VoIP: SIP-over-TLS and sRTP: Obihai

Obihai was famous for its Google Voice support. Google Voice is split into a variant for work (Google Voice for G Suite; selected countries) and a variant for personal use (currently contiguous United States only). Furthermore, those devices come with their own VoIP service called OBiTALK. Nevertheless, these devices support Open-SIP and allow many VoIP/SIP services. Obihai was bought by Polycom, which was bought by Plantronics, which was renamed to Poly. The former Obihai phones were replaced by the VVX x50 Series OBi Edition phones, and their operating system is called Polycom OBi Edition Software. You can convert a phone with the Polycom UC Software (UCS) to the Polycom OBi Edition Software: Guide.

Last tested firmware

6.3.1 (Administration Guide)
retested in Oct. 2019 with 6.4.0
retested in May 2020 with 6.4.1

Configuration

Password: admin/admin
Web → System → Device Admin → Web Server
HTTPS: not available
Update: A) download this file and go to Web → System → Device Update → Firmware Update, or
B) Web → System → Auto Provisioning → (Auto Firmware Update) Method: System Start → FirmwareURL: Paste the link of your Yes
Trust Anchors: Web → System → Device Admin → Platform CA → DownloadURL: Base64
Certificate Management was added with firmware 6 and works like Polycom UC Software: in each TLS client, you have to select a profile. The profile states which certificate(s) to use. The certificates are loaded remotely. With the OBi Edition Software, you can add only two trust anchors. ‘All’ does not mean that all certificates are allowed; it means the built-in certificates (default value) plus the two certificates you added.
SIP-URI User: Web → Voice Services → SP1 → AuthUserName
SIP-URI Host: Web → Service Providers → ITSP Profile A → SIP → ProxyServer
SIP-over-TLS: Web → Service Providers → ITSP Profile A → SIP → ProxyServerTransport: TLS
… X_VerifyServerDomain: Yes
firmware 6: … X_TLSSecurityProfile: 2
Web → System → Device Admin → TLSPlatform Profile 2 → CipherSuite
firmware 5: Web → System → WAN → Internet → OpenSSLCiphers
uses the list DEFAULT of OpenSSL (firmware 5: OpenSSL 1.0.1; firmware 6: OpenSSL 1.0.2) which includes outdated Cipher Suites like RC4 (even MD5). Furthermore, that value has to start with ‘DEFAULT’. Recommendation: DEFAULT:-ALL:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:-COMPLEMENTOFDEFAULT
SDES-sRTP: Web → Voice Services → SP1 → X_SRTP: Use SRTP When Possible
which is RTP/SAVP + RTP/AVP

Software Bugs

DNS-SRV: uses _sip._tls instead of _sips._tcp
DNS-NAPTR: does not support TLS, only TCP or UDP
AES-256 sRTP: accepted although not supported; therefore no audio
SHA-2 Digest: ignores algorithm and picks first; therefore incompatible with Linphone
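
One way to check from a captured SDP answer whether a call really got sRTP, given that ‘Use SRTP When Possible’ offers RTP/SAVP plus RTP/AVP and that AES-256 is accepted without working. This is an added example, not from the original page or from Obihai/Poly; the function names, the sample SDP bodies and the assumption that only the AES-128 suites of RFC 4568 are usable are constructed for illustration.

```python
import re

# Assumption (not from the page): only the AES-128 suites of RFC 4568 count as
# usable; the page reports that AES-256 is accepted but produces no audio.
USABLE = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}

def audit_sdp(sdp):
    """Return one finding per audio m= section: port, profile, suites, verdict."""
    findings, cur = [], None
    for line in sdp.splitlines():
        m = re.match(r"m=(\w+) (\d+) (\S+)", line)
        if m:
            cur = None
            if m.group(1) == "audio":
                cur = {"port": int(m.group(2)), "profile": m.group(3), "suites": []}
                findings.append(cur)
        elif cur is not None and line.startswith("a=crypto:"):
            # a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
            fields = line.split()
            if len(fields) >= 3:
                cur["suites"].append(fields[1])
    for f in findings:
        if f["port"] == 0:
            f["verdict"] = "rejected"          # stream declined by the answerer
        elif f["profile"] != "RTP/SAVP" or not f["suites"]:
            f["verdict"] = "plaintext"         # RTP/AVP fallback, no SDES key
        elif not USABLE & set(f["suites"]):
            f["verdict"] = "unusable-suite"    # e.g. AES-256: expect no audio
        else:
            f["verdict"] = "srtp"
    return findings

def media_encrypted(answer_sdp):
    """True only if every accepted audio stream in an SDP answer is usable sRTP."""
    live = [f for f in audit_sdp(answer_sdp) if f["verdict"] != "rejected"]
    return bool(live) and all(f["verdict"] == "srtp" for f in live)

def _sdp(*media):  # constructed sample bodies using documentation addresses
    return "\r\n".join(("v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
                        "c=IN IP4 192.0.2.10", "t=0 0") + media) + "\r\n"

KEY = "inline:" + "A" * 40  # constructed placeholder, not a real key
ANSWER_SRTP = _sdp("m=audio 16000 RTP/SAVP 0", "a=crypto:1 AES_CM_128_HMAC_SHA1_80 " + KEY,
                   "m=audio 0 RTP/AVP 0")
ANSWER_FALLBACK = _sdp("m=audio 0 RTP/SAVP 0", "m=audio 16000 RTP/AVP 0")
ANSWER_AES256 = _sdp("m=audio 16000 RTP/SAVP 0", "a=crypto:1 AES_256_CM_HMAC_SHA1_80 " + KEY)

if __name__ == "__main__":
    for name in ("ANSWER_SRTP", "ANSWER_FALLBACK", "ANSWER_AES256"):
        print(name, [f["verdict"] for f in audit_sdp(globals()[name])])
```

Feed it the SDP body of the 200 OK from a SIP trace; a verdict other than `srtp` on the accepted stream means the call's media is not protected, whatever the phone's display shows.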

Security

Bugs: padlock icon even without SIP-over-TLS, and
built-in trust anchors cannot be viewed, only documented
Privacy: device phones home
Mitigation:
  • Web → System → WAN → Time Service → NTPServer1: 2.pool.ntp.org (for example)
  • Web → System → Auto Provisioning → ITSP → Method: Disabled
  • Web → System → Auto Provisioning → OBiTalk → ZeroTouch: Off
  • Web → Voice Services → OBiTALK Service → Enable: No
    if you want to use that, change the Transport at least to TLS
Responsible Disclosure: via E-mail
Firmware Update: missing Automation
missing Newsletter

Miscellaneous

Model Range

Power Supply

5 V 3 A, Coaxial: 5.5 mm × 2.1 mm
