Device Unlock Settings

> 💡 NOTE: This documentation refers to the Monster UI implementation


Overview: About Phone “Locking”

Attacks on VoIP phone networks have steadily increased in recent years. Hacking efforts such as scanning, brute-force hacking, or attempts to steal SIP credentials or make fraudulent calls can be disruptive at a minimum and, worse, can breach your company’s private data.

To ensure a phone with a 2600Hz-provided phone number is secure when first provisioned and remains secure while it is part of your account, our Provisioner application monitors IP activity to and from the phone and sets protection mechanisms to keep it safe. If Provisioner encounters one of the triggers outlined below, it will automatically “lock” the phone, meaning it will block the phone from provisioning and it will no longer be connected.

Events that can trigger a phone to lock

Provisioner will automatically lock a phone if it encounters any of the behaviors outlined below:

When first provisioning phones

  • When you successfully provision a phone for the first time (from a factory reset state) and you move it to a different network where its IP address will change.
  • If you have created a device in KAZOO (either in SmartPBX or Callflows) more than 1 week before you provision it, the phone will be locked out. This means if you have a phone you want to send to your customer and create it as a device in KAZOO before you ship it, you will need to follow the unlock procedures when they receive it.

Once your phone is provisioned, if

  • You move a phone from your office desk to your home environment, or anywhere that the WAN IP address is not the same as your existing location.
  • Within your account, a phone has been blocked by the 2600Hz security system due to suspicious activity.
  • Your phone is not a new phone but was registered in your account.
  • Your internet service uses “dynamic” IP addresses; the WAN IP address may change from time to time. If the phone is factory-reset right after the WAN IP is changed, the new security mechanism may lock the phone.

Updated Phone Unlocking process

Historically, when Provisioner locked a phone, an account administrator would need to reach out to our support team, assure us the flagged activity was not nefarious, and request that it be unlocked. This process can take time to resolve.

The new unlocking feature outlined below is intended to streamline the process and give account managers and users the option to unlock a phone temporarily.  This can be achieved per phone either in Provisioner or as a user in SmartPBX.

In SmartPBX

  1. Go to the Devices menu

  2. Find your phone and select the wrench tool to the right

  3. Select the Advanced Menu

  4. Select Miscellaneous, and click on the “Allow Reprovision” button that says Unlock. You will see a flag pop up stating the device will be unlocked for 24hrs.

<img style='display: flex; margin: 0 auto; width:50%' src="https://forums.2600hz.com/forums/uploads/monthly_2021_03/2045499535_phonelockspbxallowreprovision.png.35285bc8257eb66aa7e12b5169d3d8ad.png" />


<img style='display: flex; margin: 0 auto; width:50%' src="https://forums.2600hz.com/forums/uploads/monthly_2021_03/1349893816_ScreenShot2021-03-01at4_12_13PM.png.f88ce8d6f7b0600898ca5b4eb47b4fd8.png" />

In Provisioner

To unlock a single device

  1. Under devices, scroll to find your phone
  2. Select the Gear setting
  3. Select Unlock

Once you unlock a phone

  • This will enable the device with that specific MAC address to be provisioned to any IP Address for 1 week.
  • If a phone is not re-provisioned in that time, the lock will turn back on.
  • If suspicious activity continues, it will re-lock and you will need to contact support to troubleshoot the source of the activity.

NOTES:

  • If a phone has historically been tied to the same IP address, and is just being re-provisioned (because the phone needed a factory reset for example), Provisioner will not re-lock the phone.
  • If the IP address has changed and you want to reset and re-provision the phone, you will need to “unlock” the device.
  • If you have overwritten the phone’s config file with a custom configuration (this is very rare), this process will not work.
  • You only need to unlock the phone after factory reset at a new location.
  • The lock does not affect phones with scheduled polling for updated config files. This typically occurs every 24hrs, and/or during a phone reboot.

Frequently Asked Questions

What is the difference between banning an IP and locking a phone?

An IP Ban is applied when an IP address exceeds the allowed provisioning attempts within a given time frame. The time is around 1 hour, and the ban can be self-removed with the UI or removed by anyone at 2600Hz using the ban API. The Unlock your IP button will only unlock the local IP address as shown in the message. NOTE: For security reasons you cannot unlock a different IP address even if you are masquerading an account.

A Phone Lock is the device status in Provisioner after the config file has been retrieved one time, in which it will only accept new provisioning attempts from the same IP. It can be reset with the “unlock” button.
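
The lock rules described on this page, modeled as a small decision function. This is an added example, not 2600Hz's Provisioner code; the `Device` fields, function names and sample addresses are assumptions, and the IP ban and the scheduled-polling exemption are not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WEEK = timedelta(weeks=1)  # both one-week limits are taken from the page


@dataclass
class Device:
    """Hypothetical per-MAC record; the field names are assumptions."""
    mac: str
    created_at: datetime                        # when the device was created in KAZOO
    pinned_ip: Optional[str] = None             # WAN IP of the last accepted fetch
    unlocked_until: Optional[datetime] = None   # set by the Unlock action


def unlock(dev: Device, now: datetime, window: timedelta = WEEK) -> None:
    """Unlock: accept one provisioning request from any IP until the window ends."""
    dev.unlocked_until = now + window


def request_config(dev: Device, src_ip: str, now: datetime) -> str:
    """Decide one provisioning request. Returns 'served' or 'locked'."""
    if dev.unlocked_until is not None:
        if now <= dev.unlocked_until:
            # Assumption: a fetch inside the window re-pins the device to the
            # requesting IP and ends the window.
            dev.pinned_ip, dev.unlocked_until = src_ip, None
            return "served"
        dev.unlocked_until = None               # window expired: lock is back on
    if dev.pinned_ip is None:
        # First fetch: refused when the record is more than a week old.
        if now - dev.created_at > WEEK:
            return "locked"
        dev.pinned_ip = src_ip
        return "served"
    # Already provisioned: only the pinned IP may fetch the config again.
    return "served" if src_ip == dev.pinned_ip else "locked"


if __name__ == "__main__":
    t0 = datetime(2021, 3, 1)                   # constructed sample data
    phone = Device("00:00:5E:00:53:01", created_at=t0)
    day = timedelta(days=1)
    print(request_config(phone, "203.0.113.10", t0 + day))      # office
    print(request_config(phone, "198.51.100.7", t0 + 3 * day))  # moved home
    unlock(phone, t0 + 3 * day)
    print(request_config(phone, "198.51.100.7", t0 + 4 * day))  # after unlock
```

Walking a device through this model shows why a phone shipped more than a week after it was created, or moved to a new WAN IP, needs an unlock before it will provision.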

Is there a way to unlock all devices I have set up for a new office at once?

If you are setting up or moving an entire office or have shipped devices and want to enter their MAC Addresses in advance, you have 1 week to deliver the phones. If your shipment takes longer than a week, the devices will likely lock before you can add them to the account with the correct data and you will need to unlock each phone separately.

As unwanted attacks have proliferated recently, our priority was to enable unlocking for specific device instances. An unlock all feature is in its final development phase and will be available shortly as a follow-up release. It is designed to include the following options:

  • Unlock all devices: The unlock all button will be the same as clicking unlock on each device, which in turn leaves the device unlocked indefinitely until someone, from any IP, grabs the non-obscured configuration file for the first time.
  • Provisioning Window: The provisioning window unlocks only a defined IP for a set period of time to re-provision any device.

There will be a field to select the number of hours to unlock these devices temporarily as you wait to provision them with your final data. The minimum is 1hr., the maximum is 40hrs.