atcomsystems.ca/forum Forums TDM Business Telephone Systems Avaya - Lucent Telephones & Systems Partner Mail VS security / hacking - how to prevent?!

Hi, I just set up a Partner ACS 2.0 / Partner Mail VS 4.1 system. Everything's working great, but within 24 hours of setup I heard from the receptionist at the office that she can't log in to P Mail VS to update the auto-attendant greeting.

At first I thought I had written the instructions wrong, but it turns out that the admin password had actually been changed.. I did some reading on the net and was able to get in and reset the admin password, but.. UHHH, isn't this a HUGE problem?

I mean someone can get in and reset the voicemail system to defaults, taking all mailboxes & saved messages with it, in about 30 seconds if they know what they're doing. That could be disastrous for the organization I'm servicing.

They can't afford to upgrade to Partner Messaging; are there any kludges or external solutions to this problem, like putting a touch-tone interpreter on the CO lines and intercepting any sequence that starts with 99# ? I don't care if I have to completely disable external / off-site VM administration; I don't want the VM system to be hacked and messed with or reset.

Thanks for any remarks / tips on this glaring issue. Really idiotic of Avaya/Lucent to have put the dumb backdoor in there in the first place.

Really idiotic of Avaya/Lucent to have put the dumb backdoor in there in the first place.

Well, there has to be a backdoor to get into the system when the admin pass is not known. The Partner Messaging works the same way only those backdoors are not as well known YET. Don't blame Avaya, blame the internet. This is a perfect example of why we will not give out passwords here but will offer to reset your system for you.

As for your situation, can you think of anybody who would want to maliciously change the admin password? Sounds to me like it was done by someone in your office who thought it should be changed or by mistake. This is a new system. Check around, it's always the case that no one will own up to it but I wouldn't suspect a hacker.

-Hal

Hal has hit the nail right on the head, other sites and boards freely post passwords which is the WRONG thing to let happen and that is the problem not the equipment.

Example, saw the password string to default a PC mail the other day on a site (won't say which one but it wasn't this one) Any hacker or mad employee had access to it and could really do some damage with it. Not good.

There's no one else in the office even remotely capable of logging in to the voicemail admin account (i.e. they simply don't know how.) Also there are only 5 people in the office; I know them each personally.

The whole "protect the magic codes, don't put them on the Internet!" attitude is a kindergarten, ostrich-head-in-the-sand approach to security known as "Security through Obscurity." It doesn't works when it costs no one a red cent to freely post & copy the "key under the doormat" to a system. (See: en.wikipedia.org/wiki/Security_through_obscurity )

I know you all aren't the programmers of the system, but there's no excuse for putting such blatant back doors into any important system, none except sheer laziness. It should not be possible to reset the system password withou A) being physically on-site with the equipment or B) knowing some piece of unique information such as the system's serial number.

I strongly encourage you to shout at your telecom equipment makers about what a... I can't even find the words, it's so third-grade. What a stupid practice this is.

(P.S. I am not ranting about DEFAULT passwords, I am ranting about UNCLOSEABLE BACK DOORS written into systems.)

To start off with who did you purchase your equip. through?

The key to any telecom equip is getting a good vendor that will take care of you and your equip..

Telecom equip isn't something you go to best buy or e-bay and pick-up if you think anything about your company.

You communication to the outside world should be done by someone who knows what they are doing and not joe blow that does that on the side.

Second you may want to finsh your profile in order to get much help here.

Thanks,

It doesn't make sense for a hacker to just change the admin password and leave everything else alone, something else is going on here. The backdoor password was never a problem until the internet and people started posting it, you will find most all system have a back door to them.

To tell the truth you are the first person I have ever heard of to have this problem, and I have been selling Partner systems since they came out. So I don't think this is the big security issue you make it although I'm sure it happens.

People who own Avaya systems are supposed to have a relationship with a dealer who would handle such things a lost admin password and remote administration. There would be no reason for the customer to need the backdoor or even know one existed. Dealers do not divulge such information anyway.

Enter the internet. Buyers think they are getting a slick deal but there is no dealer that they can turn to and tech support is almost non existant or incompetant from gray market sellers. So not only is there a desire to know by the end user but now the information gets freely distributed when it is learned.

So basically by buying off the internet you have screwed yourselves on the security issue.


