VoIP: SIP-over-TLS and sRTP: Htek

Htek phones are, or were, re-labeled and sold by many other companies, such as Sangoma (Canada) and Easybell (Germany). If a firmware-upgrade file starts with ‘fw’ and has the file extension ‘rom’, it might be a Htek.

Last tested firmware

2.0.4.6.15
retested in May 2020 with 2.0.4.6.49

Configuration

Password: admin/admin
Web → Management → Password → User Type: admin
HTTPS: enabled on default
Web → Network → Advanced → Web Server → Type
Update: Web → Management → Upgrade → ROM Firmware Upgrade or
Web → Management → Auto Provisioning → AUTO Upgrade: Yes (default value)
Web → Management → Auto Provisioning → Firmware Server Path: http://fm.htek.com/fm (default value)
Web → Management → Auto Provisioning → Upgrade Check Mode: Always Check For New Firmware (default value)
Trust Anchors: Web → Management → Trusted CA: Base64
Web → Management → Trusted CA → Only Accept Trusted Certificates: On
Web → Management → Trusted CA → Common Name Validation: On
Web → Management → Trusted CA → Trusted Certificates: Custom Certificates
Bug: The filename may not be longer than 32 characters; otherwise, the certificate file is not imported.
Bug: Trust Anchors without Common Name (CN) are only deletable by resetting the whole phone.
SIP-URI User: Web → Account → 1 → Profile: 1 → SIP User ID
Web → Account → 1 → Profile: 1 → Authenticate ID
Web → Account → 1 → Profile: 1 → Use Random Port: Yes
SIP-URI Host: Web → Profile → 1 → Primary SIP Server
Web → Profile → 1 → NAT Traversal: No
SIP-over-TLS: Web → Profile → 1 → SIP Transport: TLS or
Web → Profile → 1 → DNS Mode: NAPTR/SRV
SDES-sRTP: Web → Profile → Advanced → 1 → SRTP Mode: SRTP enabled but not required
(this offers RTP/AVP with an a=crypto attribute)

Software Bugs

SHA-2 Digest: when challenged with a SHA-2 digest, the phone does not pick MD5 and continues without an Authorization header, so it is not able to register; therefore it is incompatible with Linphone.
Audio: the Opus codec must be the first offer by a caller; otherwise, Htek answers with no media type.
Mitigation: unknown, because the option to disable the Opus codec applies only when the Htek is the caller.
SDES-sRTP: crypto tag is zero; fixed with 2.0.4.6.49
Session Timers: broken; the sRTP rollover counter (ROC) is reset on re-INVITE
Compact Form: the compact header form of Session-Expires (x) is not understood
Audio DiffServ: RTP is sent with DSCP 0 although Web → Network → Advanced → Voice QoS shows 46

Security

Bugs: SDES-sRTP key with reduced entropy (the keys observed consisted only of the hex characters 0-9a-f),
padlock icon shown even without an authenticated transport,
missing TLS_ECDHE_[RSA|ECDSA]_WITH_AES_128_GCM_SHA256 cipher suites,
RSA+MD5 accepted as signature algorithm (CVE-2015-7575), and
the trust anchor must be the root of the certificate chain
Privacy: the device phones home to https://rps.htek.com
Mitigation: Web → Management → Auto Provisioning → Zero Active: No
Responsible Disclosure: no way found, although they have a ticketing system; tried Sangoma instead (no success either)
Firmware Update: no newsletter announcing new releases
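As an added check (example code, not from the page's author or from Htek), the following parses an SDP a=crypto line and flags the two SDES-sRTP defects named under Software Bugs and Security: a crypto tag of zero and key material drawn only from 0-9a-f, which leaves at most 4 bits of entropy per byte. The sample lines are constructed, not captured from a device.

```python
import base64
import re

# An SDES master key + salt for AES_CM_128_HMAC_SHA1_80 is 30 bytes (RFC 4568).
EXPECTED_KEY_LEN = 30
# Alphabet the page reports for the weak keys: lowercase hex digits only.
HEX_ALPHABET = frozenset(b"0123456789abcdef")

# a=crypto:<tag> <suite> inline:<base64 key>[|lifetime|MKI] [session-params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/]+={0,2})(?:\|\S+)?(?: .*)?$"
)


def analyze_crypto_line(line):
    """Parse one SDP a=crypto line and report the defects described on this page."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    tag, suite, b64 = m.groups()
    key = base64.b64decode(b64)
    hex_only = all(b in HEX_ALPHABET for b in key)
    findings = []
    if int(tag) == 0:
        findings.append("crypto tag is zero")
    if len(key) != EXPECTED_KEY_LEN:
        findings.append("key+salt is %d bytes, expected %d" % (len(key), EXPECTED_KEY_LEN))
    if hex_only:
        # 16 possible values per byte give 4 bits per byte instead of 8.
        findings.append("key bytes are all 0-9a-f: at most %d bits of entropy instead of %d"
                        % (4 * len(key), 8 * len(key)))
    return {"tag": int(tag), "suite": suite, "key_len": len(key),
            "hex_only": hex_only, "findings": findings}


def crypto_line(tag, key):
    """Build an a=crypto line for the given tag and raw key+salt bytes."""
    return "a=crypto:%d AES_CM_128_HMAC_SHA1_80 inline:%s" % (
        tag, base64.b64encode(key).decode("ascii"))


# Constructed samples: a hex-only key with tag 0 (the two defects listed on this
# page) and a key whose bytes use the full byte range.
WEAK_KEY = b"0123456789abcdef0123456789abcd"
STRONG_KEY = bytes(range(0x80, 0x80 + EXPECTED_KEY_LEN))
SAMPLE_WEAK = crypto_line(0, WEAK_KEY)
SAMPLE_GOOD = crypto_line(1, STRONG_KEY)

if __name__ == "__main__":
    for sample in (SAMPLE_WEAK, SAMPLE_GOOD):
        print(sample)
        print("  ->", analyze_crypto_line(sample)["findings"] or ["no findings"])
```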

Miscellaneous

Model Range

They have a life-cycle and comparison list.

Power Supply

5 V 1.2 A, Coaxial: 5.5 mm × 2.1 mm
