VoIP: SIP-over-TLS and sRTP: Huawei

Huawei also offers VoIP/SIP phones (Enterprise Communications → Endpoints → eSpace Desktop), which can be used with Digium Asterisk. Although reported via two different support channels, the firmware archive is not a ZIP file, as its ‘.zip’ extension suggests, but a RAR archive. Go figure!

Last tested firmware

V200R003C30SPCm00 retested in Oct. 2019 with m10
At the top, select ‘All’ versions, ignore the ‘Recommended’ icon and go for the one with the latest publication date, because that web page implies Huawei maintains several branches in parallel. However, all of my security findings were resolved only in the latest branch/version.

Configuration

Password: admin/admin123
Web → Advanced → Change Admin Password
HTTPS: enabled out of the box
Web → Advanced → Network → (Network Security) WEB: HTTPS
Update: Web → Advanced → Upgrade → Manual
You have to select the ‘.bin’ file within the downloaded archive. Although the file extension implies a ZIP archive, the latest versions are RAR archives.
Trust Anchors: Web → Advanced → Certificate → (Import Local Certificate) Root Certificate: Base64 (filename must end on .pem)
Web → Advanced → Others → (TLS Authentication) SIP TLS: Enable
Web → Advanced → Network → (Network Security) TLS Encryption Mode: Secure (default value; otherwise you end up with a working anonymous cipher suite)
SIP-URI User: Web → Advanced → Account → Add Account → Account
Web → Advanced → Account → Edit Account → User Name
SIP-URI Host: Web → Advanced → Account → Edit Account → (SIP Server) Server 1
Web → Advanced → Server → Network Environment: Others
SIP-over-TLS: Web → Advanced → Account → Edit Account → SIP Transport: TLS
SDES-sRTP: Web → Advanced → Network → (Network Security) SRTP: Optional
which is RTP/SAVP + RTP/AVP

Software Bugs

SHA-2 Digest: does not pick MD5 but continues without an Authorization header, so it is not able to register; therefore incompatible with Linphone
DNS-SRV: uses _sip._tls instead of _sips._tcp
DNS-NAPTR: missing
Audio: AMR-WB octet-aligned mode is accepted but only bandwidth-efficient mode supported
Mitigation: Web → Advanced → Media → (Voice Codec Priority) G.722.2: Disable
DiffServ: not enabled by default
Mitigation: Web → Advanced → Network → DSCP: Enable → SIP: 40
IP Port Source: the SIP headers Via and Contact carry port 5060 instead of the actual source port
Mitigation: unknown; the service has to ignore that port and re-use the TCP-based connection instead
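Two of the bugs above are easy to check for on the server side: the DNS-SRV name the phone should have queried per RFC 3263, and the port it advertises in Via and Contact versus the port the request actually came from. The following is an added example written for this page, not code from the page or from Huawei; the REGISTER message, the addresses and the observed source port are constructed sample data.

```python
"""Added example (not from the page or from Huawei): two checks for the
behaviours noted under Software Bugs, run against constructed sample data."""
import re


def srv_name(host, transport):
    """Return the SRV owner name RFC 3263 defines for a SIP host/transport.

    RFC 3263 only defines _sip._udp, _sip._tcp and _sips._tcp; a client
    that looks up _sip._tls never finds a correctly published
    SIP-over-TLS service.
    """
    transport = transport.lower()
    if transport == "tls":
        return f"_sips._tcp.{host}"
    if transport in ("tcp", "udp"):
        return f"_sip._{transport}.{host}"
    raise ValueError(f"unknown transport {transport!r}")


def is_nonstandard_srv_query(qname):
    """True for the _sip._tls.<host> form the phone was observed to query."""
    return qname.lower().startswith("_sip._tls.")


# --- advertised port vs. actual source port ---------------------------------

_VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)\s+([^;\s]+)", re.I | re.M)
_CONTACT_RE = re.compile(r"^Contact:\s*<?(sips?):(?:[^@>\s]*@)?([^;>\s]+)", re.I | re.M)
_HOSTPORT_RE = re.compile(r"^(\[[^\]]+\]|[^:]+)(?::(\d+))?$")


def _port(hostport, default):
    """Port of a host[:port] token (IPv6 literals in brackets), else default."""
    m = _HOSTPORT_RE.match(hostport)
    if not m:
        raise ValueError(f"bad host:port {hostport!r}")
    return int(m.group(2)) if m.group(2) else default


def check_source_port(message, observed_port):
    """Compare the ports advertised in Via and Contact with the port the
    request really came from.  Returns {header: (advertised, observed)}
    for every header that disagrees; an empty dict means they match."""
    via = _VIA_RE.search(message)
    contact = _CONTACT_RE.search(message)
    if not via or not contact:
        raise ValueError("message lacks Via or Contact")
    # defaults per RFC 3261 19.1.2: 5061 for TLS / sips:, 5060 otherwise
    via_default = 5061 if via.group(1).upper() == "TLS" else 5060
    contact_default = 5061 if contact.group(1).lower() == "sips" else 5060
    advertised = {
        "Via": _port(via.group(2), via_default),
        "Contact": _port(contact.group(2), contact_default),
    }
    return {h: (p, observed_port) for h, p in advertised.items() if p != observed_port}


# Constructed REGISTER resembling what the page describes: the phone sends
# from an ephemeral port but writes :5060 into Via and Contact.
SAMPLE_REGISTER = (
    "REGISTER sips:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sips:1001@pbx.example.net>;tag=c0nstructed\r\n"
    "To: <sips:1001@pbx.example.net>\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sips:1001@192.0.2.10:5060;transport=tls>\r\n"
    "Content-Length: 0\r\n\r\n"
)
OBSERVED_SOURCE_PORT = 49152  # constructed: the TCP source port actually seen


if __name__ == "__main__":
    print(srv_name("pbx.example.net", "tls"))
    print(is_nonstandard_srv_query("_sip._tls.pbx.example.net"))
    print(check_source_port(SAMPLE_REGISTER, OBSERVED_SOURCE_PORT))
```

A mismatch reported by `check_source_port` is exactly the case the mitigation line describes: a server should not open a new connection to the advertised port but answer over the connection the request arrived on, which is what RFC 3261 section 18.2.2 requires for connection-oriented transports anyway.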

Security

Bugs: missing TLS_ECDHE_[RSA|ECDSA]_WITH_AES_128_GCM_SHA256,
RSA+MD5 as signature algorithm (CVE-2015-7575), and
requires the root of the certificate chain as trust anchor;
SDES-sRTP key with reduced entropy (keys observed were ASCII): fixed;
DNS-SRV redirection disables hostname validation: fixed in Jun. 2019 with firmware m10;
padlock icon shown even without SIP-over-TLS: fixed
Privacy: device phones home to cloudecdm.huaweicloud.com
Web → TR069 should disable it but did not in my tests.
Responsible Disclosure: via PSIRT team
Firmware Update: missing Automation
missing Newsletter
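The reduced-entropy SDES key finding above can be spotted in a packet capture without any knowledge of the phone's key generator: decode the a=crypto line of the SDP offer and look at the bytes. The following is an added example written for this page, not code from the page or from Huawei; the SDP offer and both key/salt pairs are constructed sample data, and the RTP/SAVP plus RTP/AVP pair of m= lines mirrors the ‘Optional’ SRTP setting from the configuration section.

```python
"""Added example (not from the page or from Huawei): parse SDP a=crypto
lines (RFC 4568) and flag SDES-sRTP master keys made only of printable
ASCII, the symptom the page reports for the reduced-entropy keys."""
import base64
import re

_CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)", re.M)
_MEDIA_RE = re.compile(r"^m=audio\s+\d+\s+(\S+)", re.M)

# master key length / master salt length in bytes (RFC 4568, RFC 6188)
_SUITE_KEY_SALT = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
}


def media_profiles(sdp):
    """Transport profiles of the audio m= lines, e.g. RTP/SAVP and RTP/AVP."""
    return _MEDIA_RE.findall(sdp)


def parse_crypto_lines(sdp):
    """Decode every a=crypto line into tag, suite, master key and master salt."""
    out = []
    for tag, suite, b64 in _CRYPTO_RE.findall(sdp):
        if suite not in _SUITE_KEY_SALT:
            raise ValueError(f"unsupported crypto suite {suite}")
        klen, slen = _SUITE_KEY_SALT[suite]
        key_salt = base64.b64decode(b64, validate=True)
        if len(key_salt) != klen + slen:
            raise ValueError(f"crypto tag {tag}: expected {klen + slen} bytes, got {len(key_salt)}")
        out.append({"tag": int(tag), "suite": suite,
                    "key": key_salt[:klen], "salt": key_salt[klen:]})
    return out


def is_all_printable_ascii(data):
    """True if every byte is in the printable ASCII range 0x20..0x7E."""
    return all(0x20 <= b <= 0x7E for b in data)


def weak_sdes_keys(sdp):
    """Tags of crypto lines whose master key is entirely printable ASCII.

    Each byte of a uniformly random key is printable with probability
    95/256, so a whole 16-byte key is printable with probability
    (95/256)**16, about 1e-7.  Seeing this once is a fluke; seeing it on
    every call means the generator is not using the full key space."""
    return [c["tag"] for c in parse_crypto_lines(sdp) if is_all_printable_ascii(c["key"])]


# Constructed key material; both are 16-byte key + 14-byte salt.
WEAK_KEY_SALT = b"0123456789abcdef" + b"ghijklmnopqrst"
STRONG_KEY_SALT = bytes.fromhex(
    "e31a9c4007ff5bd288136ec5a079f40b" "9d02c74eb831f06a15dc8329e674"
)


def sample_sdp():
    """Constructed SDP offer: one RTP/SAVP line with two crypto attributes
    followed by an RTP/AVP line, mirroring the 'Optional' SRTP setting."""
    weak = base64.b64encode(WEAK_KEY_SALT).decode()
    strong = base64.b64encode(STRONG_KEY_SALT).decode()
    return (
        "v=0\r\n"
        "o=- 1 1 IN IP4 192.0.2.10\r\n"
        "s=-\r\n"
        "c=IN IP4 192.0.2.10\r\n"
        "t=0 0\r\n"
        "m=audio 16384 RTP/SAVP 9 8 0\r\n"
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{weak}\r\n"
        f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{strong}|2^31\r\n"
        "m=audio 16386 RTP/AVP 9 8 0\r\n"
    )


if __name__ == "__main__":
    print(media_profiles(sample_sdp()))
    print("weak crypto tags:", weak_sdes_keys(sample_sdp()))
```

The check only looks at the master key, not the salt, because the salt is what protects against precomputation and is generated the same way; one ASCII-only key is not proof, but a phone that produces them on every call has lost most of the 128 bits the suite name promises.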

Miscellaneous

Model Range

Power Supply

5 V 2 A, Coaxial: 5.5 mm × 2.1 mm
