Vonage® VoIP Forum - Vonage News, Reviews And Discussion » Vonage Forum Archive

jklarfeld
New Forum Member
Joined: May 21, 2006
Posts: 3

Posted: Tue Aug 08, 2006 6:18 am    Post subject: Security Problems with RTP300 and WRTP54G routers

Has anyone contacted Vonage about the security problems the Cisco/Linksys routers have, as reported in CNN?

My first contact with Vonage was negative. They do not seem to show any knowledge of the problem. Vonage provided us with the RTP300.

I'll keep pushing on them.

Has anyone heard of Vonage fixing the security problems with the routers they sold us?

CNN article:

Routers faulted

Another security professional showed how people can have their phone numbers hijacked when using certain types of equipment that route calls over the Internet.

The research, from Arias Hung, a security professional with Media Access Guard in Seattle, showed how to control the inner workings of Internet phone routers made by Linksys, which is owned by Cisco Systems Inc.

Once the routers are accessed, a person can change the device's so-called media access control address, which acts as a serial number that Internet phone providers such as Vonage Holdings Corp. use to verify the identity of customers.

A person exploiting the flaw could intercept calls made to a legitimate Vonage user and make calls that would appear to come from the user's phone number.

"The service providers should be very concerned," Hung said. "The general consumer should stay away from this router," he said, referring to two models that Linksys designates the WRTP54G and the RTP300.

Cisco spokeswoman Molly Ford said she could not immediately comment on Hung's research.

NateHoy
Vonage Forum MVM
Joined: Nov 01, 2005
Posts: 2257
Location: New England

Posted: Tue Aug 08, 2006 7:03 am

Interesting.

The article is very sketchy, as are all the other articles on the issue, but it appears that they are saying that the device can be cracked when in your possession and the MAC address changed. This is true of all routers. The MAC address is stored in NVRAM, with a factory default, and if you managed to load aftermarket firmware into a WRTP54G or RTP300, you could very likely change its MAC address.

If this concerns you, you should also be aware that many cell phones can be "cloned" in a similar fashion.

Of course, in addition to the MAC address, Vonage also uses a username and password which is not provided to the end user. So, in addition to cracking the device and spoofing a MAC address, the thief would need that username and password.

The thief could get this, but only by monitoring your Internet connection and capturing packets (or by gaining access to your router, which could be physical access or remote, if you are foolish enough to enable remote administration and use a simple username/password combination, which is NOT the factory default setting).

If said thief is watching your network, they already have all of your email and any unencrypted passwords you put on web sites. Making unauthorized calls on your Vonage line might be the least of your worries then.

Then, of course, there's the fact that they'd need some form of physical access to monitor your network, or a really poorly configured router that allows detailed logging to be sent remotely (which the Linksys/Vonage routers are not even capable of).

Again, I'd love to see more details on this research, and a description of how it is done. I know how to extract the MAC address and username/password of the RTP300/WRTP54G if I had physical access to one, and I know how to alter it if I wanted to, but gaining remote access to one so I can clone it? Not in the default factory setting, and not using any method I've ever heard of even if the user opens the device up to me remotely. Admittedly I'm not the sharpest knife in the drawer, but the news media also love to make a splash with a partially-informed article here and there blown out of proportion ;)

_________________
Comcast Cable (3m down / 256k up) -> Linksys BEFCMU10 v2 (DOCSIS 1.0) -> WRT54G v4 ("Tomato" firmware) -> the rest of my network including a WRTP54G (Firmware: 5.01.04)
My Vonage Self-Help Guides: http://vonage.nmhoy.net

scerruti
Vonage Forum MVM
Joined: Feb 05, 2005
Posts: 1424
Location: Carlsbad, CA (finally)

Posted: Tue Aug 08, 2006 12:58 pm

In the thread we started Sunday on this topic I address some additional specific limitations of this attack and post a link to the abstract of the presentation made by Arias Hung at DefCon.

