Geekzone: technology news, blogs, forums




9 posts

Wannabe Geek


Topic # 185808 6-Dec-2015 18:57

Hi all,

My friend who is using Fibre at home just gave me their Vodafone provided HG659 router and I noticed there is a major potential security problem on the VoIP setting somewhere.

What happens is I was trying to use it as a standalone AP but failed as described in
http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=185148

So, I also upgraded its firmware to the latest, i.e. this one as well as reset the router to factory default several times
http://help.vodafone.co.nz/app/answers/detail/a_id/24400/

Since I failed to make it work as a standalone AP by having HG659's WAN port connected to the LAN port of my internet connected router, I decided to connect the HG659 router's WAN port directly to the Fibre modem. Not surprisingly, HG659 acquires internet access this way.

However, once it is internet connected, it also manages to download VoIP configurations from somewhere and its VoIP light is green, i.e. the VoIP setting is successfully registered and working. Inspection of the router's VoIP page shows my friend's home number is showing on the VoIP page.

The point is I have already reset the router to factory default and also upgraded its firmware, so there is no way the VoIP settings are coming from the router. I am 100% sure the VoIP page is blank before the HG659 router is connected to internet. In fact, I had tested this at least twice and I am 100% sure the setting magically appears by itself.

I have also checked with my friend who said their Vodafone fibre account is cancelled and they are now using Spark instead.

Does anyone know what is going on with the HG659 router? Or do you know how to stop this?
It seems that the router is downloading VoIP settings from Vodafone or similar...

This is a security problem and has great potential to cause problems to those who sold their unused HG659 routers because someone else now has full access to their landline home phone. (There are plenty of people selling Vodafone provided HG659 routers on trademe....)

4429 posts

Uber Geek
+1 received by user: 1256


  Reply # 1441484 6-Dec-2015 19:01
5 people support this post

So it's a Vodafone router that has Vodafone firmware, and is auto provisioning from Vodafone? That's normal behaviour for Vodafone supplied hardware, not a security flaw.

Its MAC address will be tied to the account that Vodafone mailed it out to when new.



9 posts

Wannabe Geek


  Reply # 1441488 6-Dec-2015 19:10

RunningMan: So it's a Vodafone router that has Vodafone firmware, and is auto provisioning from Vodafone? That's normal behaviour for Vodafone supplied hardware, not a security flaw.

Its MAC address will be tied to the account that Vodafone mailed it out to when new.


The point is why Vodafone didn't stop the "auto provisioning" when that internet/phone account is already closed with them?

 
 
 
 


25575 posts

Uber Geek
+1 received by user: 5353

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1441491 6-Dec-2015 19:19
2 people support this post

The hardware remains the property of Vodafone.

This particular issue has been discussed numerous times on here and elsewhere. The fact it's well known and Vodafone are fully aware of this suggests nothing will change with their processes.



934 posts

Ultimate Geek
+1 received by user: 179


  Reply # 1441492 6-Dec-2015 19:30

It is possible to de-register the modem through their portal.

More details here:
http://www.geekzone.co.nz/forums.asp?forumid=40&topicid=138038&page_no=2#954066



9 posts

Wannabe Geek


  Reply # 1441497 6-Dec-2015 19:53

yitz: It is possible to de-register the modem through their portal.

More details here:
http://www.geekzone.co.nz/forums.asp?forumid=40&topicid=138038&page_no=2#954066


Thanks... I didn't know this was previously discussed here.

Vodafone really should just remove the router from auto provision automatically when the account is closed or similar. This is obviously Vodafone's laziness in failing to warn customers and failing to remove the account when people expect them to do the right thing.

What happens if the account is closed and it is no longer possible to login to the Vodafone account?
The link says one needs to login to the account. I see a post earlier in the thread says to call Vodafone; which departments handle this?

