Geekzone: technology news, blogs, forums
9 posts

Wannabe Geek


Topic # 185808 6-Dec-2015 18:57

Hi all,

My friend who is using Fibre at home just gave me their Vodafone provided HG659 router and I noticed there is a major potential security problem on the VoIP setting somewhere.

What happens is I was trying to use it as a standalone AP but failed as described in
http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=185148

So, I also upgraded its firmware to the latest, i.e. this one as well as reset the router to factory default several times
http://help.vodafone.co.nz/app/answers/detail/a_id/24400/

Since I failed to make it work as a standalone AP by having the HG659's WAN port connected to the LAN port of my internet-connected router, I decided to connect the HG659 router's WAN port directly to the Fibre modem. Not surprisingly, the HG659 acquires internet access this way.

However, once it is internet connected, it also manages to download VoIP configurations from somewhere and its VoIP light is green, i.e. the VoIP setting is successfully registered and working. Inspection of the router's VoIP page shows my friend's home number is showing on the VoIP page.

The point is I have already reset the router to factory default and also upgraded its firmware, so there is no way the VoIP settings are coming from the router. I am 100% sure the VoIP page is blank before the HG659 router is connected to the internet. In fact, I had tested this at least twice and I am 100% sure the setting magically appears by itself.

I have also checked with my Friend who said their Vodafone fibre account is cancelled and they are now using Spark instead.

Does anyone know what is going on with the HG659 router? Or do you know how to stop this?
It seems that the router is downloading VoIP settings from Vodafone or similar...

This is a security problem and has great potential to cause problems for those who sold their unused HG659 routers, because someone else now has full access to their landline home phone. (There are plenty of people selling Vodafone-provided HG659 routers on Trade Me....)

4410 posts

Uber Geek
+1 received by user: 1245


  Reply # 1441484 6-Dec-2015 19:01
5 people support this post

So it's a Vodafone router that has Vodafone firmware, and is auto provisioning from Vodafone? That's normal behaviour for Vodafone supplied hardware, not a security flaw.

Its MAC address will be tied to the account that Vodafone mailed it out to when new.



9 posts

Wannabe Geek


  Reply # 1441488 6-Dec-2015 19:10

RunningMan: So it's a Vodafone router that has Vodafone firmware, and is auto provisioning from Vodafone? That's normal behaviour for Vodafone supplied hardware, not a security flaw.

Its MAC address will be tied to the account that Vodafone mailed it out to when new.


The point is why Vodafone didn't stop the "auto provisioning" when that internet/phone account is already closed with them?



25464 posts

Uber Geek
+1 received by user: 5269

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1441491 6-Dec-2015 19:19
2 people support this post

The hardware remains the property of Vodafone.

This particular issue has been discussed numerous times on here and elsewhere. The fact it's well known and Vodafone are fully aware of this suggests nothing will change with their processes.



919 posts

Ultimate Geek
+1 received by user: 177


  Reply # 1441492 6-Dec-2015 19:30

It is possible to de-register the modem through their portal.

More details here:
http://www.geekzone.co.nz/forums.asp?forumid=40&topicid=138038&page_no=2#954066



9 posts

Wannabe Geek


  Reply # 1441497 6-Dec-2015 19:53

yitz: It is possible to de-register the modem through their portal.

More details here:
http://www.geekzone.co.nz/forums.asp?forumid=40&topicid=138038&page_no=2#954066


Thanks... I didn't know this was previously discussed here.

Vodafone really should just remove the router from auto provisioning automatically when the account is closed or similar. This is obviously Vodafone's laziness for failing to warn customers and failing to remove the account when people expected them to do the right thing.

What happens if the account is closed and it is no longer possible to log in to the Vodafone account?
The link says one needs to log in to the account. I see a post earlier in the thread says call Vodafone, which departments handle this?

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 1441574 6-Dec-2015 21:40

0800 438448

711 posts

Ultimate Geek
+1 received by user: 320

Trusted

  Reply # 1442180 7-Dec-2015 16:32

ericwong: ... My friend who is using Fibre at home just gave me their Vodafone provided HG659 .. said their Vodafone fibre account is cancelled
It seems that the router is downloading VoIP settings from Vodafone or similar... This is a security problem and has great potential to cause problems for those who sold their unused HG659 routers because someone else now has full access to their landline home phone....


Yeah, our modems automatically download their settings. This is working as designed. We have serial numbers associated with logins and SIP details. VoIP users need to use the modem we provide them for their phone line to work. If the account is closed you won't be able to make calls from that SIP line. The customer can log in to My Vodafone to disable automatic provisioning for devices, or call through to our team on 0800 438 448 and they can do it too.

sbiddle: The hardware remains the property of Vodafone.

The cable modems do, but not the HG659 and other ADSL etc. modems.
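
An added illustration, not part of any post in this thread and not Vodafone's actual system: a minimal model of the serial-keyed auto-provisioning described above, next to a version that withholds SIP credentials once the account is closed, the number is ported out, or auto-provisioning is disabled for the device. All names, record fields and sample values are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Account:
    status: str                      # "active" or "closed"
    sip_user: str
    sip_secret: str
    number_ported_out: bool = False

@dataclass
class Device:
    serial: str
    account_id: str
    auto_provision: bool = True      # per-device switch, as in the self-service portal

# Constructed sample records (placeholders, not real identifiers).
ACCOUNTS = {
    "A1": Account("active", "line-0001", "secret-1"),
    "A2": Account("closed", "line-0002", "secret-2", number_ported_out=True),
}
DEVICES = {
    "SN-EXAMPLE-1": Device("SN-EXAMPLE-1", "A1"),
    "SN-EXAMPLE-2": Device("SN-EXAMPLE-2", "A2"),
    "SN-EXAMPLE-3": Device("SN-EXAMPLE-3", "A1", auto_provision=False),
}

def provision_serial_only(serial):
    """Weak form: possession of the device (its serial) is the only check."""
    dev = DEVICES.get(serial)
    if dev is None:
        return None
    acct = ACCOUNTS[dev.account_id]
    return {"sip_user": acct.sip_user, "sip_secret": acct.sip_secret}

def provision_checked(serial):
    """Release SIP credentials only while the device-account binding is valid."""
    dev = DEVICES.get(serial)
    if dev is None:
        return None, "unknown device"
    if not dev.auto_provision:
        return None, "auto-provisioning disabled for device"
    acct = ACCOUNTS.get(dev.account_id)
    if acct is None or acct.status != "active":
        return None, "account not active"
    if acct.number_ported_out:
        return None, "number ported to another provider"
    return {"sip_user": acct.sip_user, "sip_secret": acct.sip_secret}, "ok"

def close_account(account_id):
    """Closing an account also unbinds its devices, so a reset router gets nothing."""
    ACCOUNTS[account_id].status = "closed"
    for dev in DEVICES.values():
        if dev.account_id == account_id:
            dev.auto_provision = False
```

In this model the factory-reset router from the first post corresponds to `SN-EXAMPLE-2`: the serial-only lookup still returns its credentials, while the checked lookup returns nothing and a reason that can be logged.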

1912 posts

Uber Geek
+1 received by user: 604

Subscriber

  Reply # 1449400 12-Dec-2015 22:10

Equivalent thing happened to me, except it was with Snap. My parents wanted to sign up but didn't want to pay for a Fritzbox, so I gave them my 7360 that I wasn't using. They plugged it in and said that internet was working but not phone. It turned out it had auto configured with all my details, and they were using the net through my account. Had to phone Snap and get them to transfer the Fritzbox to the parents' account.

And 1 month after that was when Snap rebranded to 2degrees, meaning they would have gotten a free Fritzbox anyway.





2055 posts

Uber Geek
+1 received by user: 613

Subscriber

  Reply # 1449518 13-Dec-2015 04:01

If it's that much of an issue put the Spark firmware on it. 



9 posts

Wannabe Geek


  Reply # 1449580 13-Dec-2015 10:36

lxsw20: If it's that much of an issue put the Spark firmware on it. 

Good idea.. will do that if I can't get it solved in the limited time frame I have but this can't stop someone reflashing it back to Vodafone firmware and it might cause problems.

Guess what, the landline phone number is now confirmed to be with Spark and working as expected now but Vodafone also confirmed the same phone number is "active" with them too. As an independent check, the Vodafone router is still able to retrieve VoIP details automatically when connected to the Vodafone network, it is able to login and it shows the landline number as active and online.

I don't understand how a single phone number can be active with two different providers at the same time.
It simply does not make any sense... Anyone have similar experience?

3136 posts

Uber Geek
+1 received by user: 965

Subscriber

  Reply # 1449676 13-Dec-2015 14:42
One person supports this post

ericwong:
lxsw20: If it's that much of an issue put the Spark firmware on it. 

Good idea.. will do that if I can't get it solved in the limited time frame I have but this can't stop someone reflashing it back to Vodafone firmware and it might cause problems.

Guess what, the landline phone number is now confirmed to be with Spark and working as expected now but Vodafone also confirmed the same phone number is "active" with them too. As an independent check, the Vodafone router is still able to retrieve VoIP details automatically when connected to the Vodafone network, it is able to login and it shows the landline number as active and online.

I don't understand how a single phone number can be active with two different providers at the same time.
It simply does not make any sense... Anyone have similar experience?


Vodafone will just have the VoIP account still active on their server - this doesn't mean it will actually receive calls.

If the number has been ported to Spark then the routing tables will have been updated to direct calls to the new condition allowing the "new" number to receive calls.



9 posts

Wannabe Geek


  Reply # 1450207 14-Dec-2015 15:42

 
Vodafone will just have the VoIP account still active on their server - this doesn't mean it will actually receive calls.

If the number has been ported to Spark then the routing tables will have been updated to direct calls to the new condition allowing the "new" number to receive calls.


Vodafone do mean they have the landline number still active on their end while it is also active with Spark. Vodafone also said they did not receive any requests (incl porting) from Spark (or anywhere else), this means the number will not be automatically removed at all.

The only way this is resolved is to ask Vodafone to cancel/remove the landline number on their end. Something that shouldn't be required.

FYI, this issue took me at least 5 separate phone calls plus a complaint to Vodafone. (Yes, there were additional calls made to Spark too...)
