VoIP: SIP-over-TLS and sRTP: AudioCodes

Fancy website, in business since 1993, many customers. Their phones come in three variants: for Microsoft Teams, for (Microsoft) Skype for Business (SFB; formerly Lync), or Generic (non-SFB). The latter is plain VoIP/SIP and can be used with Digium Asterisk, for example. Their updates are posted on Citrix ShareFile. Let us have a look!

Last tested firmware

2.2.16.142.12 (Documentation)
retested in Oct. 2019 with 2.2.16.251
retested in May 2020 with 2.2.16.376

Configuration

Password: admin/1234
    Web → Management → Administration → Users
HTTPS: enabled by default
    changeable via the provisioning interface only (security/web/…)
Update: Web → Management → Manual Update → Firmware Upgrade
Trust Anchors: Web → Configuration → Security → Root CA Certificates
SIP-URI User: Web → Configuration → VoIP over IP → Line Settings → Line Number: 1 → User ID
    Web → Configuration → VoIP over IP → Line Settings → Line Number: 1 → Authentication User Name
SIP-URI Host: Web → Configuration → VoIP over IP → Signaling Protocols → (SIP Proxy and Registrar) Use SIP Proxy: Enable
    Web → Configuration → VoIP over IP → Signaling Protocols → (SIP Proxy and Registrar) Proxy IP Address or Host Name
    Web → Configuration → VoIP over IP → Signaling Protocols → (SIP Proxy and Registrar) Proxy Port: 5061
    Web → Configuration → VoIP over IP → Signaling Protocols → (SIP Proxy and Registrar) Use SIP Proxy IP and Port for Registration: Enable
    Web → Configuration → VoIP over IP → Services → (Application Server) Type: Generic
SIP-over-TLS: Web → Configuration → VoIP over IP → Signaling Protocols → (SIP General) SIP Transport Protocol: TLS
SDES-sRTP: Web → Configuration → VoIP over IP → Media Streaming → (SRTP) Encryption and Authentication: SUPPORT ENCRYPTION
    which yields an SDP offer with profile RTP/AVP plus a=crypto attributes (not RTP/SAVP)

Software Bugs

SHA-2 Digest: when challenged with a SHA-2 digest, the phone does not fall back to MD5 but continues without an Authorization header; therefore it is not able to register and is incompatible with Linphone
DNS-SRV: missing; therefore DNS-NAPTR is missing, too
Audio: G.722 advertises the wrong RTP clock rate (16000 instead of 8000) by default
    Mitigation: Web → Configuration → VoIP over IP → Media Streaming → (Codecs) 1st Codec: G.722/8000
Session Timers: broken; the phone sends SIP UPDATE even if UPDATE is not supported by the peer
Phone Display: the idle screen shows the Display Name (voip/line/0/extension_display) rather than the Line Label (voip/line/0/description)
Source IP Port: not randomized by default, always 1024
    the SIP headers Via and Contact carry 5061 rather than the actual source port
    Mitigation: unknown; the service has to ignore the advertised port and reuse the existing TCP-based connection instead
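
An added check, not code from this page or from AudioCodes, that a SIP service operator could run over a request received from the phone to flag the Via/Contact port and G.722 clock-rate quirks listed above, plus the RTP/AVP-with-crypto offer from the Configuration section. The INVITE, its addresses and the SDES key are constructed, and the regular expressions assume IPv4 or hostname addressing without IPv6 brackets.

```python
import re

def build_sample_invite():
    """Constructed INVITE resembling what the phone sends (not a real capture):
    the wire source port is 1024, yet Via and Contact claim 5061, the G.722
    rtpmap carries 16000, and SDES keys are offered on profile RTP/AVP."""
    sdp = "\r\n".join([
        "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        "m=audio 4000 RTP/AVP 9 0",
        "a=rtpmap:9 G722/16000",
        "a=rtpmap:0 PCMU/8000",
        "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_KEY_PLACEHOLDER",
    ]) + "\r\n"
    headers = "\r\n".join([
        "INVITE sip:200@example.net SIP/2.0",
        "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-1",
        "From: <sip:100@example.net>;tag=a1",
        "To: <sip:200@example.net>",
        "Call-ID: c1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Contact: <sip:100@192.0.2.10:5061;transport=tls>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return headers + "\r\n\r\n" + sdp

def audit_message(msg, actual_src_port):
    """Return the quirks found in one SIP request, given the peer's real
    transport source port. Assumes IPv4/hostname addressing (no IPv6 brackets)."""
    findings = []
    head, _, body = msg.partition("\r\n\r\n")
    # Via/Contact port should match the port the connection actually came from;
    # if not, the service must reuse the existing connection (RFC 5923 connection reuse).
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+[^:;\s]+:(\d+)", head, re.M | re.I)
    if via and int(via.group(1)) != actual_src_port:
        findings.append("via-port-mismatch")
    contact = re.search(r"^Contact:.*?sip:[^@>]*@[^:;>]+:(\d+)", head, re.M | re.I)
    if contact and int(contact.group(1)) != actual_src_port:
        findings.append("contact-port-mismatch")
    # RFC 3551 fixes the G.722 RTP clock rate at 8000 despite 16 kHz sampling.
    g722 = re.search(r"^a=rtpmap:\d+\s+G722/(\d+)", body, re.M | re.I)
    if g722 and g722.group(1) != "8000":
        findings.append("g722-wrong-clock-rate")
    # SDES keys on RTP/AVP instead of RTP/SAVP: the answerer must still honour them.
    if re.search(r"^m=audio .* RTP/AVP\b", body, re.M) and re.search(r"^a=crypto:", body, re.M):
        findings.append("sdes-crypto-on-avp")
    return findings
```

With the real source port 1024 the audit reports all four findings; with 5061 only the G.722 and SDES findings remain.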

Security

Bugs: SIP-over-TLS without server authentication (no hostname validation of the certificate)
    missing TLS_ECDHE_[RSA|ECDSA]_WITH_AES_128_GCM_SHA256: fixed
    cipher suites include RC4 (even with MD5) and single DES: improved
    built-in certificates cannot be viewed
Privacy: SIP messages contain the MAC address of the phone
Responsible Disclosure: not available; I had to write a postal letter
Firmware Update: missing automation
    missing newsletter

Miscellaneous

Model Range

C450HD, 450HD, and 445HD seem to be SFB-only because I cannot find a Generic firmware for them; they are called UCC450HD, UC450HD, and UC445HD.

Power Supply

12 V 1 A, Coaxial: 5.5 mm × 2.5 mm