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 1441574 6-Dec-2015 21:40

0800 438448

714 posts

Ultimate Geek
+1 received by user: 322

Trusted

  Reply # 1442180 7-Dec-2015 16:32

ericwong: ... My friend who is using Fibre at home just gave me their Vodafone provided HG659 .. said their Vodafone fibre account is cancelled
It seems that the router is downloading VoIP settings from Vodafone or similar... This is a security problem and has great potential to cause problems to those who sold their unused HG659 routers because someone else now has full access to their landline home phone....


Yeah, our modems automatically download their settings. This is working as designed. We have serial numbers associated with logins and SIP details. VoIP users need to use the modem we provide them for their phone line to work. If the account is closed you won't be able to make calls from that SIP line. The customer can log in to My Vodafone to disable automatic provisioning for devices, or call through to our team on 0800 438 448 and they can do it too.

sbiddle: The hardware remains the property of Vodafone.

The cable modems do but not the HG659 and other ADSL etc. modems.

1965 posts

Uber Geek
+1 received by user: 628

Subscriber

  Reply # 1449400 12-Dec-2015 22:10

Equivalent thing happened to me. Except it was with Snap. My parents wanted to sign up but didn't want to pay for a Fritzbox. So I gave them my 7360 that I wasn't using. They plugged it in and said that internet was working but not phone. It turned out it had auto configured with all my details, and they were using the net through my account. Had to phone Snap and get them to transfer the Fritzbox to the parents' account.

And 1 month after that was when Snap rebranded to 2degrees, meaning they would have gotten a free Fritzbox anyway.





2067 posts

Uber Geek
+1 received by user: 617

Subscriber

  Reply # 1449518 13-Dec-2015 04:01

If it's that much of an issue put the Spark firmware on it. 



9 posts

Wannabe Geek


  Reply # 1449580 13-Dec-2015 10:36

lxsw20: If it's that much of an issue put the Spark firmware on it. 

Good idea.. will do that if I can't get it solved in the limited time frame I have but this can't stop someone reflashing it back to Vodafone firmware and it might cause problems.

Guess what, the landline phone number is now confirmed to be with Spark and working as expected now but Vodafone also confirmed the same phone number is "active" with them too. As an independent check, the Vodafone router is still able to retrieve VoIP details automatically when connected to the Vodafone network, it is able to login and it shows the landline number as active and online.

I don't understand how a single phone number can be active with two different providers at the same time.
It simply does not make any sense... Anyone have similar experience?

3159 posts

Uber Geek
+1 received by user: 975

Subscriber

  Reply # 1449676 13-Dec-2015 14:42
One person supports this post

ericwong:
lxsw20: If it's that much of an issue put the Spark firmware on it. 

Good idea.. will do that if I can't get it solved in the limited time frame I have but this can't stop someone reflashing it back to Vodafone firmware and it might cause problems.

Guess what, the landline phone number is now confirmed to be with Spark and working as expected now but Vodafone also confirmed the same phone number is "active" with them too. As an independent check, the Vodafone router is still able to retrieve VoIP details automatically when connected to the Vodafone network, it is able to login and it shows the landline number as active and online.

I don't understand how a single phone number can be active with two different providers at the same time.
It simply does not make any sense... Anyone have similar experience?


Vodafone will just have the VoIP account still active on their server - this doesn't mean it will actually receive calls.

If the number has been ported to Spark then the routing tables will have been updated to direct calls to the new condition allowing the "new" number to receive calls.



9 posts

Wannabe Geek


  Reply # 1450207 14-Dec-2015 15:42

 
Vodafone will just have the VoIP account still active on their server - this doesn't mean it will actually receive calls.

If the number has been ported to Spark then the routing tables will have been updated to direct calls to the new condition allowing the "new" number to receive calls.


Vodafone do mean they have the landline number still active on their end while it is also active with Spark. Vodafone also said they did not receive any requests (incl porting) from Spark (or anywhere else), this means the number will not be automatically removed at all.

The only way this is resolved is to ask Vodafone to cancel/remove the landline number on their end. Something that shouldn't be required.

FYI, this issue has taken me at least 5 separate phone calls plus a complaint to Vodafone. (Yes, there are additional calls made to Spark too...)
