VoIP: SIP-over-TLS and sRTP: Snom

Snom has a long tradition; they started in 1997, and do just SIP. For DECT, they simply re-sell solutions from RTX. Recently, they were bought by VTech and have to re-sell their Single-DECT product now. However, the desk phone series remains Snom. Nevertheless, amount of findings and bugs in their re-sold devices raises the question how they do their internal tests.

Last tested firmware

10.1.39.11
retested in Oct. 2019 with 10.1.42.14
retested in May 2020 with 10.1.51.12
8.9.3.96 (2018 Aug.) for Snom 710
8.9.3.88 (2018 Mar.) for Snom 720, 760

Configuration

Password: Web: not set; Phone: 0000
Web → Advanced → QoS/Security → HTTP Server
Web → Advanced → QoS/Security → Administrator Password
HTTPS: enabled on default
Web → Advanced → Network → Webserver Connection Type
Update: Web → Software Update
You can paste the URL of the latest firmware file directly.
Trust Anchors: firmware 10: uses the list of Mozilla, on default
firmware 8: Web → Certificates → Activate → Custom
The preinstalled certificates take precedence (see bugs below).
SIP-URI User: Web → Identity → Login → Account
SIP-URI Host: Web → Identity → Login → Registrar
SIP-over-TLS: used on default; thanks to DNS-NAPTR
to disable DNS-NAPTR, enter an Outbound Proxy like ‘tel.t-online.de;transport=tcp’
to disable DNS-NAPTR and DNS-SRV, add a port to the Registrar, like ‘tel.t-online.de:5060’
SDES-sRTP: used on default; since firmware 7
Web → Identity → RTP → RTP Encryption
Web → Identity → RTP → RTP/SAVP: Off
which is RTP/AVP with crypto

Software Bugs

SHA-2 Digest: ignores algorithm and picks first; therefore incompatible with Linphone
Audio: opus-nb is disabled on default and has issues…
amrwb is an optional feature and has issues…
aal2-g726-32 is enabled on default but has the wrong endianness
Mitigation: remove it via Web → Identity → RTP
Wi-Fi: no support for WPA Enterprise like PEAPv0/EAP-MSCHAPv2; only WPA Personal (WPA2-PSK) and Open
TLS: expired intermediate certificates block their signed trust anchor. For example in firmware 8, GTE CyberTrust Root is included as an intermediate; whyever. That blocks all chains which end in Baltimore CyberTrust Root.
Mitigation: on your server, remove the intermediate to ‘Baltimore CyberTrust’
DiffServ: in IPv6, both SIP and RTP are at 0
Audio DiffServ: on default, 160
Mitigation: Web → (Setup) Advanced → QoS → RTP Type of Service (TOS/Diffserv): 184

Security

Bugs: DNS-SRV redirection disables Hostname Validation fixed in Nov 2020 with firmware 10.1.64.12 (SAP-4461)
trust anchors are outdated (1024 bit, StartCom, Symantec) and cannot be overruled
HTTPs Web interface asks for a client certificate which fails in Web browsers if you have such a certificate installed, like all Apple Safari users
Mitigation: use a Web browser without having a client certificate installed
firmware 8: Hostname Validation is off
Mitigation: https://phoneIP/settings.htm?check_fqdn_against_server_cert=on
Privacy: SIP REGISTER messages contain private IP (X-Real-IP)
Mitigation: unknown
SIP INVITE messages contain MAC (X-Serialnumber)
Mitigation: unknown
device phones home via HTTP to http://provisioning.snom.com
Mitigation: Web → Advanced → Update → Update Policy: Never update, do not load settings
Responsible Disclosure: via E-mail
Firmware Update: missing Automation
Although the phones are capable of it, Snom themselves do not offer a generic firmware URL, that would enable automatic updates; whyever.
Newsletter via E-mail

Miscellaneous

Model Range

The D710, D715, and D725 are sometimes called just 710, 715, and 725. Snom has a life-cycle and a comparison List. Therefore, the Snom 710, 720, and 760 (tested) were not fixed.

Power Supply

5 V 2 A, Coaxial: 5.5 mm × 2.1 mm

back to the other phones.