VoIP phones software and firmware very old versions = security risks

  • Question
  • Updated 2 months ago
  • Answered
It appears that RingCentral is forcing customers to run very old software versions on their desk phones.

For example, RC released version 5.6.0 of Polycom VVX in mid 2018 (Polycom actually released it in July 2017) - the latest version is 5.9.2 (April 2019) 

On older Polycom phones (Sound IP) RC version 4.0.9 was released by Polycom in 2016 whereas Polycom's latest release 4.0.14 is from Aug 2018.

It appears this is a common practice for RingCentral provisioned phones.
While certification of new releases is an acceptable practice and some delay is expected - it seems RC is very far behind.

Some of the other UCaaS providers do not force software downgrades and support much newer versions.

Needless to say, in today's cyber landscape, keeping all devices current is a critical concern.

Itai Fisher


Posted 12 months ago


Aaron Lippiatt

I agree! I opened a support case to inquire about Cisco SPA514G and Poly SoundStation IP 7000 phones. They are both on firmwares that are several years behind:
Cisco SPA514G on 7.6.1 (ES_RC01) from Sept 2015, but 7.6.2 SR5 was released in Oct 2018 (not to mention interim updates in between). Same for Polycom, on 4.0.9, but 4.0.14 is available.

They closed my case stating I should put in a feature request here.

Saadet, Employee

Hi Itai and Aaron,

I followed up with our Service Engineers on this topic. Please see their response below:

"Upgrading firmware requires all devices be rebooted and we upgrade all devices at once, so any and all upgrades would require a system-wide reboot of all physical phones to be forced from our servers. In order to limit the interruption for our customers, RingCentral standardizes on major releases with stable, tested firmware versions. If you are in need of a specific feature that is not available in your current release, please contact your account executive to discuss if a custom configuration may be available to upgrade the firmware on your devices."

Aaron Lippiatt

I went through my account rep and she escalated up to Engineering. Here was the final response:

“We cannot push custom configs for devices other than Poly VVX. Even if they unlocked the devices and manually updated the firmware on them, we'd likely overwrite it back to OUR current version.”

Thus, I don't think RingCentral is ever going to update the firmware on these devices.

Itai Fisher

So it looks like RC is not downgrading Poly SIP-550s or IP7000 if you upgrade them manually. They work fine with the latest version. In fact, I had a couple of phones that were having issues and upgrading the firmware resolved them.

RC does downgrade the VVX line and Yealink phones, and it can mess up their config in the process, so they need to be reset and re-provisioned.

I'm going to ask our account manager to see if they can do custom config without touching the firmware on the Yealink and get all the VVX phones onto the 5.9.2.

Brian Spargo

Hi Itai, did you succeed? I want to do the same thing!

Mary Rose, Official Rep

Hello Brian!

I suggest that you coordinate with our Technical Support team for configuration concerns. You may open a case and someone will call you regarding it.



Jake

RC has always been lazy about device firmware updates. Same story for 5+ years. All VoIP carriers are. If it ain't broke, don't fix it and risk interrupting service for all your customers around the world using that device. That being said, there are certainly security risks, feature bugs etc. that all of us suffer with because of this laziness. Those people with a relatively small number of phones could try the following (advised for technically advanced individuals only, and try it on one phone first. Use at your own risk!)

1. Bring your own device and provision it to RC
2. Log in to the phone admin web UI and note down all the settings, e.g. SIP proxy server, username, auth ID etc. Note you may need to contact RC support to get the admin password because they have a nasty habit of locking devices YOU OWN, and brought yourself, with a password they don't put in the RC admin portal as far as I know! Truly ridiculous.
3. Remove the phone from your RC account.
4. Factory reset the phone. Then do a firmware upgrade on your own. 
5. Go back to RC account, add a generic/unsupported SIP device to get the SIP credentials since likely you couldn't see them in step 2 (most phones obscure passwords as asterisks ***)
6. Finally, manually go through the phone web UI and re-input all the settings including the SIP user ID and password. Make sure NOT to input the profile rule and leave provisioning disabled, otherwise it will just resync with RC's provisioning server again and downgrade itself.

This is truly a pain in the rear. But the odds of RC bothering to update firmware when many users don't know what features they're missing and vulnerabilities their equipment has are low. 
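An added example, not written by any poster in this thread and not RingCentral or vendor code: a small fleet audit that flags phones running firmware behind the latest releases quoted in the posts above. The inventory CSV, its column names and the device names are constructed for illustration; versions are compared numerically because a plain string compare ranks 4.0.9 above 4.0.14.

```python
import csv
import io
import re

# Latest vendor releases as quoted in the thread (model -> version string).
LATEST = {
    "Polycom VVX": "5.9.2",
    "Polycom SoundStation IP 7000": "4.0.14",
    "Cisco SPA514G": "7.6.2 SR5",
}

# Constructed sample inventory; real data would come from your own asset list.
SAMPLE = """\
device,model,firmware
desk-01,Polycom VVX,5.6.0
desk-02,Polycom VVX,5.9.2
conf-01,Polycom SoundStation IP 7000,4.0.9
conf-02,Polycom SoundStation IP 7000,4.0.14
desk-03,Cisco SPA514G,7.6.1 (ES_RC01)
desk-04,Yealink,1.0.0
"""

def parse_version(text):
    """Return a numerically sortable key, e.g. '7.6.2 SR5' -> (7, 6, 2, 0, 5)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(?:\s*SR(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0, 0, 0))[:4]       # pad so 5.6 and 5.6.0 compare equal
    return parts + (int(m.group(2) or 0),)   # service release number, 0 if absent

def audit(inventory_csv, latest=LATEST):
    """List (device, model, firmware, finding) for every phone needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        target = latest.get(row["model"])
        if target is None:
            # The thread gives no release number for this model; flag for review.
            findings.append((row["device"], row["model"], row["firmware"], "no baseline"))
        elif parse_version(row["firmware"]) < parse_version(target):
            findings.append((row["device"], row["model"], row["firmware"], f"behind {target}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
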