Polycom VVX 410 - Password resets to default on each reboot


We have VVX 410s we purchased from a 3rd party.  Ever since the latest firmware release (UC Software 5.4.2.6722, Updater 5.6.2.5888), the phone alerts if a default admin password is in use.  We can change the password no problem.  When the phone is rebooted, the password returns to the default.  

Has anyone seen this or know why it's happening?  Maybe I'm missing something?

Billy O'Neal

Posted 3 years ago

Nathan Malone, U.S. Tier 3 Support

Hello Billy,

The password is coming from the configuration file that the phone pulls when it registers to our servers as a VVX 410. As the phone is a 3rd party device the password is set as default every time the phone is rebooted and registers with our servers. The phone looks for and pulls down the most up-to-date config file every time it registers. This is why the password is overwritten.

If we change the phone to an "Other Phone" in the system you would be able to set the password for the phone and it would stay because the phone would no longer pull the configuration file when it registered.

The downside to this is that when you set the phone to an "Other Phone" you lose the ability to do presence and use the softkeys as these features come from the configuration files.
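
The overwrite-on-registration behaviour described in this answer can be audited from the provisioning side. The following is an added example, not code from RingCentral or from any poster in this thread: it assumes the provisioning files use Polycom's `device.set`, `device.auth.localAdminPassword.set` and `device.auth.localAdminPassword` parameters, and the sample fleet (MAC addresses, passwords) is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Polycom's documented factory-default admin password; add your own known defaults.
DEFAULT_ADMIN_PASSWORDS = {"456"}
PW = "device.auth.localAdminPassword"

def make_config(password, device_set="1", pw_set="1"):
    """Build a constructed per-phone config in Polycom's attribute style."""
    return (f'<polycomConfig><device device.set="{device_set}" '
            f'{PW}.set="{pw_set}" {PW}="{password}"/></polycomConfig>')

# Constructed sample fleet: MAC addresses and passwords are made up.
SAMPLE_FLEET = {
    "0004f2000001": make_config("456"),
    "0004f2000002": make_config("Blue-Kettle-71"),
    "0004f2000003": make_config("Blue-Kettle-71"),
    "0004f2000004": make_config("456", device_set="0"),
    "0004f2000005": make_config("Oak-Ladder-38"),
}

def provisioned_admin_password(xml_text):
    """Return the admin password this file forces on boot, or None if it forces none."""
    params = {}
    for element in ET.fromstring(xml_text).iter():
        params.update(element.attrib)
    enforced = params.get("device.set") == "1" and params.get(PW + ".set") == "1"
    return params.get(PW) if enforced else None

def audit_fleet(configs):
    """Map each MAC to 'default', 'shared', 'unique' or 'not-provisioned'."""
    pushed = {mac: provisioned_admin_password(x) for mac, x in configs.items()}
    counts = Counter(p for p in pushed.values() if p is not None)
    report = {}
    for mac, password in pushed.items():
        if password is None:
            report[mac] = "not-provisioned"  # a locally set password survives reboot
        elif password in DEFAULT_ADMIN_PASSWORDS:
            report[mac] = "default"
        elif counts[password] > 1:
            report[mac] = "shared"
        else:
            report[mac] = "unique"
    return report

if __name__ == "__main__":
    for mac, status in audit_fleet(SAMPLE_FLEET).items():
        print(mac, status)
```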

RC-Installer, Champion

Nathan, why is the password overwritten?  It is not like that when using a phone purchased directly from RingCentral, correct?

Would be nice to know if this will be fixed in the future or not; otherwise recommending the Cisco phones may be the way to go; they are less complicated than the Polycom.

People just want to know if this is something RC is going to fix or not.  Custom configs to lose functionality is not really an option.
 

Noah Stahl

I spent some time with support and confirmed that RingCentral configuration is indeed controlling the password on the device, including reverting it to the default upon boot. The current "workaround" is for them to set a unique password on their side, which you'd have to get from them *per phone*. This is obviously impractical for a device base of any nontrivial size.

Aside from that, the answer from support including supervisor is just to comment here and hope that it catches somebody's attention on the product side. There is no effort shown to own the issue and escalate it for resolution.

I'll reiterate that I believe this presents a security risk to RingCentral customers and should be taken seriously. Today, we see plenty of examples of botnets and other security snafus attributable directly to the use of default passwords on network-accessible devices.

The right way to address this is to provide a mechanism for the password to be reliably managed by the customer, either locally or through the service portal. Or, just publicly announce that RingCentral is declining to address this, and allow us to decide what alternatives we might want to pursue.

GEORGE MKRTCHYAN

100% agree. RingCentral is leaving the door open to their servers, compromising their own systems along with their customers'. I would imagine it's not that difficult to add a password field in the phone settings page on the Admin portal that can then be passed to/from any configuration file.

Steven Yaskin

I actually used to have a Linux-based on-premise VoIP PBX system. It was hacked so badly, it forced me to seek a more "reliable" cloud-based solution to avoid building and maintaining my own security. Enter RingCentral, with the premise to do exactly that. Turns out, RC basic security and user-based features (like "beep on hold reminder", etc.) on non-RC issued devices are not supported. While phone-enabled features are something we can put in the category of "nice to have" (why??), the security features like default device admin password MUST be addressed. It is unfortunate that not only are these security issues not being addressed, they are not currently being acknowledged, and a growing number of user complaints are being ignored. Let's get more users supporting this thread!

GEORGE MKRTCHYAN

I don't see how bombarding our Account Managers, who, by the way, have no idea what we're talking about, is going to be a viable long-term solution to this problem. This must be implemented at the core of RingCentral's UCaaS framework. Otherwise, we still have a vulnerable system because even if only 1 account never calls to get this implemented, that account will be the weak link. Also, we'll be overtaxing our Account Managers with unneeded runaround to get us something that they have no clue what it is nor how to provide it to us.

My proposition: Create a password field for each phone in the Admin portal. Allow for templates to apply password for multiple phones at once. Create the password variable as part of RingCentral's autoprovisioning files and other system files. Pass the password value across the platform to allow for saving into phones and configuration files during each and every reboot and update.

With my limited programming knowledge, this is what I came up with. I could be incorrect in my theory... Anyone else have any ideas?
