The Warpath

After discovering that, if left up to Vonage, the D-Link VTA-VD device I just purchased off eBay would be useless, I became determined to get it working.

Turns out, my initial idea of cloning the MAC address from my old Vonage adapter was amateur (at best): while this changes the MAC address that the adapter uses for Ethernet communication, it must still report the old address to Vonage when it’s being provisioned. Long story short, changing the MAC address had no effect whatsoever.

I did, however, discover that the VTAs apparently run an embedded flavor of Linux (cool!) with an SSH daemon installed and running by default (cooler!). Unfortunately, it uses a different account than the web interface (bummer). A glimmer of hope was the instructions for unlocking various SIP devices, including the D-Link VTAs. But I was shut down yet again: the manufacturers have apparently gotten smarter and started patching up the security holes that people have been hacking into.

Now it’s down to the wire. Wireshark, that is. I used Microsoft’s bundled ICS to become a gateway on my wired NIC, which is attached to the VTA via a cross-over cable. Then I started sniffing traffic. It looks like the VTA now has DNS server addresses hard-coded into the firmware, removing the easy way to rewrite DNS requests. ARP spoofing? But it’s definitely making a request for an XML provisioning file, which I was also able to download. Unfortunately, it’s encrypted.

Maybe this is more trouble than it’s worth.

4 Comments so far

  1. Matt on January 16th, 2008

    If the file weren’t encrypted, you could probably still spoof the server, if you were willing to have some fun with routing tables. Set a machine up on your LAN with that IP and route just that IP over the LAN instead of through your gateway.

    But you still have that encrypted file to deal with.

    Edit: Is the request encrypted, or just the resulting file? I wonder about the body of the request, and whether you can change that?

  2. Matt on January 16th, 2008

    Oh, the non-geek in me just had an idea: Have you tried contacting them to ask that they “fix” it for you? “My old one died, and I’d really hate to have to leave Vonage…”

  3. andrew on January 16th, 2008

    Heh. I did contact them, albeit by email. They gave a line about it still being active on another account and told me to buy one from a retail store. I contacted the eBay seller and asked him to see if they’d deactivate it — he said he would, but I haven’t heard back.

    As far as the encryption goes, it makes either an HTTP or TFTP request to a Vonage server. The file that comes back is encrypted; the request itself is not (I can see all the request details in Wireshark).

    I think tonight I’ll have to set up a Linux machine (I’ve been doing all of this on a Windoze box so far) to get further. Ettercap has a DNS spoofing plugin, or I’ll just add the IP of the HTTP server to the local interface.

  4. A Better Place - Everybody Dance Now on January 17th, 2008

    […] the end, sanity prevails. The eBay seller sent me a message this afternoon saying that Vonage assured him his account would […]