-Hal

Could not have said it better myself Hal!

:bow: :thumb:

Post retracted.

A brief follow-up to Hal:

Thanks for jumping to the wrong conclusions. I didn't buy the system off the Internet. It was donated to the non-profit organization I'm assisting (after it was decommissioned from another company.)

That non-profit happens not to be able to afford what are I'm sure your quite expensive service rates.

Again, this query has NOTHING to do with whether I do or don't have a service provider; clearly from all that I have read on the internet there simply ARE NO SOLUTIONS to the gaping, intentional security hole, and I find it unlikely that if I were to purchase service from you that I would learn different.

Here, I'll put my money where my mouth is. If someone here has knowledge of the system that would let me configure it such that it was NOT VULNERABLE to outside callers using the standard (very well known, try google) Partner VS 4.1 backdoor admin password to get into the system, I will gladly PAY you $100.00 by PayPal as soon as I verify that your fix, whatever it is, works.

(This offer applies only to the stock system as it is, I'm not paying someone $100 to be told, "Upgrade to Partner Messaging!" or "buy 4 of these gadgets to put on your 4 CO Lines!" If no one can come forward with an answer on my terms I'll consider it conclusive proof that there is no solution and that all that any of you can do is blow smoke about the warm happy feelings that come from an expensive service contract -- meanwhile not having any actual improvement of the disgustingly bad security of the system.)

Thanks.

Quoting Hal:
>People who own Avaya systems are supposed to have >a relationship with a dealer who would handle >such things a lost admin password and remote >administration. There would be no reason for the >customer to need the backdoor or even know one >existed. Dealers do not divulge such information >anyway.

Hmm, that's interesting, is there actually a legal clause in the sales contract that says, "In order to own or use this physical hardware & software, you MUST have a contract with a dealer for support and service"? Are there enforceable legal penalties against private acquistion and use of Avaya/Lucent phone systems? If not, your remarks are just wishful thinking.

----

>Enter the internet. Buyers think they are getting >a slick deal but there is no dealer that they can >turn to and tech support is almost non existant >or incompetant from gray market sellers. So not >only is there a desire to know by the end user >but now the information gets freely distributed >when it is learned.

-----
This is a fact of life called "change" (i.e. the Internet and its availability of all types of easily searchable information) and is no excuse for piss-poor security. Lucent/Avaya ought to have anticipated this a decade or more ago -- the Internet was sufficiently widespread even in 1995 for this development (distribution of backdoors) to have been expected.

>>So basically by buying off the internet you have >>screwed yourselves on the security issue.

That's not a fair remark. You're saying because *I* personally got a donated system from another end-user that I am responsible for the system's security problems? Silly. Think about it. How many people does it take to spoil the secret of the Partner VS backdoor? How many, Hal? One person.

Don't lump together the hundreds, probably thousands of other non-dealer system installers and end-user admins with the one (or few) people in YOUR industry who decided to divulge the passwords.

Again, the entire problem could have been avoided with even the slightest forethought by Avaya.

What stinks, generally, about Telecom providers is not your prices, per se, but the general attitude of condescension toward your end-users. The fact that your business depends on a small amount of private and arbitrary information (such as back door passwords) makes it understandable that you would resort to "Well it shouldn't be that way!" as an excuse for covering over poor security.

Again, the entire problem could have been avoided with even the slightest forethought by Avaya.

Actually I'm sure it was given forethought. Avaya is in the business of selling product and making it easy to support the customers who buy it. What happens to old equipment after it has left the original owner is of little concern.

If this is such a big issue to you get a Partner Messaging r7.0. That password is not in general circulation.

Why is it that the people who pay little or nothing are always the ones to complain the loudest?

-Hal

sound like a computer guy. hey anachron rj11's fit in rj45's

As I said, this system is installed at a non-profit organization that can't afford to upgrade to Partner Messaging 7, period. And "the password is not in general circulation?" HELLO? How long would you guess before it will be?

There is simply no reason for all the dumb "oh don't post the password on the internet!" Please realize what an awfully stupid situation that is. There is no reason, at all, that the backdoor password for each unit cannot be easily tied to the SERIAL NUMBER of the unit (or the software license key, if it's software-only.)

