Polycom VVX 410 - Password resets to default on each reboot

Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members. The community moderator provided the following reason for archiving: We have archived this topic as it has either reached a resolution, has become inactive, or information contained in this thread is no longer accurate. If you have a related question on this subject, please post a new topic.

We have VVX 410s we purchased from a 3rd party.  Ever since the latest firmware release (UC Software 5.4.2.6722, Updater 5.6.2.5888), the phone alerts if a default admin password is in use.  We can change the password no problem.  When the phone is rebooted, the password returns to the default.  

Has anyone seen this or know why it's happening?  Maybe I'm missing something?

Billy O'Neal

Posted 4 years ago

Nathan Malone, U.S. Tier 3 Support

Hello Billy,

The password is coming from the configuration file that the phone pulls when it registers to our servers as a VVX 410. As the phone is a 3rd party device the password is set as default every time the phone is rebooted and registers with our servers. The phone looks for and pulls down the most up-to-date config file every time it registers. This is why the password is overwritten.

If we change the phone to an "Other Phone" in the system you would be able to set the password for the phone and it would stay because the phone would no longer pull the configuration file when it registered.

The downside to this is that when you set the phone to an "Other Phone" you lose the ability to do presence and use the softkeys as these features come from the configuration files.

RC-Installer, Champion

Nathan, why is the password overwritten?  It is not like that when using a phone purchased directly from RingCentral, correct?

Would be nice to know if this will be fixed in the future or not; otherwise recommending the Cisco phones may be the way to go, as they are less complicated than the Polycom.

People just want to know if this is something RC is going to fix or not.  Custom configs that lose functionality are not really an option.
 

Billy O'Neal

That's kind of what I figured.  Thank you!

Steven Yaskin

So what is the recommended solution for these types of phones (I have VVX 410) to not overwrite the admin password? It is quite annoying...

Mike, Official Rep

Steven... I guess it boils down to personal preference and if you need presence and other soft-key functionality that Nate mentioned.  I can't promise any changes but you are welcome to submit a feature request here on the Community.

If we change the phone to an "Other Phone" in the system you would be able to set the password for the phone and it would stay because the phone would no longer pull the configuration file when it registered.

The downside to this is that when you set the phone to an "Other Phone" you lose the ability to do presence and use the softkeys as these features come from the configuration files.

GEORGE MKRTCHYAN

I agree with Steven. That blinking Warning icon drives all my customers crazy. There has to be a way to resolve this. Feature Request: Either allow phones to have non-default password and not reset after each reboot OR figure out a way to at least disable that warning icon on the phones.

Plus, in regards to security, isn't it better to change the default password on all phones?

Ottis Compton

I agree, we are in the same scenario.  We are on our first day live on the RingCentral system.  We are paying for premium extensions but purchased our phones from a different source than RingCentral.  Obviously we want to use the preference feature and we shouldn't have to give that up to keep the password we are setting for the phone.

Brad Baker

Us too.  Management couldn't ignore the price difference in buying the phones at half the cost somewhere else.  I don't understand the purpose of broadcasting to the world that the phone has the default password.

Noah Stahl

We're seeing the same thing with Polycom VVX 411 phones. The responses so far aren't really sufficient -- this is a security issue caused by RingCentral. You have a secure phone, then hook it up to RingCentral's service, and now you have a phone that can potentially be abused by anyone. These are models supported by RingCentral joined to the service using the standard instructions and options. We need RingCentral to support a secure and functional configuration, which means keeping the phone passwords off limits from configuration overwrite.

Steven Yaskin

I am trying to fight this request through the ranks at RC but to no avail so far. Any thoughts on the "hard request"? Perhaps, if we get more people complaining about a potential security breach we can get some attention?

GEORGE MKRTCHYAN

I can't believe this thread has been open for a year now. Steven, maybe it's going to take an actual security breach, instead of a potential breach, to get them to pay attention.

GEORGE MKRTCHYAN

Right now RingCentral is growing so fast that it's overlooking some major issues that are staring it in the face. I guess it's going to take an "Equifax" type incident to get them to wake up and tackle the important things first, like security.

Steven Yaskin

Let's hope it does not happen. But I tried escalating it to management to no avail. Was promised a fix soon, but it has been a year.

Noah Stahl

I spent some time with support and confirmed that RingCentral configuration is indeed controlling the password on the device, including reverting it to the default upon boot. The current "workaround" is for them to set a unique password on their side, which you'd have to get from them *per phone*. This is obviously impractical for a device base of any nontrivial size.

Aside from that, the answer from support including supervisor is just to comment here and hope that it catches somebody's attention on the product side. There is no effort shown to own the issue and escalate it for resolution.

I'll reiterate that I believe this presents a security risk to RingCentral customers and should be taken seriously. Today, we see plenty of examples of botnets and other security snafus attributable directly to the use of default passwords on network-accessible devices.

The right way to address this is to provide a mechanism for the password to be reliably managed by the customer, either locally or through the service portal. Or, just publicly announce that RingCentral is declining to address this, and allow us to decide what alternatives we might want to pursue.

GEORGE MKRTCHYAN

100% agree. RingCentral is leaving the door open to their servers, compromising their own systems along with their customers'. I would imagine it's not that difficult to add a password field in the phone settings page on the Admin portal that can then be passed to/from any configuration file.

Steven Yaskin

I actually used to have a Linux-based on-premise VOIP PBX system. It was hacked so badly, it forced me to seek a more "reliable" cloud-based solution to avoid building and maintaining my own security. Enter RingCentral, with the premise to do exactly that. Turns out, RC basic security and user-based features (like "beep on hold reminder", etc.) on non-RC issued devices are not supported. While phone-enabled features are something we can put in the category of "nice to have" (why??) - the security features like default device admin password MUST be addressed. It is unfortunate that not only are these security issues not being addressed, they are not currently being acknowledged, and a growing number of user complaints are being ignored. Let's get more users supporting this thread!

Alan

What's even worse for me is that I did buy my 410 from RingCentral and it resets to the default Polycom password on every reboot!
So I can't even get a RingCentral phone provisioned like RingCentral wants it to avoid this glaring security issue.

GEORGE MKRTCHYAN

I know your frustration Alan.

Someone correct me if I'm wrong, but from what I understand, getting a VVX (or any RC supported phone) from RingCentral is no different from getting one from another source. The only difference I see is a printed logo on the phone and a RingCentral logo saved in the phone for the screen. RingCentral pushes out their own firmware and configuration files on any "supported" phone during the auto-provisioning process anyway, so in essence, they provision per their own specs, no matter where you purchased the phone from. So therefore, these issues would be present even on phones that RingCentral sells.

This reminds me of that annoying "disclaimer" sentence every RC tech support reads about not supporting phones unless directly purchased from them, I believe there are 2 reasons why they read that statement, even though the phone is a supported model:

  1. They want us to buy the phones directly from them so they make money on the hardware as well
  2. This is the easiest excuse they can give without any backlash from the customer while at the same time shifting the responsibility away from them, even though it is solely their responsibility to fix these issues.
The problem here for RC is that any technically inclined individual can easily deduce that the firmware and configuration files RC pushes out to the phones during auto-provisioning are independent of where the phone was purchased from, so long as the firmware and configuration are written for that model phone...which is the reason we (at the very least I) are not buying into that nonsense of using a phone that is or isn't purchased from RC.

Mike, Official Rep

Official Response
We understand your concern and would like to assist anyone with this issue.  Because the scenarios are different for each user, we'd like to handle this on a case by case basis, so please feel free to contact live support and discuss the solutions below. 

Mike 

If the customer sets the Admin password locally (phone web UI), it will reset after a reboot when connected to RC. The possible solutions are:

  • Custom config: With help from RC support/SE, submit a custom config with an Admin password provided by customer IT. The benefit is that customer IT can still have admin access.
  • RC Lock: Lock the Polycom phone with help from RC support, which will change the Admin password to an RC-generated one. RC cannot share the password with the customer, so customer IT have no admin access to the phones when connected to RC.

NOTE: Only manually provisioned phones will maintain the customized password (does not apply to assisted provisioned devices).
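
Added example (not part of the thread, and not RingCentral's or Polycom's code): a check customer IT could run over per-phone provisioning files before submitting a custom config, flagging files that put the phone on a default admin password, reuse one password across phones, or set the password without the flags that make it apply. It assumes Polycom UC Software's `device.set` and `device.auth.localAdminPassword` parameters; the file names, file contents and the default-password placeholder are constructed.

```python
import xml.etree.ElementTree as ET

PWD = "device.auth.localAdminPassword"
# Placeholder standing in for the vendor default; the thread never states the value.
KNOWN_DEFAULTS = {"VENDOR-DEFAULT-PLACEHOLDER"}


def cfg(attrs):
    """Build a constructed one-element config file from a dict of parameters."""
    root = ET.Element("polycomConfig")
    ET.SubElement(root, "device", attrs)
    return ET.tostring(root, encoding="unicode")


# Constructed sample files, one per phone (hypothetical names and values).
SAMPLES = {
    "phone-a.cfg": cfg({"device.set": "1", PWD + ".set": "1",
                        PWD: "constructed-unique-A"}),
    "phone-b.cfg": cfg({"device.set": "1", PWD + ".set": "1",
                        PWD: "VENDOR-DEFAULT-PLACEHOLDER"}),
    "phone-c.cfg": cfg({"device.set": "1", PWD: "constructed-unique-A"}),
    "phone-d.cfg": cfg({"voIpProt.server.1.address": "sip.example.invalid"}),
}


def params(xml_text):
    """Flatten every attribute in the file; parameters are XML attributes."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        out.update(el.attrib)
    return out


def audit(configs, known_defaults):
    """Return {file name: [issues]} for the admin-password handling in each file."""
    findings, first_use = {}, {}
    for name, text in sorted(configs.items()):
        p, issues = params(text), []
        pwd = p.get(PWD)
        if pwd is None:
            # File does not manage the password: whatever the server pushes wins.
            issues.append("no-admin-password-param")
        else:
            # device.* values are only written when both flags are "1".
            if p.get("device.set") != "1" or p.get(PWD + ".set") != "1":
                issues.append("set-flag-missing")
            if pwd in known_defaults:
                issues.append("default-password")
            if pwd in first_use:
                issues.append("shared-with:" + first_use[pwd])
            else:
                first_use[pwd] = name
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLES, KNOWN_DEFAULTS).items():
        print(name, issues or "ok")
```
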

Steven Yaskin

Mike - can you confirm that if you upload a custom config - you will lose most basic features on the vvx ? Like presence status and others?

Mike, Official Rep

No.. you won't necessarily lose those features. This is something fairly new, but users that want to do this must go through their Account Managers so that we can assist. 

Chris McFarling

Hi Mike, I'm having this same issue with 3rd party VVX 311 phones. I contacted tech support as well as my account manager who in turn put me in touch with a provisioning tech. I explained ad nauseam that I was trying to contact someone who was familiar with creating a custom config file and referenced this forum post. Unfortunately no one I have talked to has any clue what I'm referring to. The standard answer is we don't do custom config files and to contact Polycom. Do you have any suggestions on how in the world to get in touch with someone who can actually make this happen on the back end?

Saadet, Employee

Hello Chris,

Apologies for this confusion. This is a fairly new feature that we offer and it does make some things possible now. I will reach out to your Account Manager so that they can get you in touch with our Professional Services Department who can discuss this further with you.

Steven Yaskin

Saadet - can you also reach out to my account manager, I mean someone who can assist my organization? Is this by request only? Are there qualifying criteria to obtain support for this major security flaw?

Steven Yaskin

Thank you for the response (finally we are getting attention).. Can I submit the Custom config? What are the steps required?

Saadet, Employee

Hey Steven, you will want to contact Support or your Account Manager regarding getting a custom config set up. If you don't know who your Account Manager is, email us at community.support@ringcentral.com and we'd be more than happy to find them for you :)

Steven Yaskin

No go. Once you do a custom setup - you will lose all presence and other features on the phone. Unacceptable. We need a real solution.

Mike, Official Rep

Not necessarily true.. see my post above. This is a new service but anyone who wants to do this must go through their account manager. 

Mike 

Steven Yaskin

I contacted my account manager who had no idea what I am talking about. The kicker was that I received an email and a call yesterday inviting me to the RC security conference ;) Needless to say, a public company that 1. exposes their customers at the level of unprotected admin access 2. ignores for years numerous calls and a choir of requests to plug the security hole... does not get to conduct a marketing event promoting the security. Time to make this public? I would like to get this resolved now, before we all start calling CNBC etc.. I am at the last of my patience. I do have a responsibility with my company to protect the security and I will make sure my hardware/software vendors are accountable as well. Mike - please escalate and let me know.

Mike, Official Rep

Steven, someone will be in touch with you soon to discuss this.

Mike 

Brad Baker

Can someone contact me as well? There are some of us watching this thread looking for solutions as well.

Saadet, Employee

Hello Brad,

I will send your Account Manager an email but I would also suggest that you give them a call. If you don't know who your Account Manager is just let me know and I'll get that information for you :)

Brad Baker

Yes, please forward to me our Account Manager info.  I have worked with several people at RC, but not sure which would be considered our "Account Manager" per se.

GEORGE MKRTCHYAN

I don't see how bombarding our Account Managers, who by the way, have no idea what we're talking about, is going to be a viable long term solution to this problem. This must be implemented at the core of RingCentral's UCaaS framework. Otherwise, we still have a vulnerable system because even if only 1 account never calls to get this implemented, that account will be the weak link. Also, we'll be overtaxing our Account Managers with unneeded runaround to get us something that they have no clue what it is nor how to provide it to us.

My proposition: Create a password field for each phone in the Admin portal. Allow for templates to apply password for multiple phones at once. Create the password variable as part of RingCentral's autoprovisioning files and other system files. Pass the password value across the platform to allow for saving into phones and configuration files during each and every reboot and update.

With my limited programming knowledge, this is what I came up with. I could be incorrect in my theory...Anyone else have any ideas?

Steven Yaskin

Brief update: I don't think there is a solution to this security problem just yet from RC. I spoke with the "account manager" and was transferred to the higher level of tech support. When we finally connected, the engineer had very little idea about the problem and obviously did not have a solution to this. Then I received an email from him asking me to provide my admin password in plain text in the email.  Mind-boggling. Besides the obvious security protocol violation - I did not think me providing my device admin password like this would help in any meaningful way. I think what they are trying to do is to patch the problem by hard-coding the admin password into the custom config script which then stays on the device without being overwritten every day. I am not sure if 1. This is a viable long-term solution since I cannot manage the device any longer and the script being sent to the device containing the admin password which is hackable almost as easy as the device without the password (if not easier) 2. Still not sure how this will affect the features on the device: presence and others; I was told repeatedly that ANY custom script, whether saved by me or externally, will disable the presence and other features on the device. Still waiting for the updates and will post here.

GEORGE MKRTCHYAN

I was just wrapping up an implementation setup (new network) for a customer who has hosted VoIP with Intermedia. Can anyone guess what I found out????

That's right! Each user can set their own password for their phones in the admin portal. What a shocker!!!

No need for workarounds, "Mickey Mouse" patch jobs and the like. A true solution.
