Scott Walde wrote:
> I sent an online Tech support request detailing the problem and
> indicating that I considered it a very serious security concern, as it
> could financially affect me, as my account automatically bills my CC for
> toll usage.
> By the way, Aastra at least has encrypted files for this exact purpose.
> I'm sure it would be possible to reverse engineer the key from the
> firmware, but at least it's 100x harder to do than cleartext. (I'm
> configuring some Aastra SIP gear at the moment.)

If they were smart, the blank boxes for the SIP provisioning at the
centre in Regina (or wherever they are) would have a keypair generated
before they are sent in the field, with the public key stored in
Sasktel's keyring and the private key stored in the box. That way, if
someone does manage to dump the private key, it gets them nothing.

In the meantime, Sasktel's pairing would also be in the box (public key,
this time), so that each SIP connection could be trivially
authenticated, and you could also use it to establish a session key for
encrypted VOIP.

Security seems to be a secondary concern for too many companies :p
Received on Mon Dec 11 16:17:34 2006
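
The scheme sketched in the reply above, as an added example that is not part of the original message or any vendor's code: each side holds its own long-term key plus the other's pinned public key, authenticates every connection with a signature over fresh ephemeral keys, and derives a session key. The names `sign` and `finish`, the role labels, the `voip-session` label and the choice of Ed25519 with X25519 are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sign binds the signer's role and ephemeral key to the peer's ephemeral key,
// so a signature cannot be replayed on another connection or reflected back.
func sign(role string, priv ed25519.PrivateKey, ownEph, peerEph []byte) []byte {
	return ed25519.Sign(priv, bytes.Join([][]byte{[]byte(role), ownEph, peerEph}, nil))
}

// finish checks the peer's signature against the pinned long-term key, then derives
// a session key from the X25519 secret (plain SHA-256 here; use HKDF in practice).
func finish(peerRole string, pinned ed25519.PublicKey, eph *ecdh.PrivateKey, peerEph, sig []byte) ([]byte, error) {
	signed := bytes.Join([][]byte{[]byte(peerRole), peerEph, eph.PublicKey().Bytes()}, nil)
	pk, err := ecdh.X25519().NewPublicKey(peerEph)
	if err != nil || !ed25519.Verify(pinned, signed, sig) {
		return nil, errors.New(peerRole + " rejected: bad ephemeral key or signature")
	}
	shared, err := eph.ECDH(pk)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("voip-session"), shared...))
	return key[:], nil
}

func main() {
	// Provisioning, with constructed keys: the device pair is generated before the
	// box ships; dPub goes into the provider's keyring, pPub is stored in the box.
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader)
	pPub, pPriv, _ := ed25519.GenerateKey(rand.Reader)
	// One connection: each side sends a fresh X25519 public key, then a signature.
	dEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	dHello, pHello := dEph.PublicKey().Bytes(), pEph.PublicKey().Bytes()
	kDev, errD := finish("provider", pPub, dEph, pHello, sign("provider", pPriv, pHello, dHello))
	kProv, errP := finish("device", dPub, pEph, dHello, sign("device", dPriv, dHello, pHello))
	fmt.Println("keys match:", errD == nil && errP == nil && bytes.Equal(kDev, kProv))
}
```

Only the ephemeral public keys and the signatures cross the wire; the long-term private keys stay where they were provisioned.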