Vonage® VoIP Forum - Vonage News, Reviews And Discussion » Vonage V-Phone & SoftPhone
ehansen
New Forum Member
Joined: Dec 27, 2004
Posts: 8
Location: Chicago Illinois

Posted: Thu Mar 17, 2005 10:25 pm

It is kind of like a gumball machine. You can knock the whole thing down and break the glass and get all the gumballs out. That kind of defeats the purpose.

Or you can realize that 5 cents for a nice sized great tasting gumball will always be there every time you pass that machine.

I think the best thing to do is to get the gumball machine priced right and everyone benefits.

No.....

Eric
peterwemm
Full Forum Member
Joined: Apr 15, 2004
Posts: 42
Location: Danville, CA, US

Posted: Fri Mar 18, 2005 12:34 am

paul248: Those MD5 hashes are the key. The problem is that they are some sort of challenge/response system and we don't know the secrets.

As an example of how this sort of thing typically works, something like this would happen.

Server: Generates a token (random chunk of data, serial number, something)

Client: connects to server, and the server tells the client what the challenge (token) is. With things like apop, the challenge is the msgid-like string at login. With ppp-chap it is explicitly passed through. I don't know enough about the SIP handshake to say what happens here.

Client: takes token from server, and the secret ("password") which is stored internally in the device. The client then hashes the combination of token and client secret, and passes the MD5 string to the server.

Server: does the same hash operation on the token and what it expects the client to have as the secret. It then compares the two hash values. If they are the same, then the client has proved its identity.

And that is the hard part. The hash is (essentially) irreversible. We will not know what the challenge token will be in advance, it is different each time the client connects. We don't know the secret (password) stored on the client.

We can see the hash each time, but that doesn't help us at all for figuring out the secret password. And we can't reuse the MD5 hash each time, because the server is (or had better be!) using a new challenge token each time.

Of course, the hash can be brute forced and you can try permutations of all possible secrets, but that takes a lot of horsepower. It might be easier to physically attack the device and download the eeprom contents.

If you want to know how hard the secret will be to crack, you might look at existing softphone account passwords. They probably are generated with the same algorithm so you can see how long they might be, what character sets are used, etc.

The interesting weakness in this simple system is that it is completely vulnerable to a man-in-the-middle attack. You can proxy the tokens and responses and neither end will be aware of the computer in the middle.

Anyway, this is not particularly useful to know because you need to figure out how to get the ATA into handshaking mode in order to abuse it to calculate the responses for you. There are so many problems waiting there that it is probably going to be simpler to physically attack the device.

Of course, this is all well into Terms Of Service violation territory if you're a Vonage customer and you could find yourself in hot water.

Interesting thought.. If you are not a Vonage customer and go to a retail store and buy one of the locked retail kits, you haven't yet agreed to the terms of service that you are normally forced to agree to when you activate an account... There isn't even a shrink-wrap license notice on the outside of the box... And the TOS hardcopy inside the box says that "by activating the service, you agree ....." - so in theory if you're not a subscriber, you can do whatever you'd like with it.

It is just a matter of time before somebody pops open a box, extracts the keys and writes a decent sip client emulator that proxies the connections. Sooner or later, somebody will do it and all hell will break loose.

If I was Vonage, I'd be thinking about heading off that scenario by removing the incentives, i.e. providing what their customers want. The attitude of "This is what we provide and you WILL like it!" is part of the reason why people hate their local telcos and why Vonage gets a foot in the door. Finding the same attitudes at the "alternative" is a big let down. Price isn't everything.

_________________
Vonage customer since March 2004. Customer of just about every other Voip provider out there too.
Asterisk PBX software, using Vonage softphone. ATA VT1005, rarely used.
ISP: Comcast (8M down, 768K up) *and* Sonic.net ADSL (1.5M down, 384K up) for Voip
ehansen
New Forum Member
Joined: Dec 27, 2004
Posts: 8
Location: Chicago Illinois

Posted: Fri Mar 18, 2005 7:09 am

Remember, I'm first in line.. Very Happy

Eric
peterwemm
Full Forum Member
Joined: Apr 15, 2004
Posts: 42
Location: Danville, CA, US

Posted: Sat Mar 19, 2005 4:38 pm

Actually, I wonder how long this would take if there was a bounty? I have the means (SMD rework station, TSOP-40 eprom/flash reader/writer, etc), but am still bound by the ToS, so I can't participate. And besides, I don't have the time nor the inclination.

The folks that discovered the weakness in the Tivo security system went public for a $5000 bounty. I'm annoyed enough at the stupidity of the current situation that I'd be tempted to contribute $500 or $1000 to a bounty (run by somebody else) for some enterprising individual to extract the keys and passwords from the locked PAP2 flash. All they need is to go and buy a box from Staples/CompUSA/etc and not activate it so that they are not bound by the ToS. (Recall that you only agree to the ToS restrictions by activating service!)

To what end? That information would go a long way towards what would be needed to write a SIP proxy that would look/feel like a PAP2 as far as Vonage was concerned. The keys would enable decrypting the configuration download so that you could have the PAP2 simulator connect to the Vonage service and then you could use your own IP phone or softphone or whatever to connect to the simulator. Vonage would likely never even notice unless you called up tech support. Remember that the only access that Vonage have to the box is via SIP, the box fetches its configuration from the net. There's no snmp or http or anything else to worry about.

The beauty of that is that it wouldn't cost Vonage a cent, and won't deprive them of any income. It would work exactly like a current ATA does except with better sound quality by eliminating the analog leg.

Vonage: remember that we don't want a bigger, badder telco! Your list of 'we could, but won't do that' is rivalling the incumbent telcos! Price doesn't make up for being so pig-headed, especially when there are cheaper alternatives that *do* have the flexibility!

aust
New Forum Member
Joined: Dec 01, 2004
Posts: 1

Posted: Fri Apr 22, 2005 6:53 pm    Post subject: Interesting...

Has anyone tried just using the hash that the MPA is sending Vonage as the password? Or perhaps just using a hash of your Vonage password?
I can't help but think it'd be awfully easy to get Asterisk to do what is needed...

A.
peterwemm
Full Forum Member
Joined: Apr 15, 2004
Posts: 42
Location: Danville, CA, US

Posted: Fri Apr 22, 2005 8:37 pm    Post subject: It's not that simple unfortunately...

Part of the authentication handshake is that it gives you some magic number to include in the hash calculations. So the hash result only works with that specific challenge number. And you can bet that it'll be different each time.

Each side does a hash(random number + secret), and they exchange and compare the hashes. If one side has the wrong secret, it can't generate the right hash for the given random number.

So, you either need the secret, or do a man-in-the-middle attack.

-Peter

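The challenge/response check described in peterwemm's two posts above, as an added example that is not part of the original thread and is not Vonage or ATA code. It assumes the standard SIP digest form of RFC 2617 without qop (the thread does not confirm what Vonage uses); the `Registrar` class, account name, secret and URI are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # binds the shared secret
    ha2 = md5_hex(f"{method}:{uri}")              # binds the request
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Server side (hypothetical): issues one-time challenges, checks responses.

    The check proves only that someone holding the secret computed the hash
    for this nonce. Nothing in it identifies the channel the answer arrived
    on, which is the man-in-the-middle limitation raised in the posts;
    authenticating the channel itself (for example with TLS) addresses that.
    """

    def __init__(self, realm, passwords):
        self.realm = realm
        self._passwords = dict(passwords)
        self._outstanding = set()   # nonces issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)   # unpredictable, new for every attempt
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response) -> bool:
        # A nonce is accepted once; unknown or already-used nonces fail.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        password = self._passwords.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, uri, nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    # Constructed account data, not taken from any real device or service.
    user, secret, uri = "ata-0001", "constructed-secret", "sip:example.invalid"
    reg = Registrar("example.invalid", {user: secret})

    n1 = reg.challenge()
    r1 = digest_response(user, reg.realm, secret, "REGISTER", uri, n1)
    results = {"legitimate": reg.verify(user, "REGISTER", uri, n1, r1)}

    # The same hash sent again with the same, now consumed, nonce.
    results["replay_same_nonce"] = reg.verify(user, "REGISTER", uri, n1, r1)

    # The same hash sent in answer to a fresh challenge.
    n2 = reg.challenge()
    results["replay_new_nonce"] = reg.verify(user, "REGISTER", uri, n2, r1)

    # Correct protocol, wrong secret.
    n3 = reg.challenge()
    bad = digest_response(user, reg.realm, "guess", "REGISTER", uri, n3)
    results["wrong_secret"] = reg.verify(user, "REGISTER", uri, n3, bad)
    return results
```

Calling `demo()` returns one accepted case (the legitimate response) and three rejected ones, which is the behaviour the posts describe for a server that issues a new challenge each time.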
borg
New Forum Member
Joined: Apr 23, 2005
Posts: 1

Posted: Sat Apr 23, 2005 1:33 am    Post subject: mac authentication?

Do you think they check the MAC of the ATA box?
Primus are doing that with their little D-Link gateway which uses MGCP.
So how about cloning the MAC from the ATA?
I am going to try it with both Vonage Canada and Primus. Whichever works is the system I take with me to France. I'm not paying for a crippled softphone. Part of the reason I want it is so that I can sit in a cafe and not have to pay outrageous mobile fees. Someone try this, or keep in touch. It can be done, and I don't know if they can do anything about it.
peterwemm
Full Forum Member
Joined: Apr 15, 2004
Posts: 42
Location: Danville, CA, US

Posted: Sun Apr 24, 2005 1:46 pm    Post subject: MAC?

Well, they can't really check the MAC, because the MAC isn't visible over the TCP/IP network. The only network that can see your MAC is the local ethernet network as far as your gateway or the cable modem gateway.

So cloning the MAC achieves you nothing.

The MAC is only significant because the ATA devices use it to find their configuration file on their web server. Their MAC is part of the filename. So if you switch ATA devices, then it won't find a config file prepared for it, and it won't be able to authenticate because it won't know what the secret key is.

The bad news is that the config files with the SIP secret keys are encrypted themselves. The good news is that the key to decrypt the config files is stored in the ATA itself somewhere. If you can extract the keys from the hardware, then you can (eventually) decrypt the config files and find the SIP keys. Or the client certificate, whatever it is that they use.

BTW: does anybody know what instruction set the ESS (yes, the sound card folks) use on the CPU on the Sipura/Linksys boxes? It would appear it is a DSP chip with a general purpose integer cpu core glued in. But I haven't found any obvious hints as to what core it uses.. it could be a MIPS, an ARM7 or 9, or even a small PPC core. That would have to be known in order to even get to square 1 with understanding the firmware or trying to extract keys from the hardware. It's a huge job to say the least. (Actually, I've kinda lost interest in this part. I returned the PAP2 that I wanted to unlock and bought 4 unlocked PAP2-NA's instead. I'd still love to get the keys though.)

I'm still hopeful that a man-in-the-middle proxy attack might be possible. In other words, you create a SIP proxy that fakes the Vonage SIP servers and connect your ATA to it. You could relay all the real authentication requests to it and have it calculate the responses for you. You'd probably have to have a modem to cause the ATA to initiate sessions in order to make outbound calls. Once the sessions are established you can use the clear RTP packets directly. Those don't have to go anywhere near the ATA. A plain old M.I.T.M. attack would be dramatically less work, but would be just.. nasty.. and not elegant at all. But you probably could automate it for an Asterisk server at home and hide it out of the way somewhere.

peterwemm
Full Forum Member
Joined: Apr 15, 2004
Posts: 42
Location: Danville, CA, US

Posted: Wed May 18, 2005 2:05 am    Post subject: VT1005 - there may be light...

I stumbled across some interesting information about the internals of the older Motorola ATA, the VT1000/1005. It seems there might be a possibility of adding a serial adapter to the blank spaces on the circuit board and use the integrated VxWorks debugger to read the configuration information.

This may potentially include the SIP authentication keys. Of course, there are a lot of ifs and buts. For example, it's not clear if the configuration information is in a binary or readable ASCII form.

I'll refrain from posting links, but I found it while searching for information about unlocking it. For example, I was curious if there was a backdoor like the ATA-186. So far, the information seems to suggest that it is easy to unlock the device, but it is totally useless because you need the Motorola provisioning tools to actually configure the settings. Anyway, for the cost, it's more useful to just go buy an unlocked PAP2-NA for $50-$70 on eBay or a SPA-1001 or SPA-2000 from one of the many other online retailers.

Anyway, I've found somebody who appears to be able to port my home number away from Vonage, so it might all be a moot point.

gnexus
Vonage Forum Associate
Joined: Jun 24, 2005
Posts: 20

Posted: Fri Jun 24, 2005 10:21 am    Post subject: :lol:

This thread is HILARIOUS Lol

Get a life and another provider, people.

Several other providers offer BYOD, softphone, are cheaper and provide better audio quality AND more LNP numbers.

The only real useful application to unlocking would be to refurb old Vonage routers for resale. Anything else would either be illegal or against the Terms and Conditions of the Vonage account, or both.

BTW, even if it did work Vonage blocks SIP peering on the main line. That makes most of the effort useless if you're concerned about LD or International calling.
All times are GMT - 5 Hours
www.vonage-forum.com is not an official Vonage support website & is independently operated.
All logos and trademarks are property of their respective owners. All comments are property of their posters.
All other www.vonage-forum.com content is © Copyright 2002 - 2013 by 4Sight Media LLC.