As for "what happens when the equipment leaves the original owner," again, that's just another jab at organizations who don't happen to be able to afford brand-new Avaya equipment and support.
If I had purchased this system brand new for $5,000 from you, plus a support contract from here to infinity including afternoon tea served daily, I would still be pissed about this stupid backdoor.

I'll increase my offer to $250.00 for anyone who can give me instructions for securing my stock Partner Mail VS 4.1 in such a way that the standard backdoor is disabled, permanently. (No additional hardware allowed, and no dangerous flashing with custom non-factory firmware or anything of that type.)

As for RJ11's fitting in RJ45's, yeah, they do, but they also will damage the RJ45 very quickly if that's done more than a few times. Don't do it.

Three county fairs and a goat rope and I ain't heard nothin like that!!!!!!!!!!!!! :rofl:

anachron I feel for you and wish I could offer advise. I agree with your comments on the security, and you are correct with the RJ45-RJ11, they will damage the pins. Not sure at what point this board decided to stop posting passwords, but it has not been very long. So don't let the high and mighty attitudes some have here turn you off. On the other hand, you need to realize that by getting old equipment, you are subject to bugs and other issues that newer equipment resolves.

Ya know what? Except for the arrogance, anachron's right! The older Partner Mails could have their password reset, but you needed the serial number and you had to cycle the power to do it. You run into problems when the hard drive is replaced, but the serial number is not. Not likely that a "hacker" (and I prefer the old school definition of hacker, it's where I started) is going to pull that one off anomyously.

Now, I love being able to dial into a customer site, get into programming, find and fix a problem for them. But I would be willing to not have backdoor passwords if I could go on site and reset it there.

However, rocks are hard and water is wet. The p/w's are out there, so if you find it an unacceptable security risk, just don't use it.

The practice of not posting passwords on this board have been in place forever, as for the high and mighty we have always offered to dial in and reset VM's so I don't know where you got that from. I grant you passwords have been posted on the board but we try to catch and delete off the open board.

That non-profit happens not to be able to afford what are I'm sure your quite expensive service rates.

You are arguing against yourself there. If there were no backdoor passwords we would have to pay a visit to the site and charge for a service call.

The reason we charge what we do is because WE don't want to become a non-profit. Geeze, then we couldn't afford a new voice messaging system. :toothy:

-Hal

not trying to start anything here, but you DTMF have a post giving someone a backdoor password to a system. They were not even a tech.(If you wish I can email you the link, no need to draw attention to it.) Not complaining cause I ended up needing it.

O - I believe it. I'm as guilty as the next guy but I try to watch it. Shoot me that mail so I can get rid of it, with over 5,000 posts Im sure I'll never find it. I found one the other day that was about 3 years old so I know I'm just as guilty as anyone else.


Somebody, please please fire me! :shrug:

I once posted a backdoor password on Usenet. Some guy ripped me a new one, telling me to consider how much damage I had done, letting it out, and that I should cancel my post with my News provider, etc. etc.,

Well, he had a valid point. It was stupid of me to post it. So I canceled it with my news provider (which probably doesn't get most of them off of the news servers), I went to Google and went through a procedure to remove it, which they did.

The funny part of the whole saga is that the guy that ripped me quoted my post in whole, revealing the p/w again, and when that was pointed out to him, he didn't do anything about it himself!!

So we all need to be vigiliant about posting and removing posts that contain passwords.

It seems this post has gotten off subject a bit. A guy needs help with his voice mail. Are you sure your system is getting hacked, and it is not crashing and defaulting? You say it happens pretty quick... has anyone monitored call trafic in to see if someone is playing in the mail? A digit grabber is a great little device you can hook up to suspected lines and see what the caller is dialing. You can block calls, monitor calls, ask for the phone companies help, etc... I suspect you have a bad voice mail before a hacker. Just my 2 cents.

It seems this post has gotten off subject a bit. A guy needs help with his voice mail. Are you sure your system is getting hacked...

It was suggested early on that it would be unusual for this to be a hack. That bit of logic was dismissed in favor of the rant that continued on.

As you say there are ways to track this problem down (if it really was a problem)... but then what do we know.

-Hal

Easy fix don't allow voicemail to answer, send all voicemail traffic manually and get a answering machine for after hour traffic. Still, this isn't bulletproof. If your looking for better security then your current equipment can provide your out of luck. I suggest for future insight that you check into the equipment that has been donated before you install it. It definitly is worth a service call to find out exactly what you are getting yourself into. But finger pointing and blame shouldn't bee done here. Give AVAYA a call and express your rage to them.

