[Asterisk-Users] Vonage ATA-186 password recovery

Scrotus Maximus mrscrotus at yahoo.com
Sat Aug 23 03:51:40 MST 2003


This message describes the configuration and recovery
process for Cisco ATA-186 adapters provided by Vonage.

"Every Vonage Customer Gets a Cisco Phone Adapter for Free."

The unadvertised detail is that this adapter is never
under your control, even after completing the terms of
your customer agreement and ending your relationship
with Vonage.  Rather than pollute landfills with
perfectly good hardware, some ex-customers would like
to recover use of their Cisco ATA and recycle it for
other applications.

TOS RESTRICTION

Note that it is a violation of the Vonage Terms of
Service to tamper with or reset your Cisco ATA while
subscribing:

  1.6 Tampering with the Device

  You agree not to change the electronic serial number or equipment
  identifier of the Device, or to perform a factory reset of the Device,
  without express permission from Vonage in each instance.  Vonage
  reserves the right to terminate your Service should you tamper with
  the Device, leaving you responsible for the full month's charges to
  the end of the current term, including without limitation unbilled
  charges, plus a disconnect fee, all of which immediately become due
  and payable.

Of course, former Vonage customers that have fulfilled
the terms of their contract, paid all fees, and are no
longer Vonage subscribers are not bound by these Terms
of Service.  This information is intended to help only
those former customers recover the utility of the
otherwise-useless ATA device.


LOCKOUT IMPLEMENTATION

The Cisco ATA provides a number of features to control
access.

First, Vonage disables the HTTP server in the ATA by
setting Bit 7 (Bitmask: 0x00000080) in the OpFlags
parameter.  (IVR Code 323)

Details here:
http://www.cisco.com/univercd/cc/td/doc/product/voice/ata/atarn/186rn214.htm

This makes it impossible to connect to the
configuration web page that is normally available at
http://{ATA IP address}/dev

Also, the "UI Password" is required to access all
configuration parameters in the voice-prompt menu. 
The UI password is an eight-digit number requested
with "PASSWD" by the IVR.

This UI Password is unique to every ATA and changes
with every configuration update from Vonage.  It is
stored in the flash device along with the other
configuration parameters.

Beginning with ATA firmware version 2.16, the UI
Password is also required to perform a Factory Reset. 
Earlier versions of the firmware would allow a Factory
Reset to erase memory (including the password) without
prompting for the password.  An older Vonage ATA that
has not been connected to the network since June 2003
may still allow a factory reset this way.

This is the factory reset procedure:

A) Take the phone off hook.
   The red button on the top of the ATA-186 will illuminate.

B) Press the illuminated red button on the ATA and dial 322873738#.
   (The numbers spell FACTRESET# on the telephone keypad.)

C) If you hear "P A S S W D", you have firmware 2.16 or newer and can
   NOT perform the reset without the password.

   If the prompt asks you to dial * to save changes, press * on your
   phone's keypad and hang up the phone.  You either did not have a UI
   Password set, or have firmware 2.15 or older.


DEFAULT CONFIGURATION

The Vonage ATA configuration uses DHCP to acquire the
IP address for the ATA, but has other services
hardcoded by IP number or address.  It will not use
the DNS, TFTP, or NTP servers provided via DHCP.


CONFIGURATION PATHNAME

By default, Cisco ATA devices will attempt to fetch
two files from the TFTP server for configuration: 
  ata000c30a4f276 (the ATA's MAC address)
  atadefault.cfg  (common default)
These defaults can be overridden with Option 150 in
the DHCP Offer.

Instead, Vonage configures the ATA to fetch a file
named something like:
  bsOWFaqFCa/ata000c30a4f276

There are 10 random characters before the MAC
filename.  This file exists on the Vonage TFTP server
only when needed and is usually Not Found.


ENCODING AND ENCRYPTION

The configuration files are written as text, and then
converted to a more compact binary format by the Cisco
'cfgfmt' tool.

This tool provides an option to encrypt the
configuration binary using Cisco's RC4 implementation.
The RC4 key is provided on the command line as up to
32 ASCII characters and repeated to build a 256-bit
RC4 seed value.  Vonage encrypts all configuration
files this way.


KEY ROTATION

Each configuration file is encrypted with the current
RC4 key.  Any file that does not decrypt with the
current RC4 key is discarded by the ATA.

Inside any new file is a parameter titled "EncryptKey"
that is the RC4 key used for subsequent configuration
files.

When Vonage wants to publish a change to a customer
ATA, the requested TFTP file will be posted to their
server.  Instead of the usual "100 NOTIFY: Event
noevent" polling SIP Event, Vonage will immediately
send a "NOTIFY: Event check-sync" from ProvisionServer
to the ATA.

This causes the ATA to immediately TFTP the
(encrypted) file, just as it tried at boot time.  This
time the file exists.

If the ATA is not connected to receive the check-sync,
it will pick up the new config at its next scheduled
poll, or at boot time.

This file will contain only three changes: 
- A new RC4 key
- A new UI Password
- A new TFTP filename

The new filename has a different 10-character prefix:
  bsOWFaqFCa/ata000c30a4f276  --->  ssBySDwerb/ata000c30a4f276

The ATA resets after receiving the configuration file.
 At reset, it tries to download the second
configuration filename.  This file too will exist, and
it is encrypted with the new RC4 key.  This file
contains the other requested configuration changes and
keeps the same Key and Password.

When the second file is downloaded, Vonage deletes
BOTH files from the TFTP server.

The ATA will continue to poll for
ssBySDwerb/ata000c30a4f276 until that file is again
present with new data.
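The two-file rotation described above, as an added simulation in Python (not code from the original post, from Cisco, or from Vonage): a provisioning server publishes the two files in order, and an ATA model accepts a file only when it decrypts to the "#ata" header, then takes its next key, UI Password and TFTP path from that file. Modeling "does not decrypt" as a failed header check is an assumption of the example; the cipher is a SHA-256 counter-mode stand-in for Cisco's RC4, and the parameter names UIPassword and TftpFile, the six-digit key values and the codec value are constructed. EncryptKey, the prefix/ata<MAC> path format and the "#ata" header come from the post.

```python
import hashlib
from dataclasses import dataclass, field

# Every cfgfmt-produced file begins with the known plaintext "#ata" (from the post).
HEADER = b"#ata\n"


def stream_xor(key: str, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 counter mode) for the simulation.
    Cisco's tool uses its own RC4; the rotation logic does not depend on the cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_config(params: dict) -> bytes:
    """Text form of a config file: header line, then key:value lines."""
    return HEADER + "".join(f"{k}:{v}\n" for k, v in params.items()).encode()


def decode_config(plain: bytes):
    """Return the parameters, or None when the header is missing (wrong key)."""
    if not plain.startswith(HEADER):
        return None
    params = {}
    for line in plain[len(HEADER):].decode().splitlines():
        k, _, v = line.partition(":")
        params[k] = v
    return params


class TftpServer:
    def __init__(self):
        self.files = {}  # files exist only while a change is pending
    def publish(self, path, data): self.files[path] = data
    def fetch(self, path): return self.files.get(path)
    def delete(self, path): self.files.pop(path, None)


@dataclass
class Ata:
    key: str            # current RC4 key (six digits, per the post)
    ui_password: str    # current eight-digit UI Password
    config_path: str    # prefix/ata<MAC> path polled on TFTP
    params: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def poll(self, server: TftpServer) -> str:
        """One fetch of the configured path: at boot, on check-sync, or on schedule."""
        path = self.config_path
        data = server.fetch(path)
        if data is None:
            result = "not-found"
        else:
            cfg = decode_config(stream_xor(self.key, data))
            if cfg is None:
                result = "discarded"   # does not decrypt with the current key
            else:
                self.params.update(cfg)
                # Assumed parameter names for the three rotated values.
                self.key = cfg.get("EncryptKey", self.key)
                self.ui_password = cfg.get("UIPassword", self.ui_password)
                self.config_path = cfg.get("TftpFile", self.config_path)
                result = "accepted"
        self.history.append((path, result))
        return result


def provision_change(server, ata, current_key, new_key, new_password, new_path, changes):
    """Provider-side sequence from the post: file 1 rotates key, password and path
    under the current key; after the ATA resets, file 2 carries the real changes
    under the new key; both files are then deleted."""
    old_path = ata.config_path
    first = {"EncryptKey": new_key, "UIPassword": new_password, "TftpFile": new_path}
    server.publish(old_path, stream_xor(current_key, encode_config(first)))
    r1 = ata.poll(server)   # NOTIFY check-sync makes the ATA fetch immediately
    second = dict(changes, EncryptKey=new_key, UIPassword=new_password, TftpFile=new_path)
    server.publish(new_path, stream_xor(new_key, encode_config(second)))
    r2 = ata.poll(server)   # the ATA resets and fetches the new path at boot
    server.delete(old_path)
    server.delete(new_path)
    return r1, r2


def run_demo():
    """Constructed walk-through: one rotation, then a stale file under the old key."""
    server = TftpServer()
    ata = Ata(key="482913", ui_password="12345678", config_path="bsOWFaqFCa/ata000c30a4f276")
    results = provision_change(server, ata, "482913", "730561", "87654321",
                               "ssBySDwerb/ata000c30a4f276", {"PrfCodec": "0"})
    # A file encrypted with the superseded key is discarded, not loaded.
    server.publish(ata.config_path, stream_xor("482913", encode_config({"PrfCodec": "1"})))
    stale = ata.poll(server)
    return results, ata, stale
```

`run_demo()` returns `("accepted", "accepted")`, an ATA holding the new key and path, and `"discarded"` for the stale file. The simulation makes the security property of the scheme visible: the only gate on a configuration update is possession of the current key, since nothing in the file authenticates the sender beyond decrypting to a plausible header, so the strength of that key carries the whole design.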

ACQUIRING THE CONFIGURATION FILE

The configuration file does not change often, so it is
not frequently available for download.  A subscriber
can trigger a configuration update by changing the
Bandwidth Saver option between 30k and 90k on the
Dashboard Features.  This generates a pair of config
files with changed PrfCodec, TxCodec, and LBRCodec
parameters.

An ethernet sniffer like tcpdump or ethereal can be
used to observe the requested filename from the ATA at
boot time.  If the ATA is blocked from the internet,
any TFTP client can be used to download this file from
the Vonage server before the ATA gets to it.

This configuration file is of interest because it
contains in it the RC4 key used by the NEXT
configuration file and the new UI Password.

This file by itself does NOT contain the current UI
Password, filename, or RC4 key!  It contains the NEXT
passwords.  This file is special only because it is
encrypted with the current RC4 key expected by the
ATA.

If this file is to be useful, it must be passed on to
the ATA so that these settings can be accepted and
loaded into flash.

Immediately after doing so, the ATA will load the
second file update. This file contains configuration
changes, but retains the same UI Password and Key as
the first file.


PREPARATION BEFORE UNSUBSCRIBING

Before unsubscribing from Vonage and completing the
term of your subscription, it would be sensible to
acquire a configuration file that matches the contents
of your ATA.

To obtain the encrypted file, you must cause a
configuration event, make a copy of the file before
the ATA downloads it, then allow the ATA to find and
load the configuration file.

You may allow the ATA to download the second file as
usual, since it does not change the keys.


KEY WEAKNESS

A proper RC4 cipher using a 256-bit key on about 800
bytes of configuration data could be very hard to
decrypt.  The biggest weakness in the Vonage
encryption system is that they do not use this entire
keyspace.  Instead, every file is encrypted with a
six-digit key ranging from 000000 to 999999 decimal. 
This brings the keyspace down from impossibly huge to
quite small.  A brute-force search can be done in
minutes.
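To make the keyspace point concrete, here is an added Python example (not from the original post) that estimates the effective entropy of an EncryptKey under the derivation the post describes, where a short key is repeated to fill the 32-character slot, so the repeats add nothing; it flags keys drawn from a small space and generates a full-strength replacement from a CSPRNG. The 80-bit floor, the character-class heuristic for the alphabet, the trial rate and the function names are assumptions of the example.

```python
import math
import secrets
import string

# Assumed floor for a key an attacker can test offline at will; the post's
# six-digit policy (000000-999999) is far below it.
RECOMMENDED_MIN_BITS = 80


def shortest_period(s: str) -> int:
    """Smallest p such that s consists of its first p characters repeated.
    cfgfmt repeats a short key to fill 32 characters; the repeats add no entropy."""
    for p in range(1, len(s) + 1):
        if all(s[i] == s[i % p] for i in range(len(s))):
            return p
    return max(len(s), 1)


def alphabet_size(s: str) -> int:
    """Size of the alphabet implied by the character classes actually present."""
    classes = (
        (string.digits, 10),
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.punctuation, len(string.punctuation)),
    )
    size = sum(n for chars, n in classes if any(c in chars for c in s))
    return max(size, 1)


def effective_bits(key: str) -> float:
    """Upper bound on the entropy of a key: non-repeating length x log2(alphabet)."""
    if not key:
        return 0.0
    return shortest_period(key) * math.log2(alphabet_size(key))


def is_weak_encrypt_key(key: str, min_bits: float = RECOMMENDED_MIN_BITS) -> bool:
    """Provisioning-side check: reject an EncryptKey drawn from a small space."""
    return effective_bits(key) < min_bits


def exhaust_seconds(bits: float, trials_per_second: float) -> float:
    """Worst-case time to try every key at a given trial rate."""
    return 2.0 ** bits / trials_per_second


def generate_encrypt_key(length: int = 32) -> str:
    """Full-length key from a CSPRNG: what the 32-character slot was meant to hold."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(key: str, trials_per_second: float = 1e6) -> dict:
    """Summary a provisioning tool could log before shipping a key to a device."""
    bits = effective_bits(key)
    return {
        "bits": round(bits, 1),
        "weak": is_weak_encrypt_key(key),
        "seconds_to_exhaust": exhaust_seconds(bits, trials_per_second),
    }
```

For a six-digit key `report("123456")` gives about 19.9 bits and a worst case of roughly one second at a million trials per second, and the same key repeated to 32 characters scores identically because `shortest_period` collapses it back to six; a key from `generate_encrypt_key()` scores about 190 bits. The check belongs on the provisioning side, where the key is chosen, since the device cannot tell a weak key from a strong one.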

Further, since each configuration file starts with the
known plaintext "#ata", only the first few bytes of the
file need to be decrypted to test each candidate key,
so the search completes in seconds.

Once the key has been determined, the Cisco 'cfgfmt'
program can be used to decrypt the file and reveal the
entire configuration state.  A new configuration file
can be prepared using the same RC4 key, or the visible
UI Password can be used to reset the device and
configure anew.

It's likely Vonage will expand their RC4 keyspace very
soon, but in the meantime hopefully some ex-customers
can restore their ATA device to useful service.

