Comment by ninjin - Hacker Neue

ninjin Jun 10, 2022 parent

Happy SIP user for nearly twenty years, which allows me to bridge three countries. Currently using baresip [1] and finding it to be remarkably reliable, but is there any hardware phone out there that I can put on my desk? Or is the sane thing to do to get a handset and hook it up to a computer via say USB? I have tried at least twice over the years to gain some clarity on these questions, but maybe I am using the wrong search terms?

[1]: https://github.com/baresip/baresip

F00Fbug Jun 10, 2022

Polycom phones are really great... I deployed VOIP for my employer some years ago and put in about 40 Polycom devices in 4 states. They're not cheap, but full featured and very well made.

You could also get an ATA (https://www.amazon.com/Grandstream-HT801-Single-Port-Telepho...) and plug a traditional phone into it. I used one of these at home for a long time. Just realized it's still plugged in an running and I threw out my last analog phone over a year ago!!!

Terry_Roll Jun 10, 2022

And ATA's are an excellent backdoor into computer networks because the caller ID uses an old dialup modem protocol...

ninjin OP Jun 10, 2022

A big thank you to everyone responding with information, apologies for responding only here. It looks like there is indeed still a lot for me to learn, but now I have some pointers. I have been meaning to get my hands dirty with SIP for some time, dreaming of a setup with multiple accounts and control over things like when each account allows incoming calls, etc. But, as Terry_Roll indicated, there seems to be plenty of security considerations as well which makes me somewhat uncomfortable.

Also found the /r/VOIP subreddit [1] which has plenty of reading.

[1]: https://teddit.net/r/VOIP

Nextgrid Jun 10, 2022

Could you elaborate? What's the attack vector here?

Terry_Roll Jun 11, 2022

You have a device that is capable of handling the caller ID standard which passes data using the v23 dial up protocol. https://en.wikipedia.org/wiki/Caller_ID#Regional_differences

Can you remotely update firmware on modems?

Some devices can be updated remotely as these helpful guides explain. https://www.draytek.co.uk/support/guides/fw-remote https://www.ewon.biz/technical-support/pages/firmware/modem-...

So can a specially crafted string from the phone line be used to update firmware on ATA's? If they can handle v23 protocols for Caller ID, this indicates some modem capabilities does it not? So can the device differentiate which interfaces the commands are coming in on?

Why do people implicitly trust the telco's? Here in the UK, if you can get fast broadband, basically anything above ADSL2+, you'll be connected to a Broadcom cabinet. Broadcom have their bugs as well, you can find them on their website, but its a less common attack vector because its not public facing as such, unlike calling a business on their freephone number and then getting a second dial tone like in the old days of phone phreaking.

TLDR is just look at these devices as circuit boards, convention can be used to hide attack vectors and whilst the circuit design can help make a device secure, the easier or more convenient it is to update a device, the easier it is to hack, its not like taking a EEPROM out to blank under UV light and re flash it, is it?

TMSZ Jun 12, 2022

V.23 FSK is just the name of modulation. You can have CLIP receiver as separate IC (https://www.microsemi.com/product-directory/caller-id/4305-m...) or as some DFT code with Goertzel algorithm with maybe 0.1 MIPS DSP budget allowed. No sane person would add full modem capabilities to this.

That said, PABXs I worked with have built-in software modems (both POTS and ISDN, needs to be explicitely enabled) with remote management capability and there is also dedicated web portal for management even if device is behind NAT (paid feature). Whether you want to trust hardware/software you have no control of - that's another story. For "big" PABXs partnership between manufacturer and installers usually lasts for years.

TMSZ Jun 12, 2022

There are some USB "phones" - basically composite USB devices with audio and HID, where HID is used to handle keypad and display (if present). I'm using very cheap EX-03 "Skype" phone: https://tomeko.net/software/SIPclient/EX03.php but similar devices are also made by big brands, they are just more expensive (Polycom CX300, Plantronics Calisto, Yealink MP50 maybe?) and probably undocumented.

js2 Jun 10, 2022

If I understand what you're asking, I use an Obihai VoIP adapter so I can use any old phone, but there are also a variety of IP phones from Cisco, Obihai, etc.

nikau Jun 11, 2022

If you dont care about warranty you can pick up cisco voip phones dirt cheap on ebay.

A cisco 7940 is rock solid and go for around 10 dollars, the only caveat is you will need a poe switch for 48 volt power and a custom cable as they use nonstandard voltage pinout.

TMSZ Jun 12, 2022

The other caveat is that time spent configuring, troubleshooting and later maintaining them would be worth much more than 10 dollars. Their use is discouraged by many SIP providers (https://teamhelp.sipgate.co.uk/hc/en-gb/articles/204210961-C...) and they have multiple issues not obvious at first glance, like limited character set for Display Name. This might be worth though for 100+ phones in a single location.

anderiv Jun 10, 2022

There are tons of SIP-compatible phones out there. If all you need is access to a single SIP account, the Grandstream GXP1610 is very inexpensive (~$40 US) and will do the trick. They also have more expensive models that support SIP accounts.

Nextgrid Jun 10, 2022

Most business-grade desk phones support SIP.

anderiv Jun 10, 2022

This is true. I will give the caveat, though, that some of these are vendor-locked. Meaning: you can't easily use them with 3rd party SIP providers.

So, just be aware of this and do your homework on specific brands/models before purchasing to ensure you'll get something that will work for you.

This item has no comments currently.

Preferences

Keyboard Shortcuts

Story Lists

Navigation

Miscellaneous