0 votes
143 views 3 comments
by

Hi,

I want to open a garage door via call-in, so I set up the call utilities. I set up one call route:

I had four phones to test. I called from phone A (the allowed number), the relay switched and the garage door opened. Then I called from phone B and the door opened, too! WTF?

So I did some testing and found the following bug and security flaw:

I rebooted the router, logged into it via SSH and ran "logread -f" so that I could see what happened.

  1. I called from the allowed phone A and the number from phone A was in the log - correct!
  2. I called from phone B and the number from phone A was in the log - FAIL!
  3. I called from phone C and the number from phone B was in the log - FAIL!
  4. I called from phone D and the number from phone C was in the log - FAIL!
  5. I called from phone A and the number from phone D was in the log - FAIL!

The first call after a reboot is correct every time. After that the router detects the number from before every time you call it. This is a security problem because if you know this, you can open the garage (or do whatever the router does with this function) even if you don't have the correct number. You just have to call it after it has been opened before, because the router recognizes your call as the call before.

What can I do here? Can somebody test and confirm this as a bug? Any help would be greatly appreciated!

Thanks in advance!

Best regards,

Rex

1 Answer

0 votes
by
Hello,

I just tested your configuration myself and could not reproduce the issue. Once I called from one number, the logread showed the correct number, and when I called from another phone, it showed the correct number too. I suggest reinstalling your router firmware version, restoring your device to the factory default configuration and trying again. If the issue persists, please send all logread screenshots and we will try to investigate further.

Regards
by
Hi,

I did reinstall the firmware several times and restored it to factory defaults, that's not the problem. Other suggestions?

Thanks in advance,

Rex
by
Could you send the log output to me via private message?
by
Hi,

I made several more tests. Most of the time it's blazing fast. I call the number from my phone and the RUT955 answers it even before I hear a ring tone, every time with the wrong number, or rather with the number before.

BUT... sometimes it takes a few seconds longer to answer, and THEN IT WORKS CORRECTLY! So I assume this is sort of a timing error. Because in the logs you can see

user.info Messaged[7539]: Start from new event "Call" "+49xxxxxxxxxx is calling"

I assume you are getting notified of a new call by the LTE-modem. I noticed it has an older firmware version. Maybe it's a bug in the modem firmware, or you could have a timing issue in your firmware.

What logs should I send you? Or do you mean a troubleshoot file?

Rex
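
Added example, not part of any post in this thread and not vendor code: one way to turn a captured `logread` session into evidence for a report like this is to compare the numbers actually dialed from, in order, with the numbers the router logged, and to flag every call where the allow-list decision would have been wrong. The regex follows the single log line quoted above; the phone numbers, timestamps and the names `audit` and `logged_callers` are constructed for illustration.

```python
import re

# Matches the message format quoted in the thread; the syslog prefix is ignored.
CALL_RE = re.compile(r'Start from new event "Call" "(\+?\d+) is calling"')

def logged_callers(log_text):
    """Caller numbers in the order the router logged them."""
    return CALL_RE.findall(log_text)

def audit(dialed, logged, allowed):
    """Return one (dialed, logged, id_verdict, auth_verdict) row per call."""
    if len(dialed) != len(logged):
        raise ValueError(f"{len(dialed)} calls placed but {len(logged)} logged")
    rows = []
    for i, (real, seen) in enumerate(zip(dialed, logged)):
        if seen == real:
            ident = "ok"          # note: two calls in a row from one phone also land here
        elif i > 0 and seen == dialed[i - 1]:
            ident = "stale"       # router reported the previous caller
        else:
            ident = "mismatch"
        if (seen in allowed) == (real in allowed):
            auth = "correct"
        elif seen in allowed:
            auth = "false_accept"  # action triggered for a number not on the list
        else:
            auth = "false_reject"  # allowed caller was turned away
        rows.append((real, seen, ident, auth))
    return rows

# Constructed sample: phones A-D and a log reproducing the sequence from the question.
A, B, C, D = "+490000000001", "+490000000002", "+490000000003", "+490000000004"
SAMPLE_LOG = "\n".join(
    f'Mon Jan  1 10:0{i}:00 2024 user.info Messaged[7539]: '
    f'Start from new event "Call" "{num} is calling"'
    for i, num in enumerate([A, A, B, C, D])
)

if __name__ == "__main__":
    for row in audit([A, B, C, D, A], logged_callers(SAMPLE_LOG), allowed={A}):
        print(*row)
```

Use a different phone for each consecutive test call, since a stale caller ID cannot be told apart from a correct one when the same number calls twice in a row.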