Security Issues for Owners of BT’s Cloud Voice Handsets and Other IP Phones
Businesses that decide to sell their unwanted BT Cloud Voice handsets on eBay need to take extra care because some models, such as the Yealink W60P phones, may retain the prior customer’s account credentials. As a result, those who purchase them could find that they’re able to make calls on another person’s account.
The situation came to light after one of ISPreview.co.uk’s readers, Chris, purchased two second hand BT Cloud Voice handsets – via two different sellers – off the popular internet auction site (i.e. small businesses are sometimes given handsets that they don’t end up using, which eventually make their way to places such as eBay). The mistake here is to assume that such handsets are just like regular phones.
Unlike regular dumb phone handsets, those on BT’s Cloud Voice platform – and other IP phone platforms – are often designed to “work out-of-the-box.” In the case of the two Yealink W60P DECT IP phones, they come pre-registered to Yealink’s cloud-based management services, which is something that some owners haven’t realised.
According to Chris, “BT have set these phones up to autoconfigure using Yealink’s cloud-based management services, this means even if factory reset and flashed with new firmware, they call home to Yealink with their MAC address, where they retrieve their configuration settings, reboot and then are automatically logged into someone’s BT Voice account. The phone is then able to make and receive calls with someone else’s telephone number.”
A quick look at BT’s website, FAQs and T&Cs suggests that this behaviour isn’t being made clear to people. Indeed, there are no stickers on the box or anything in the T&Cs that would forbid reselling the hardware, or with clear warnings that the device is locked to the customer’s account and number. Suffice to say, it would be all too easy for customers to think they can simply be sold off, when in fact doing so may expose your account.
A Spokesperson for BT told ISPreview.co.uk:
“We use industry standards in order for Cloud Voice to work out-of-the-box and deliver the best customer experience possible. In the case that a supplied device is no longer used for the service that it was intended for, the customer must remove the device from the BT service via the self-serve Digital Portal or inform their BT service team.
Our terms and conditions do state that the customer is responsible for the proper use of purchased equipment and they must take the necessary steps to ensure their devices and account details are kept confidential, secure and not made available to unauthorised persons.
We do recognise however that the steps to disassociate a device from the service could be better set out in our customer communications, and we will look to explore this internally and make improvements where necessary.”
On the one hand, it’s easy to understand why operators would be seeking to make such systems as easy as possible to setup and use out of the box. But at the same time, we’re surprised that some basic customer checks aren’t first being performed in order to prevent use by unauthorised individuals (e.g. requesting details that only the original owner would know).
“With a bit of network knowledge and packet capture, it is possible to reuse these devices. By blocking the IP addresses used to dial into Yealink’s servers followed by factory reset (possible by powering up using the single button on the base station to reset it, the only option as the UI password is changed by BT), it will reboot, fail to reach Yealink and so just behaves like any Yealink bought from a shop. So, these devices aren’t locked to BT, they work independently, just that they always want to fetch the configuration settings from BT and override anything else set,” added Chris.
BT’s Cloud Voice service is by no means the only such VoIP style platform to work in this way (many of them do), and they’ll only become more common as IP-based phone services start to increasingly replace traditional handsets over the next few years. But ordinary consumers, such as those who, until now, have had no previous experienced IP phones, may be unaware of caveats like this one and how to deal with them.
Suffice to say, don’t just assume that a factory reset is all you need to do, sometimes extra steps may be required to fully disassociate your account from the device first before selling or returning it to prevent the risk of abuse (assuming resale of kit is allowed by your broadband ISP).
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and Linkedin.
« The UK Gov’s Technical Definition of Gigabit Capable Broadband
Latest UK ISP News
- FTTP (5515)
- BT (3514)
- Politics (2537)
- Openreach (2297)
- Business (2262)
- Building Digital UK (2244)
- FTTC (2043)
- Mobile Broadband (1973)
- Statistics (1788)
- 4G (1664)
- Virgin Media (1619)
- Ofcom Regulation (1461)
- Fibre Optic (1395)
- Wireless Internet (1389)
- FTTH (1381)
…so like most VOIP phones then. This is not Yealink specific, nor BT specific.
Why would you buy this crap?
What would you recommend?
@James
I recommend not buying it.
It comes free with BT Businesss Broadband, like it or not.
