Device Unlock Setting

Overview: About Phone “Locking”

Attacks on VoIP phone networks have steadily increased in recent years. Hacking efforts such as scanning, brute-force hacking, or attempts to steal SIP credentials or make fraudulent calls can be disruptive at a minimum and, worse, can breach your company’s private data.

To ensure a phone is secure when first provisioned and remains secure while it is part of your account, our Provisioner application monitors IP activity to/from the phone and sets protection mechanisms to keep it safe. If Provisioner encounters one of the triggers outlined below, it will automatically “lock” the phone, meaning it will block the phone from provisioning and it will no longer be connected.

Events that can trigger a phone to lock

Provisioner will automatically lock a phone if it encounters any of the behavior outlined below:

When first provisioning phones

  • When you successfully provision a phone for the first time (from a factory reset state) and you move it to a different network where its IP address will change. 
     
  • If you have created a device in Flex UC (either in SmartPBX or Callflows) more than 24hrs before you provision it, the phone will be locked out. This means that if you create a phone as a device before you ship it to your customer, you will need to follow the unlock procedures when they receive it.

Once your phone is provisioned, if

  • You move a phone from your office desk to your home environment, or anywhere that the WAN IP address is not the same as your existing location.
     
  • Within your account, a phone has been blocked by our security system due to suspicious activity.
     
  • Your phone is not a new phone but was registered in your account.
     
  • Your internet service uses “dynamic” IP addresses; the WAN IP address may change from time to time. If the phone is factory-reset right after the WAN IP is changed, the new security mechanism may lock the phone.

Updated Phone Unlocking process

Historically, when Provisioner locked a phone, an account administrator would need to reach out to our support team, assure us the flagged activity was not nefarious, and request that it be unlocked. This process can take time to resolve.

The new unlocking feature outlined below is intended to streamline the process and give account managers and users the option to unlock a phone temporarily. This can be done per phone in SmartPBX.

After logging in to the Flex UC Portal, open the SmartPBX app and select the Devices option from the left-hand navigation:

This will bring you to the device management screen. Here you can see all of the devices assigned to your account. You can also see which devices are registered: the device icon is green if the device is currently registered, or red if the device is not active.


Next you will need to select the phone you wish to enable the feature for by clicking on the wrench icon located to the far right of the device listing:

Now that you have the “Editing SIP Device” screen up, you will need to select Advanced from the right navigation and then Miscellaneous.

Finally, to unlock the device for provisioning, click on the blue “Unlock” button next to the label “Allow Reprovision”.

You will see a flag pop up stating the “device will be unlocked for 24hrs.”

Once you unlock a phone

  • This will enable the device with that specific MAC address to be provisioned to any IP address for 24 hours.
  • If a phone is not re-provisioned in that time, the lock will turn back on.
  • If suspicious activity continues, it will re-lock and you will need to contact support to troubleshoot the source of the activity.

NOTES:

  • If a phone has historically been tied to the same IP address, and is just being re-provisioned (because the phone needed a factory reset for example), Provisioner will not re-lock the phone.
  • If the IP address has changed and you want to reset and re-provision the phone, you will need to “unlock” the device.   
  • If you have overwritten the phone’s config. file with a custom configuration (this is very rare) this process will not work.
  • You only need to unlock the phone after factory reset at a new location.
  • The lock does not affect phones with scheduled polling for updated config files.  This typically occurs every 24hrs, and/or during a phone reboot.  
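
The lock rules above, sketched as an added example (a simplified model written for this article, not Provisioner's own code). It assumes the unlock is used up by the next successful provisioning, covers only fresh provisioning attempts (not scheduled polling or the suspicious-activity trigger), and uses hypothetical names with constructed addresses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRE_CREATE_LIMIT = timedelta(hours=24)  # device created more than 24hrs before provisioning
UNLOCK_WINDOW = timedelta(hours=24)     # "device will be unlocked for 24hrs"

@dataclass
class Device:                            # hypothetical record, not a Provisioner type
    mac: str
    created_at: datetime
    bound_ip: Optional[str] = None       # WAN IP that last provisioned successfully
    unlocked_at: Optional[datetime] = None

def unlock(dev: Device, now: datetime) -> None:
    """Model of the "Unlock" button next to "Allow Reprovision"."""
    dev.unlocked_at = now

def provision(dev: Device, src_ip: str, now: datetime) -> str:
    """Return 'served' or 'locked' for a fresh provisioning attempt."""
    unlocked = (dev.unlocked_at is not None
                and now - dev.unlocked_at <= UNLOCK_WINDOW)
    if not unlocked:
        if dev.bound_ip is None and now - dev.created_at > PRE_CREATE_LIMIT:
            return "locked"              # created too long before first provisioning
        if dev.bound_ip is not None and src_ip != dev.bound_ip:
            return "locked"              # WAN IP differs from the one on record
    dev.bound_ip = src_ip                # lock now follows this IP
    dev.unlocked_at = None               # assumption: unlock is used up here
    return "served"

def demo() -> list:
    t0 = datetime(2021, 3, 1, 9, 0)      # constructed timeline
    office, home = "203.0.113.10", "198.51.100.7"   # constructed documentation IPs
    h = lambda n: t0 + timedelta(hours=n)
    phone = Device(mac="00:00:5E:00:53:01", created_at=t0)
    out = [provision(phone, office, h(1)),   # first provisioning
           provision(phone, home, h(2)),     # moved to another network
           provision(phone, office, h(3))]   # factory reset, same IP
    unlock(phone, h(4))
    out.append(provision(phone, home, h(30)))    # 26h later: window expired
    unlock(phone, h(31))
    out.append(provision(phone, home, h(32)))    # inside the window
    out.append(provision(phone, office, h(33)))  # old IP no longer matches
    return out

if __name__ == "__main__":
    print(demo())
```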

Frequently Asked Questions

What is the difference between banning an IP and locking a phone?

An IP Ban = exceeding provisioning attempts within a given time frame. Time is around 1 hour, and the ban can be self-removed with the UI or removed by anyone using the ban API. The “Unlock your IP” button will only unlock the local IP address as shown in the message.

NOTE: For security reasons you cannot unlock a different IP address even if you are masquerading an account. 

A Phone Lock = device status in Provisioner after the config file has been retrieved one time in which it will only accept new provisioning attempts from the same IP. Can be reset with the “unlock” button.

Is there a way to unlock all devices I have set up for a new office at once?

If you are setting up or moving an entire office or have shipped devices and want to enter their MAC Addresses in advance, the devices will likely lock before you can add them to the account with the correct data. With this first release you will need to unlock each phone separately.   

As unwanted attacks have proliferated recently, our priority was to enable unlocking for specific device instances. An “unlock all” feature is in its final development phase and will be available shortly as a follow-up release. It is designed to include the following options:

(note this is NOT available yet)

  • Unlock all devices
    The “unlock all” button will be the same as clicking “Unlock” on each device, which in turn leaves the device unlocked indefinitely until someone, from any IP, grabs the non-obscured configuration file for the first time.
     
  • Provisioning Window 
    The provisioning window unlocks only a defined IP for a set period of time to re-provision any device.  

There will be a field to select the number of hours to unlock these devices temporarily as you wait to provision them with your final data. The minimum is 1hr., the maximum is 40hrs.

Updated on March 24, 2021
