VoIP: SIP-over-TLS and sRTP: Escene

Escene allows Open-SIP out of the box. Therefore, you can try VoIP/SIP servers like Digium Asterisk or public VoIP/SIP providers. Escene is also known as Univois. In the past, Escene was also chosen by ALE, Auerswald, and Khomp. I am not sure why a phone with some many obvious defects finds even OEM partners. Auerswald told me they contacted Escene about my findings. Escene told me, they were not contacted. Go figure!

Last tested firmware

0.0.38.01143194
retested in Oct. 2019 with 0.0.38.05283401

Configuration

Password:	admin/22222 Web → Security → Password
HTTPS:	not available, confirmed by the support team
Update:	Web → Maintenance → HTTP Upgrade → Select a File
Trust Anchors:	Web → Security → Trusted Certificates
SIP-URI User:	Web → SIP Account → Basic → Username
SIP-URI Host:	Web → SIP Account → Basic → SIP Server
SIP-over-TLS:	Web → SIP Account → Basic → SIP Transport: TLS Web → SIP Account → Advanced → DNS-SRV: On
SDES-sRTP:	Web → SIP Account → Advanced → Voice encryption: Optional (only for incoming) which is RTP/SAVP

Software Bugs

SHA-2 Digest:	does not pick MD5, continues without header Authorization, therefore is not able to register; therefore incompatible with Linphone
AES-256 sRTP:	accepted although not supported; resulting crypto tag has no index
DNS-NAPTR:	missing
Session Timers:	broken; SIP UPDATE even if not supported
Audio DiffServ:	RTP is at `0` although Web → Network → Advanced → QoS shows `46`
IP Port Source:	not random on default, 5070 always not the actual port but nothing in the SIP header `Contact` Mitigation: unknown; service has to ignore it and re-use the TCP based connection instead

Security

Bugs:	SDES-sRTP key with reduced entropy (keys observed were hex: 0-9a-f), DNS-SRV redirection disables Hostname Validation, padlock icon even without SIP-over-TLS, missing TLS_ECDHE_[RSA\|ECDSA]_WITH_AES_128_GCM_SHA256, Cipher Suites include RC4, Single-DES, EXPORT (OpenSSL 1.0.1l or older), ECDHE curves with less than 224 bit (OpenSSL 1.0.1; ssl/t1_lib.c:pref_list), and requires root of certificate chain as trust anchor (OpenSSL 1.0.1m or older)
Privacy:	device phones home to tftp://voip.autoprovision.com Mitigation: Web → Maintenance → Auto Provisioning → Auto Provision: On → Software Server URL: empty (the option ‘Off’ does not work) device phones home to EP+
Responsible Disclosure:	no way found
Firmware Update:	missing Automation missing Newsletter

Miscellaneous

Call Reject (UDUB): Web → Settings → Features → Return code when refused: 486
time on display cannot be disabled
- Web → Settings → Time → Time Zone: +1
- Web → Settings → Time → Daylight Savings Time: …
  This should allow timezone changes in the future, even in case of no firmware update.
- Web → Settings → Time → Time Format: 24 Hour
- Web → Settings → Time → Date Format: not compatible with German
Web → Settings → Audio → Select Country: Germany

Model Range

Univois U1, Escene ES280, ES330, ES620, IS710, IS720, IS730, IV720, WS282, WS330, WS620
ALE 8001, ALE 8001G, Auerswald COMfortel 1200 IP (tested), Escene ES290
Univois U3S (tested), U6S, U7S, U7KS
Khomp Linha IPS
SunComm

Power Supply

12 V ?.? A, Coaxial: 5.5 mm × 2.1 mm

← back to the other phones.