WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

RUT955 - Bug and Security Flaw in Call Utilities

0 votes
367 views 3 comments
by anonymous

Hi,

I want to open a garage door via call-in, so I set up the call utilities. I set up one call route:

I had four phones to test. I called from phone A (the allowed number), the relay switched and the garage door opened. Then I called from phone B and the door opened, too! WTF?

So I did some testing and found the following bug and security flaw:

I rebooted the router, logged into it via SSH and ran "logread -f" so that I could see what happened.

  1. I called from the allowed phone A and the number from phone A was in the log - correct!
  2. I called from phone B and the number from phone A was in the log - FAIL!
  3. I called from phone C and the number from phone B was in the log - FAIL!
  4. I called from phone D and the number from phone C was in the log - FAIL!
  5. I called from phone A and the number from phone D was in the log - FAIL!

The first call after a reboot is correct every time. After that the router detects the number from before every time you call it. This is a security problem because if you know this, you can open the garage (or do whatever the router does with this function) even if you don't have the correct number. You just have to call it after it has been opened before, because the router recognizes your call as the call before.

What can I do here? Can somebody test and confirm this as a bug? Any help would be greatly appreciated!

Thanks in advance!

Best regards,

Rex

1 Answer

0 votes
by anonymous
Hello,

I just tested your configuration myself and could not reproduce the issue. Once I called from one number, the logread showed the correct number, and when I called from another phone, it showed the correct number too. I suggest to reinstall your router firmware version, restore your device to the factory default configuration and try again. If the issue persists. Please send all logread screenshots and we will try to investigate further.

Regards
by anonymous
Hi,

I did reinstall the firmware several times and restored it to factory defaults, thats's not the problem. Other suggestions?

Thanks in advance,

Rex
by anonymous
Could you send the logs output for me via private message?
by anonymous
Hi,

I made several more tests. Most of the time it's blazing fast. I call the number from my phone and the RUT955 answers it even before I hear a ring tone, everytime with the wrong number respectively with the number before.

BUT... sometimes it takes a few seconds longer to answer, and THEN IT WORKS CORRECT! So I assume this is sort of a timing error. Because in the logs you can see

user.info Messaged[7539]: Start from new event "Call" "+49xxxxxxxxxx is calling"

I assume you are getting notified of a new call by the LTE-modem. I noticed it has an older firmware version. Maybe it's a bug in the modem firmware, or you could have a timing issue in your firmware.

What logs should I send you? Or do you mean a troubleshoot file?

Rex