Broadvox Direct Security Hole
It seems as though Broadvox Direct has run into another issue, this time in the form of a security hole that exposed the configuration files for approximately 200 customers, according to Voxilla. These files are generally supposed to be encrypted. The problem is that a significant portion of the files were not encrypted, and the information they contained could have been used to make phone calls on other people’s bills, or receive other people’s phone calls. Obviously, anyone affected by this should check their call logs to ensure no unauthorized calls were made. I checked mine and, as near as I can tell, no unauthorized calls were made on my service, or at least ones that cost me any money.
The problem was posted to Broadband Reports VoIP Forum fairly quickly after discovery and was responded to with equal quickness. Initially, the response involved removing access to the unencrypted configuration files. They then reprovisioned all existing customers with new configuration files, presumably changing all the authentication data so that anyone who did download those configuration files would find the data they contained useless. The adapters, which are set to periodically poll the server for a new configuration file, would then download the new file and pick up the updated configuration. As of this evening, my BVD-supplied adapter is downloading a new, fully encrypted configuration file (or at least it is to my eyes).
Jeffery Williams, usually willing to discuss service-related issues, was tight-lipped on this issue. His posting on Broadband Reports was very terse: “While I am not yet prepared to make a statement on this issue I assure you that it is being addressed. I will have more to say on this subject at a later time.” A smart move, IMHO, as it is unclear what the impact of this issue is. I expect a more formal response will occur after an assessment has been done and the workweek is actually underway.
There may have been no fraudulent use as a result of this bug, or there could have been tons. It could have been an honest mistake, or it could have been part of a nefarious plot. Depending on how widely this story gets out (so far, the story has only shown up on Voxilla and Broadband Reports according to news.google.com), it could have an impact on consumer confidence with Broadvox Direct. Or it may not be that big of a deal. Time will tell.
I still have confidence in Broadvox Direct. Thus far, they have done “the right thing” with customers. They addressed this issue with what I consider a ruthless efficiency. Jeff was as upfront as I feel he should be about this issue under the circumstances. Furthermore, this kind of issue has happened once before with the biggest name in the consumer VoIP space — Vonage.
About 8 months ago, I recall running across a program that supposedly brute-forced the encryption key used on the configuration file used by the Cisco ATA-186 supplied by Vonage at that time. The goal was primarily to “unlock” the ATA-186 so that it could be used with Free World Dialup, not to make long distance calls on someone else’s account. There were also some firmware bugs with the ATA-186 that permitted users to essentially “factory reset” a provider-locked unit so it could be used for other users. Cisco and Vonage “quietly” addressed the issue, made the units significantly harder to break into, and everyone moved on with life. Last I checked, Vonage was still going strong with over 120,000 subscribers.
What I’m trying to say is: in context, I don’t view this issue as a huge deal. Security issues happen to all companies, big and small. It’s all in how you handle it, and from what I can see, Broadvox Direct has done a good job so far.