This isn’t a BT or Yealink specific problem. In my home I have bought these Yealinks and a few Polycoms and out of 8 devices i bought used on eBay over the years 2 phones have cone with a full working service as the old owner who sold them to me didn’t remove or change the password. Of course when buying these things new they should tell the ownera to reset the devices before giving them away.
The issue is a factory reset doesn’t make a difference on these devices. All BT do is scan the MAC code into Yealinks cloud services then ship them out, the device itself isn’t customised or any different from one bought in a shop. When they boot up the first thing they do is query Yealink who then feed the relevant configuration settings having seen the MAC in their database. You can factory reset all day and each time it will set itself back up.
@Phil
The BT Biz supplied Yealink handsets are locked to BT and definitely not the same as buying factory unlocked models ( I’ve used them). So out of box they won’t work with a different SIP service nor do BT show your SIP login credentials on the handsets for obvious reasons. The ‘reset’ setting is greyed out on these handsets. I guess someone with the right knowledge could hack into these but your average user certainly won’t be able to.
@Matt The units supplied by BT are exactly the same as shop bought ones. They don’t come preconfigured or “locked” to any network. All Yealinks, wherever they come from will phone home to Yealink on booting up. To auto provision for BT Voice, BT scan the MAC code into Yealink’s cloud system before shipping, and tell Yealink’s system what configuration is required. When the unit boots up, it checks Yealink’s servers to see if it has configuration settings it should download, a shop bought one would simply get a no match and continue to boot with default settings, a BT Voice one is told to load all the necessary configuration data, this includes resetting the default password and if necessary reflashing the firmware. The unit then reboots with the new settings including account details and its logged on to BT Voice. Yealink have basically made it so that any VoIP provider can configure everything using the “cloud” including some branding on the UI without needing to open the box of the device or use customised firmware. It’s a great system, however BT haven’t implemented any security. It is possible to make the auto configuration dependant on a username and password being entered first, but I guess BT have not done this in order to make it as plug and play as possible, i.e. emulate a landline that you only have to plug in for it to work. The units can be factory reset without access to the UI by using the button on the base station, but with Internet access they simply reboot to factory defaults, which prompts it call into Yealink again and go through the same configuration process, so back to where you started.
@Matt to clarify. If you want to use a Yealink BT supplied unit with different VoIP settings then two options. 1) Use a firewall to block access to Yealink cloud servers, factory reset and the device will reboot, be unable to query for settings, and then default to being a ‘normal’ Yealink, and you can log in with the default password and from here on it’s just like any shop purchased Yealink. Just be aware that it could potentially at some point reconfigure itself if it manages to reach Yealink in the future 2) You can try contacting BT or Yealink support and get them to remove the device from their system, then factory reset, and now when it queries Yealink it’s not given any settings.
Pretty sure you have to return these handsets back to BT Biz after ceasing/cancelling your services, at least that’s what I had to do. I suspect those who flogged these on eBay may well end up being charged by BT if/when they stop their services.
You might be right, but as per the article, the other issue is that BT doesn’t make that clear via their website or on the product itself, and it’s difficult to know which terms are now relevant to the BT Cloud Voice service. Communication needs improvement.
This is also the way many ATA are shipped as well, connecting to service to provision themselves.
Indeed, but usually ATAs will come preconfigured, i.e. someone takes it out the box, loads it up with a configuration file, pops it back in the box and ships it to you, if you factory reset you would typically lose the configuration and it’s safe to pass on to someone else. The issue with BT Voice (using Yealink and other manufacturers implementing cloud management) is the phones are not preconfigured, they configure themselves automatically the first time the are turned on or after a factory reset, and with BT Voice, they require no credentials to prove it’s your phone, they just blinding connect and pull all the configuration details down and give you a phone number, which if you have sold it on, you will not want as it is your phone number on your bill. BT don’t seem to spell this out, so unsuspecting customers are selling them on, and to be fair they probably don’t know anything about VoIP and just think it’s like a landline and so it gets the phone number of the socket its plugged into like they’ve always worked, of course this isn’t the case with VoIP.
I remember when my company was moving to an IP based PBX and phones, we were deciding on which handsets to use, and bought a Panasonic IP phone. It kept resetting its configuration all the time, even after factory resetting it. Even returned it to the retailer thinking it was faulty somehow. They couldn’t explain why it was doing this themselves. Later on when we decided to go with Yealink phones, I realised that this was standard behaviour for phones that are pre-provisioned (That Panasonic phone must have been a cancelled order, or someone messed up).
