your wifi signal (your neighbor, for instance) to connect to the UIP1868P gateway and make phone calls at the victim's expense.

Let's consider the following scenario:

- user owns a UIP1868P VoIP gateway
- user uses a cordless wifi phone which makes phone calls through the UIP1868P
- user's wifi LAN *isn't* protected with encryption (WEP or WPA, for instance)

Some questions to consider are:

- assuming that an attacker can detect the radio waves, could he/she make phone calls at the victim's expense using the same wifi cordless phone model?
- could the attacker do the same thing by using a software client which would emulate the wifi cordless phone?

The VoIP service for this device is provided by Packet8 (www.packet8.net), which requires users to have a registered account. The device itself is manufactured by Uniden (www.uniden.com).
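The practical consequence of a password-only login with a vendor default is that the owner should verify, after changing the password, that the default is actually rejected. The following owner-side audit is an added example and is not part of the original advisory; the advisory does not document the device's login URL or form field name, so LOGIN_PATH and PASSWORD_FIELD are placeholders, and a small constructed mock HTTP server stands in for the device so the check runs offline. Only the single documented default value is tried; the check is a configuration test for a device you administer, not a guessing loop.

```python
"""Audit a password-only web admin login for the vendor default password.

Added example (not the advisory's or Uniden's code). The real UIP1868P
login mechanics are not given in the advisory: LOGIN_PATH and
PASSWORD_FIELD below are placeholders, and MockUip is a constructed stand-in
for the device so the audit can be exercised offline.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_PASSWORD = "admin"   # the default documented in the advisory
LOGIN_PATH = "/login"        # placeholder: real path not given on the page
PASSWORD_FIELD = "password"  # placeholder: real field name not given on the page


def make_handler(accepted_password):
    """Build a mock of a password-only admin login (no username field at all)."""

    class MockUip(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            form = urllib.parse.parse_qs(self.rfile.read(length).decode())
            supplied = form.get(PASSWORD_FIELD, [""])[0]
            ok = self.path == LOGIN_PATH and supplied == accepted_password
            self.send_response(200 if ok else 401)
            self.end_headers()
            self.wfile.write(b"admin page" if ok else b"denied")

        def log_message(self, *args):  # keep the mock quiet
            pass

    return MockUip


def start_mock(accepted_password):
    """Start a mock device on a random loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(accepted_password))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def accepts_default_password(base_url, timeout=5):
    """True if the admin interface grants access with the vendor default.

    Only the single documented default is submitted. A network error
    (device unreachable) propagates rather than being reported as a pass.
    """
    data = urllib.parse.urlencode({PASSWORD_FIELD: DEFAULT_PASSWORD}).encode()
    req = urllib.request.Request(base_url + LOGIN_PATH, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 401 or similar: default rejected


def audit(base_url):
    """One-line verdict for the device at base_url."""
    if accepts_default_password(base_url):
        return "FAIL: admin interface still accepts the vendor default password"
    return "PASS: vendor default password rejected"


if __name__ == "__main__":
    # Two mocks: one still on the factory default, one with a changed password.
    for srv in (start_mock("admin"), start_mock("changed-by-owner")):
        print(audit(f"http://127.0.0.1:{srv.server_address[1]}"))
        srv.shutdown()
```

Run it as-is to see a FAIL verdict for the mock still on the default and a PASS for the mock with a changed password; to audit a real device, point base_url at its admin interface and replace the two placeholders with the values from the device's own login form.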
I considered the possibility of obtaining the victim's Uniden account details by saving the configuration file from the web interface of the UIP1868P gateway and then connecting to the server (the IP address/port is provided by the web interface, as I said before) using the "stolen" credentials. However, I didn't find any "save config file" feature available on the admin interface while performing my tests.

Once admin access to this VoIP phone/gateway is obtained, the device becomes vulnerable to the same attacks as regular routers would after being compromised:

- placing internal hosts (internal IP addresses can be obtained from the DHCP table) on the DMZ, thus exposing them to the Internet
- setting up port-forwarding to internal hosts
- shutting down/resetting the device (DoS attack)

Either of the first two attacks would make portscanning and exploitation against internal hosts possible. However, both of these attacks only apply in cases in which the UIP1868P is being used as a gateway (Internet router).

References:

http://www.ikwt.com/projects/Uniden.UIP1868P.txt
http://www.google.com/search?q=UIP1868P&num=100
http://www.packet8.net/about/UIP1868PUIguide_final.pdf
http://www.packet8.net/support/faqs/docs/Router_config_guide_final.pdf
http://www.packet8.net/about/UIP1868P_user_manual052405.pdf
http://www.uniden.com/pdf/UIP1868Pug.pdf
http://www.smarthome.com/manuals/9624p_User_Interface_Guide.pdf