Vodia PBX forum
Carlos Montemayor

Phantom calls on Yealink Phones


Hi,

I know this is going to sound weird, but well, it is happening to us. A few days ago, a couple of Yealink phones started to behave strangely. They started to ring, as if there was an incoming call from another extension, and since such extensions do not exist in the domain, they should not happen at all. The calls are not recorded in the call log and they do not show up in the active calls window. If you answer them, there is no audio whatsoever. It is really a problem because there can be from 50 to 100 phantom calls during a single working day. I believe this has nothing to do with the PBX, although the caller ID of the calls appears to be the same as existing extensions in other domains (could be just a coincidence). One of the phones, a T20, stopped this weird behavior after stepping it down a couple of firmware versions. For the other, a T22, I have yet to find a cure.

Has this happened to somebody else?

Regards


These days it is easy to get paranoid. Are they somehow accessible from the public Internet? Maybe there is a scanner that is causing those calls. We got bashed in the old days for dropping packets not coming from the registrar, as it is not RFC compliant; but now, in the world we are living in, such RFC compliance can hit you hard.

I don't think this is a software bug on the phones per se. There must be some traffic hitting the phone. Maybe there is a way to find out with PCAP and port mirroring on the switch they are connected to. If there are so many calls per day it should be easy to find out where it comes from (unless they also spoof the source IP, which is easy on UDP). At least we can see if the packet comes from the PBX.
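The check suggested above, written out as an added example that is not part of the original post: given the UDP payloads seen at the phone, list every SIP request that did not come from the PBX. The PBX address, the sample packets and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

PBX_ADDRS = {"192.0.2.10"}  # assumption: the site's registrar/PBX address
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via"}  # RFC 3261 compact names

# Constructed sample: (source IP, UDP payload) pairs as exported from a capture.
# "friendly-scanner" is the User-Agent string SIPVicious sends by default.
SAMPLE = [
    ("192.0.2.10", "INVITE sip:201@10.0.0.21:5060 SIP/2.0\r\nFrom: <sip:200@pbx.example.test>;tag=a1\r\nUser-Agent: ExamplePBX\r\n\r\n"),
    ("203.0.113.77", "INVITE sip:100@10.0.0.21 SIP/2.0\r\nFrom: \"100\" <sip:100@198.51.100.9>;tag=b2\r\nUser-Agent: friendly-scanner\r\n\r\n"),
    ("203.0.113.77", "OPTIONS sip:100@10.0.0.21 SIP/2.0\r\nf: <sip:100@198.51.100.9>;tag=c3\r\n\r\n"),
    ("192.0.2.10", "SIP/2.0 200 OK\r\nFrom: <sip:201@pbx.example.test>;tag=d4\r\n\r\n"),
]

def parse_request(payload):
    """Return method, request URI and headers of a SIP request, or None for anything else."""
    lines = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        return None  # SIP response or non-SIP traffic
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    return {"method": m.group(1), "uri": m.group(2), "headers": headers}

def unsolicited_requests(packets, pbx_addrs=PBX_ADDRS):
    """List SIP requests that reached the phone from an address other than the PBX."""
    findings = []
    for src, payload in packets:
        req = parse_request(payload)
        if req is None or src in pbx_addrs:
            continue  # a UDP source address can be spoofed, so a PBX match is not proof
        h = req["headers"]
        findings.append({"src": src, "method": req["method"],
                         "from": h.get("from", ""), "user_agent": h.get("user-agent", "")})
    return findings

def invites_per_source(findings):
    """Count INVITEs per non-PBX source; each one is a ring on the phone."""
    return Counter(f["src"] for f in findings if f["method"] == "INVITE")

if __name__ == "__main__":
    hits = unsolicited_requests(SAMPLE)
    print(hits, dict(invites_per_source(hits)))
```
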


Yep, these aren't calls. Someone is scanning you using SIPVicious.

This is how I got rid of these calls for good:

1. Update the firmware,

2. Go to Features --> General Information and set Allow IP Call to Disabled,

3. Use the Yealink Configuration Generator Tool and find the option account.1.sip_trust_ctrl. Select it, set the value to 1, save the configuration file and import it to the phone. If you have more accounts on the phone, you need to do this for all the accounts.

Hope it helps.
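An added example, not part of the original post: a check that a phone's provisioning file carries both settings from steps 2 and 3 for every enabled account. The sample file is constructed, and features.direct_ip_call_enable is assumed here to be the config-file parameter behind the "Allow IP Call" web setting; the page itself names only account.1.sip_trust_ctrl.

```python
import re

# Constructed sample of a Yealink-style provisioning file (key = value lines).
SAMPLE_CFG = """\
#!version:1.0.0.1
account.1.enable = 1
account.1.sip_trust_ctrl = 1
account.2.enable = 1
account.2.label = Sales
account.3.enable = 0
features.direct_ip_call_enable = 1
"""

def parse_cfg(text):
    """Parse 'key = value' lines; '#' lines and blanks are skipped, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return findings for the two settings from the post, across every enabled account."""
    findings = []
    # Assumption: this parameter maps to "Allow IP Call"; a missing key counts as not disabled.
    if settings.get("features.direct_ip_call_enable") != "0":
        findings.append("features.direct_ip_call_enable is not 0 (Allow IP Call not disabled)")
    accounts = sorted({int(m.group(1)) for k in settings
                       if (m := re.match(r"account\.(\d+)\.", k))})
    for n in accounts:
        if settings.get(f"account.{n}.enable") != "1":
            continue  # unused account slot
        if settings.get(f"account.{n}.sip_trust_ctrl") != "1":
            findings.append(f"account.{n}.sip_trust_ctrl is not 1")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_cfg(SAMPLE_CFG)):
        print(finding)
```
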


Is that something that we should include in the Yealink provisioning template?


Hi,

Updating the firmware had already decreased the problem to about 50%.

Disallowing IP calls seems to have reduced the problem to zero (although it may be too soon to evaluate).

I found the Yealink Configuration Tool and also the option account.1.sip_trust_ctrl. However, the options are only "disable" and "enable", and therefore I cannot set it to "1" (no such option).

Now that I understand that I had a couple of sites under attack, I increased the level of security of the firewall on the sites' routers.

Thanks for the good advice. Besides the risk, receiving about a hundred phantom calls is a big nuisance. One of the phones (the T20) was in a demo with a potential customer; I figure that I would not be able to close the sale with that behavior.

Can you elaborate on the option account.1.sip_trust_ctrl? That was the only piece of advice that I could not implement.

Regards and thanks again


Hello,

My mistake. By 1 I meant Enabled (after enabling it and clicking Add you will see why I got confused).

Is that something that we should include in the Yealink provisioning template?

From a security perspective it sounds right (and not just for Yealink phones; for instance, I have seen Polycom phones with the same issues). But further and more thorough testing is required. I mainly have experience with the T2X series and I am not sure if these settings are available in all Yealink phone models. Also note that account.1.sip_trust_ctrl wasn't available in previous firmware versions (if I remember correctly, it was introduced in version X.72.0.30).

By the way: Yealink T20(P) is EoL and, according to our suppliers, Yealink T22P(P) as well (although still listed as a current model on Yealink's web site).