The auto provisioning is actually really handy, even within a company where you have to deploy hundreds of phones internally like we do.
Maybe IP phones should shipped sans MAC address. That then, being assigned and shipped on a SIM. Consumers are used to inserting a SIM to get a connection to work or taking it out before selling on a Mobile. Same process would then apply to IP phones tied to your account.
A totally dreadful idea.
This isn’t specific to BT or Yealink, pretty much all VOIP providers supplying handsets for their own service do this. The way it actually works is the provider registers the handset in the manufacturer’s system, and the manufacturers server simply tells the handset the address of the providers own provisioning server, which then does the heavy lifting.
It can also happen when you buy handsets from distributors too. I bought some Grandstream handsets for clients which came pre-registered in Grandstream’s system to be configured by the distributors own provisioning server (for their own VOIP service). When I queried them about it, they initially told me that it didn’t really matter because the handsets weren’t actually registered on their own server, so the registration didn’t override anything. However they failed to realise that this also prevented the handsets being used with anybody elses provisioning server, including Grandstream’s own GDMS service. Happily they removed the MAC address registrations, but I still have to remember to email them to remove the MAC addresses every time I buy new handsets.
Both BT Cloud Voice and BT Cloud Phone portals include facilities to add or delete new devices (licences) and no doubt there is an assumption someone is actively managing them. The issue may arise though on SME with a small number of lines, sending out preconfigured kit and people simply using the pre-setup or express setup.
In most cases if businesses change their equipment or move their service to a new provider it will initiate a change however if a business simply ceases (BT’s risk) or the kit is stolen there may be an issue (customers risk). BT owned equipment should be returned and yes BT really should clearly label their kit and their process however they should also ensure that equipment cannot simply be acquired and used on a customers account.
BT appears to have restricted the reset on the GUI but may not have considered all the scenarios of the connect button reset.
Yealink have come under criticism on their security last year which has prompted two-factor authentication solutions. Perhaps as BT are modifying their firmware they should ensure that if the equipment is moved (network or location) it becomes either an unassigned device or cannot be used until approved or a customer known PIN entered.
I am assuming single line voice over BB services from BT, Sky and VM are protected by some form of additional BB service/router parameter as well as the credentials being hidden from users in the GUI even if the risk is extremely small.
Those using ATAs/VoIP phones need to be made aware that credentials are vulnerable if equipment is stolen or accessed.
Consumer digital voice works in an entirely different way with the Smart Hub 2 doing the heavy lifting. Reselling the handsets would not be an issue (although they belong to BT and are required to be returned at a later date)
Can confirm, the handsets on BT consumer Digital Voice platform are just dect units. The smart hub is locked down to fairly basic settings with no option to view/modify the telephony side of things.
Your own work-from-home sip handsets are fine on UDP 5060 (tested Cisco CUCM & Yealink sip) just plug and play independently.
My understanding is the Yealink handsets above are also DECT. The issue is in the base unit.
So, if you could figure out a way to modify the device’s MAC address, would you be able to use it to obtain other people’s account credentials… I assume there must be some mechanism to prevent it.
There are certificates on the device that are tied to the MAC and locked down pretty well, so unless you can change the certs as well as the MAC, the provisioning server will not authenticate the end device and reject sending config out.
Older provisioning was based on MAC and password and those days were a cesspit of MAC spoofing and password forcing to collect SIP auth credentials, which once collected were promptly used for toll-fraud.
I have another but related issue with BT’s Cloud Voice Service. They sell it on the basis that up to 5 handsets can be used. I purchased some additional handsets on eBay and registered them to base. Although the eBay-purchased handsets register ok, I can’t make calls from them.
I then did a factory reset of the base and registered the eBay handset first, then the handset that BT supplied. Now, the eBay handset works and the BT handset doesn’t. I called BT to provide support for the BT handset that doesn’t work. They told me that the eBay handset has taken the “slot” and to get the BT handset working, I need to remove the eBay handset.
This indicates that they have allocated only 1 handset slot for use (despite advertising that up to 5 handsets can be used). They will only allocate slots according to the number of handsets purchased from BT. I feel this is unfair and restrictive practice. I have complained to BT, and the complaint is at a standoff. I have now raised it to the Ombudsman.