I was not aware of the username/password settings in the routers described by NateHoy and to some extent question their existence. If there is a password in there, where did it come from? If it came from Vonage in the first place, then wouldn't impersonating another router and forcing a download of the configuration result in obtaining that username and password?

So, I don't believe, at this time, your network would necessarily need to be monitored to have your phone number hijacked.

_________________
Stephen P. Cerruti (ISP: TWC)

NateHoy
Vonage Forum MVM
Joined: Nov 01, 2005
Posts: 2257
Location: New England

Posted: Tue Aug 08, 2006 2:05 pm

I look forward to hearing more about the presentation. Since both the abstract and the (possibly sensationalized) CNN report are sketchy at best, and lacking in any detail, I can't fully analyze the threat. Plus the fact that, though I've read instructions on cracking the WRTP54G and RTP300 and I know it's not terribly hard to do, it's not something I'm ready to do with my factory device (I depend on my line, so losing it through a TOS violation is not a risk I want to take at this time). (grin)

However, a few points:

1. The MAC address that Vonage gets is not the same MAC address that is reported to, say, your ISP. MAC address spoofing is available on the GUI interface, but of course Vonage is not "fooled" by it. The MAC address also survives a factory reset, meaning it is stored "deeper" than NVRAM, which would be wiped on a factory reset.

2. While 1.00.60 is available as open source, it does not include a lot of the code, including the Vonage communication code, the wireless drivers, and a few others. Those chunks are provided as binaries that get compiled into the In order to load aftermarket firmware onto these devices, you have to make note of your Vonage SIP username and password, which are stored on the device. The reason for this (as explained on the hacker sites) is that you need to prevent the router from talking to Vonage to get new config files or firmware.

Now, given #1 and #2, it is possible that Vonage's code to load the config file is capable of reading the real MAC address off the ethernet board, and not the one in NVRAM, and since that communications code is not open-sourced, spoofing that seems like a non-trivial task.

Even if, as is likely, the username and password are downloaded from Vonage in the form of the config update, I'd have to see a lot more detail from this presentation to say this is a threat.

Perhaps that's exactly what Arias Hung has done, and if so I agree it's a threat. The cell companies have many of the same issues. Vonage will have a tough row to hoe if this is a real threat, since they can't fix it in firmware without changing the way their servers talk to the RTP300/WRTP54G devices at the same time, since leaving the communications compatible with the current firmware means the vulnerability is still there.

Another oddity, of course, is that the customer is going to notice the theft fairly soon. Vonage is pretty good about only talking to a particular account via one device/IP address, as we've seen from several people who have successfully set up 2 or more devices on a single account. If one Vonage device at one IP address is logged in to the account, the second one will drop. Now, of course, given the quality of the RTP300/WRTP54G devices, maybe someone would half expect their LINE1 light to be out a lot, and would expect to be unable to dial out frequently, but I doubt it. ;)

_________________
Comcast Cable (3m down / 256k up) -> Linksys BEFCMU10 v2 (DOCSIS 1.0) -> WRT54G v4 ("Tomato" firmware) -> the rest of my network including a WRTP54G (Firmware: 5.01.04)
My Vonage Self-Help Guides: http://vonage.nmhoy.net

dconnor
Site Admin
Joined: Mar 05, 2003
Posts: 2263
Location: The Beach

Posted: Tue Aug 08, 2006 2:09 pm

This topic is being discussed HERE

_________________
Have Questions? Need to speak to Vonage before signing up?
Call: 1-888-692-8074
Both Business and Residential customers can call and speak to a Vonage Sales Rep 24 hours a day.
All times are GMT - 5 Hours

www.vonage-forum.com is not an official Vonage support website & is independently operated.
All logos and trademarks are property of their respective owners. All comments are property of their posters.
All other www.vonage-forum.com content is © Copyright 2002 - 2013 by 4Sight Media LLC.