I love these type posts. I really like tincanphoneman's avatar too. But as I've said many times a phone mans advice is far and above the most valuable asset he has for his customers. I tend to agree that "hacking" has occured. I think you had a power issue that defaulted your password. Now, for the issue of a backdoor. The system has one cause that's the way Avaya wants it and I don't own enough stock in the company to BEECH about it. I do however recommend other systems when it comes to my customers. I'm not knockin AVAYA here, but if ya look at they don't like to be in the business of selling phone equipment anyway. Do ya remember the replaced Lucent logo. They changed it because everyone was telling the joke of why they had that logo. Reason, because that was what your butt ***** looked like when they got thru with you.
That should give this post a whole new run of life. I'll be watching.......

Everthing has a back door. Dont you think microsoft has a way to see everything on your computer/server at any given time? And give avaya some credit for actually addressing the problem. The backdoor your talking about is only on the older systems. The new ones dont come like that and if you really want to address your problem I have a release 6 Merlin Legend with a 007 MLM (which cant be hacked without serial number)voice mail if you want to trade I will gadly do so if you pay the shipping.

I wanna know when this will be made into a full length feature film

lol

Avaya is not the only manufacture that has security holes-hell even our government has them. If there were no holes there would be no hackers. Micro$oft is the worst by far and now we have just come accepted it as normal. But Symantic loves it

Micro$oft is the worst by far and now we have just come accepted it as normal.

You got that right!

If you are worried about a backdoor password and Avaya take a look at this link-

https://membrane.com/security/secure/Microsoft_Is_Unscrupulous.html

Microsoft makes Avaya look like amateurs.

-Hal

I have been working on Avaya systems for 15 years. Now I will agree, some of the resets are too accessible, but that is a price for convienence more than anything. I don't install Avaya voice mail products anymore, unless specifically requested. I can say, I have NEVER personally seen a Partner Mail hacked, especially one that was "hacked" and nothing changed. There is just nothing for a hacker to gain but a few voice mails. It is not like they can download music, spy on you, etc... I would have to agree with the previous poster about someone internal changing the password. If your not sure, download a free trial of Tapit call accounting software and monitor the traffic. One of the reasons that voice mails are not subject to hacking is the fact that everything must be "hacked" by hand. Unlike most computer hackers, who run some type of hacking program, you literally must sit at a telephone and dial into a system to do damage. Becomes too time consuming to do it. The only real "hackers" I have come across are current and former disgruntled employees with access to passwords and procedures.

Dunno how old this topic is, but I personally am grateful such a backdoor exists. We just picked up a Partner VS as part of a payment for moving a system (the partner system was left behind by previous tennants), and the admin password was changed. I was able to get the backdoor and put the password back to default so that I could program the system.

If you can't program it, the system is useless...

Stupid question...is the R7 password different (send me the answer via PM if you're able...)

Message 1: posted November 15, 2005 12:16 AM

Yes the R7 has a different backdoor password, which is closely guarded. I don't personally give it out. It can be reset remotely, usually for a charge, unless you are an Avaya Business Partner, contact your supplier.

First time I needed an Avaya (AT&T then) backdoor password (before this board was up) we had their tech support call in and we just put a digit grabber on the line, then we read the 4 digit code back to the support guy after he dialed into the system. He was silent for over 30 seconds on his end! We laughed for weeks. And we DO hold these confidential.

That's cool...

We are both a vendor and a business partner, so if I ever need to find it out I can do so...

To be honest, we rarely install the Partner messenger system anymore. If a customer needs those kinds of features, then we usually point them to an Intertel Axxess.

I have a not for profit company that i volunteer for. I set them up a Partner Mail system on an ACS. They need to change their main menu message, and cannot find the mailbox # or password that i wrote down for them.
it has been over a year, and i dont remember it either.

can anyone here help?

they are not for profit and can't really afford the $106 that avaya is charging.

I suppose they can pay something if nobody is willing to donate the few minutes it takes to do the reset, as long as it isnt a lot.

Thanks
ian

ian, please create this as a new topic rather than piggy-backing off of an old one. People will help out much faster that way. Also, please complete your profile so we know who we are helping. Thanks.