@DavidColemen I think you just need to configure it correctly but it requires access to the web UI. If you download the PDF instructions from BT it should give you some credentials to log in to the web page as a basic user to get to some settings. Basically you need to log in and go to the Account tab then Number Assignment and under Incoming and Outgoing lines make sure the additional handsets are all set for line 1. By default handset 2 gets line 2, handset 3 gets line 3 and so on, but you only have one line, and you want them all to access the same line in your case. There is a forum here as well so might be better to post there if you get no joy.
@Phil. When I log into the admin page, I only ever see 1 handset despite more than 1 being registered to the base. I’ve tried resetting the base at my end and via the admin page, but get the same result… only ever 1 handset. When I called them, they said that “the third-party handset is taking the slot of the BT handset”. Unless there’s a fault somewhere, it seems that only 1 handset can ever be recognised at BT’s end.
@David Coleman I’d recommend posting in the forum as it will be easier. BT at their end don’t care how any many handsets are on the base station. It is only the base station talking to BT, the handsets just talk to the base station, so seems to be configuration issue that I’m sure can be solved.
@Phil I’ve chatted this through on a few forums now and there are numerous people having the same problem, and not a single person with a solution. Although it’s possible to pair multiple handsets with a base and make intercom calls between them, the number of handsets capable of making and receiving external calls is limited to what BT have set it up as. This is not a user configuration issue. It’s a restriction placed on by BT. Many people (including me) are trying to log into the base to see if they can change it in there, but the username/password are not the default ones. And even if you can log into the base and change it, there’s the possibility that the base routinely downloads config from BT on power up or even periodically anyway. I really don’t understand why BT are doing this over the sake of the profit on a £75 handset.
If only I came across this post earlier – would’ve saved me so much time.
My company also use BT Cloud Voice, and had asked that I add a few DECT handsets.
Privately I use Yealink, so I figured I’ll get more of the same via some or other online supplier.
I had registered the MAC, IP, etc., all via the Cloud Voice cPanel, but it refused to work. I literally wasted days on this, and eventually gave up and called BT support.
They too tried and tried, and pretty much tested everything from my haemoglobin levels through to me broadband.
Then finally, someone asked the million dollar question – “did you buy your device from BT” 😐
Apparently only BT supplied equipment would work on their network.
So, having been forced to pay another £100 for BT’s older model Yealink W60B, I went ahead and connected everything – and the next I knew, everything was working.
As per previous posts – prior to the auto-config process, one can briefly access the W60B cPanel, but then soon after it’ll lock you out. I’ve noticed it even takes away a few of the actual handset’s menu options.
I must say, not being able to access the cPanel is a bit annoying, as you lose access to certain features – i.e. directory, codec settings, etc.
Also, if I had access to the W60B cPanel, I would’ve loved to test whether one can use the same settings in order to get a 3rd party device onto the network, and whether or not MAC filtering would prevent this from working.
Some more info here…
https://phm.pw/hacking-a-yealink-device-autoprovisioned-for-bt-voice/
@Dan @Phil It is not the case that “only handset purchased from BT will work”… that is just not true. I received a base and one handset from BT, and then I purchased two handsets from eBay. I registered the BT handset and it worked fine. When I registered the eBay handsets, they didn’t work. However, when I reset the base and registered the eBay handset first, it worked. Then, when I registered the BT handset second, it did not work.
I called BT and they said that the eBay handset had taken the “slot” of the BT handset. In short, because I had purchased one handset from BT, I only had one “slot” for handsets. But any handset can take that “slot”.
I reported a fault that the second handset (the BT handset) wasn’t working. They said that the fix was to remove the eBay handset, which I refused to do. I then made a formal complaint and they registered the complaint and immediately closed it at deadlock. This allowed me to escalate to the Ombudsman, which I did. BT then challenged whether my complaint was within scope of the Ombudsman’s remit, and the Ombudsman rejected the challenge. The next thing, BT offered a financial goodwill gesture to resolve the complaint before the Ombudsman ruling. I have accepted this.
As far as I am concerned, BT have (whether intentionally or not) designed a system that is restrictive and forces customers to buy handsets from them. I suspect that placing an order for a handset triggers three things – (1) The handset picked and shipped, (2) A charge (£75) on the account, (3) Opening another “slot” for a handset for the base.
I would love to know what would happen if a complaint goes all the way to an Ombudsman decision.
How did you register the eBay phone? Where did you get the details to do it?