VoIP: SIP-over-TLS and sRTP: VTech

VTech is recognized for their spying toys, successful hacks, and privacy leaks. Today, they still sell DECT phones in many countries. For example, Telekom Deutschland uses them for their Telekom Speedphones. Before VTech bought Snom in Germany, they even had their own VoIP/SIP phone range. Again, several manufacturers re-branded those, for example the company ATLINKS via the brand Alcatel. Some of their DECT bases (VSP600, IP2115, and IP2015) do not even support HD Voice, although both the bundled handset and the base itself support/offer G.722. By the way, I love this blog entry… Let us have a look at their SIP-DECT base, which survived the Snom takeover.

Last tested firmware

2.10.49
retested in Oct. 2019 with 2.10.52

Configuration

Password: admin/admin
Web → Servicing → Security
HTTPS: Web → Servicing → Security → Web Server → Enable Secure Browsing
Update: Web → Servicing → Firmware Update
Trust Anchors: Web → Servicing → Certificates → Trusted: Base64
Web → Servicing → Certificates → Trusted: Only accept trusted certificates
SIP-URI User: Web → System → SIP Account → 1 → User Identifier
Web → System → SIP Account → 1 → Authentication Name
SIP-URI Host: Web → System → SIP Account → 1 → SIP Server → Server Address
Web → System → SIP Account → 1 → Registration → Server Address
SIP-over-TLS: Web → System → SIP Account → 1 → Transport: TLS
Web → System → SIP Account → 1 → SIP Server Port: 5060
Not 5061, not 0, but 5060 enables DNS-SRV.
SDES-sRTP: Web → System → SIP Account → 1 → Enable Voice Encryption (SRTP)
which is RTP/SAVP
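
One way to confirm from a captured INVITE body that "Enable Voice Encryption (SRTP)" really produced an RTP/SAVP offer with a usable SDES key. This is an added example, not code from the original page or from VTech; `audit_sdp`, the sample offers and the key are constructed for illustration, and the expected key lengths are those of the RFC 4568 crypto suites.

```python
import base64

# Master key plus salt, in bytes, for the SDES suites defined in RFC 4568.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
                "F8_128_HMAC_SHA1_80": 30}

def audit_sdp(sdp):
    """Return one finding dict per m= section of an SDP body."""
    streams, cur = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            cur = {"media": media, "port": int(port.split("/")[0]),
                   "profile": profile, "suites": [], "problems": []}
            streams.append(cur)
        elif line.startswith("a=crypto:") and cur is not None:
            fields = line[len("a=crypto:"):].split()  # tag, suite, key-params
            if len(fields) < 3 or not fields[2].startswith("inline:"):
                cur["problems"].append("malformed a=crypto")
                continue
            suite, key_b64 = fields[1], fields[2][7:].split("|")[0]
            try:
                key_len = len(base64.b64decode(key_b64, validate=True))
            except ValueError:
                key_len = -1
            if suite not in KEY_SALT_LEN:
                cur["problems"].append("unknown suite " + suite)
            elif key_len != KEY_SALT_LEN[suite]:
                cur["problems"].append("bad key length for " + suite)
            else:
                cur["suites"].append(suite)
    for s in streams:
        if s["port"] == 0:
            continue  # stream is disabled, there is no media to protect
        if s["profile"] != "RTP/SAVP":
            s["problems"].append("not RTP/SAVP: " + s["profile"])
        elif not s["suites"]:
            s["problems"].append("RTP/SAVP without usable a=crypto")
    return streams

# Constructed sample data: documentation address, counter bytes as key.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SRTP_OFFER = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
              "t=0 0\r\nm=audio 18000 RTP/SAVP 9 8 0\r\n"
              "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + SAMPLE_KEY + "\r\n")
PLAIN_OFFER = SRTP_OFFER.replace("RTP/SAVP", "RTP/AVP").split("a=crypto")[0]

if __name__ == "__main__":
    print(audit_sdp(SRTP_OFFER), audit_sdp(PLAIN_OFFER), sep="\n")
```

Because SDES carries the key inside the SDP itself, a clean result here only means something when the Transport: TLS setting is in effect as well.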

Software Bugs

DNS-NAPTR: missing
Compact Form: Session-Expires (x) not understood
Call Hold: broken; the sRTP-ROC is reset on resume
DiffServ: in IPv6, SIP and RTP are at 0x00; in IPv4, phone uses Web → System → SIP Account → 1 → Quality of Service
IPv6: although user interface suggests differently, not dual-stack but IPv4-only or IPv6-only

Security

Bugs: ECDHE curves with fewer than 224 bits (OpenSSL 1.0.1), and
requires the root of the certificate chain as trust anchor (OpenSSL 1.0.1m or older)
Responsible Disclosure: via E-mail
Firmware Update: missing Automation
Newsletter via E-mail

Miscellaneous

Model Range

Power Supply

5 V 0.8 A, Coaxial: 5.5 mm × 2.1 mm
