________________________________________
From: JOLY, ROBERT (ROBERT)

That's a bit of an overstatement. If one does not have direct access to a phone to be monitored then it should be possible to put proper barriers in sipXecs to truly prevent unprivileged users from monitoring others. But I agree that as a first step, locking down the GUI is the way to go.
_______________________________________________
I would say that there are three levels of sophistication of this sort of attack:

- Using the GUI in the ordinary way to subscribe to BLF of someone you shouldn't have BLF for.
- Reprogramming your phone's BLF URI (or that of a softphone).
- Using a SIP diagnostic tool to construct a subscription directly to the targeted phone(s).

What we're trying to stop is the least sophisticated class of attacks. With some more work, we can probably stop class 2, by being more careful in requiring and using credentials. If we can get the phones to require that SUBSCRIBE requests come from the server (or have credentials), then we could also stop class 3.

Have there been similar problems with call pickup? If you can hear someone's phone ringing, you can just dial *78xxx and grab the call.

Dale
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
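The server-side barrier Dale describes for classes 1 and 2 amounts to two checks on every BLF (dialog-event) SUBSCRIBE: the request must carry verified credentials, and the watcher identity taken from those credentials (not from the forgeable From header) must be permitted to monitor the target. The following is an added example of that policy and is not code from sipXecs or from anyone in this thread. It assumes a realm of example.org, a constructed user table and BLF permission table, and RFC 2617 Digest authentication without qop; the sample SUBSCRIBE requests are constructed in-line.

```python
import hashlib
import hmac
import re

# Constructed sample data (not real credentials): SIP username -> password.
USERS = {"201": "pw201", "202": "pw202", "300": "pw300"}
REALM = "example.org"  # assumed realm used in Digest challenges

# Constructed BLF permission table: watcher -> extensions it may monitor via
# the "dialog" event package. Anything not listed is denied.
BLF_PERMISSIONS = {
    "300": {"201", "202"},  # e.g. a receptionist watching two lines
    "201": set(),           # an ordinary user with no BLF rights
}


def digest_response(user, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def parse_sip(raw):
    """Split a SIP request into (method, request-URI, {lower-case header: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict, or None if not Digest."""
    if not value.lower().startswith("digest "):
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', value[7:])
    return {k: v.strip('"') for k, v in pairs}


def credentials_ok(params, method):
    """Verify a Digest Proxy-Authorization header against the user table."""
    user = params.get("username")
    password = USERS.get(user)
    if password is None or params.get("realm") != REALM:
        return False
    expected = digest_response(user, password, method,
                               params.get("uri", ""), params.get("nonce", ""))
    return hmac.compare_digest(expected, params.get("response", ""))


def target_user(to_header):
    """User part of a To header, e.g. '<sip:201@example.org>' -> '201'."""
    m = re.search(r"sip:([^@;>]+)@", to_header)
    return m.group(1) if m else None


def authorize_subscribe(raw):
    """Return the SIP status the server should answer a BLF SUBSCRIBE with."""
    method, _uri, h = parse_sip(raw)
    if method != "SUBSCRIBE":
        return 405  # Method Not Allowed: this policy only covers SUBSCRIBE
    if h.get("event", "").split(";")[0].strip() != "dialog":
        return 489  # Bad Event: only the BLF (dialog) package is policed here
    params = parse_digest(h.get("proxy-authorization", ""))
    if not params or not credentials_ok(params, method):
        return 407  # Proxy Authentication Required: no anonymous subscriptions
    # The watcher identity comes from the verified credentials, never from
    # the From header, which a reprogrammed phone can set to anything.
    watcher = params["username"]
    if target_user(h.get("to", "")) not in BLF_PERMISSIONS.get(watcher, set()):
        return 403  # Forbidden: watcher has no BLF right over this extension
    return 200


def build_subscribe(watcher, password, target, nonce, authenticate=True):
    """Constructed SUBSCRIBE as a phone would resend it after a 407 challenge."""
    uri = f"sip:{target}@{REALM}"
    lines = [f"SUBSCRIBE {uri} SIP/2.0",
             f"To: <{uri}>",
             f"From: <sip:{watcher}@{REALM}>;tag=1",
             "Event: dialog",
             "Expires: 3600"]
    if authenticate:
        resp = digest_response(watcher, password, "SUBSCRIBE", uri, nonce)
        lines.append(f'Proxy-Authorization: Digest username="{watcher}", '
                     f'realm="{REALM}", nonce="{nonce}", uri="{uri}", '
                     f'response="{resp}"')
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print(authorize_subscribe(build_subscribe("300", "pw300", "201", "n1")))         # 200
    print(authorize_subscribe(build_subscribe("201", "pw201", "202", "n1")))         # 403
    print(authorize_subscribe(build_subscribe("300", "pw300", "201", "n1", False)))  # 407
```

This only helps for subscriptions that pass through the server. Dale's class 3, where a diagnostic tool sends the SUBSCRIBE straight to the phone, never reaches this check, which is why he points at the phone side: the endpoint itself has to reject subscriptions that do not come from the server or do not carry credentials, and that is a phone configuration matter rather than a server policy.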
