{"guid":"c2847fc7-51fe-5f98-be2d-29158f298910","title":"Die Hardcoded: Unlocking Yealink's (weakest) secrets","subtitle":null,"slug":"why2025-45-die-hardcoded-unlocking-yealink-s-weakest-secrets","link":"https://program.why2025.org/why2025/talk/CXVW7V/","description":"During this talk we look at hardware and firmware reverse engineering, but also at corporate intimidation tactics and how to respond ethically as a security researcher.\nLeveraging the hard-coded AES keys, outdated software, and lots and lots of custom code we found, we were able to install \"custom code\" on some phones and access global customer configuration data by exploiting Yealink's global cloud provisioning service (RPS).\n\nCommunication is the cornerstone of human collaboration and vital to functional governments, flourishing businesses, and our personal lives. We take for granted that sensitive information we send through our digital communication infrastructure is only received by the intended recipient.\nThis puts immense responsibility on communication equipment manufacturers and service providers to keep our communications safe from prying eyes. Surely we can trust a global, leading manufacturer of video conferencing, voice communication and collaboration solutions to keep our data safe, right? ...right?\nThey may have shiny devices and their marketing slides might be impressive, but we care about what's on the inside.\nIn this talk, we take a look at Yealink VoIP business phones and their cloud infrastructure.\nCome with us on a technical deep dive involving hardware hacking and firmware reverse engineering, but also listen to a story about corporate intimidation tactics and lessons on how not to treat security researchers.\nWhat we find is a security researcher's dream: hard-coded AES keys, outdated software, and lots and lots of custom C code (including cryptography!).\nWe were not only able to run custom code on some phones, but were also able to access configuration data of their global cloud provisioning service while casually answering the age-old question: \"Does it run DOOM?\".\nThis project concluded in a wide-ranging coordinated vulnerability disclosure involving the manufacturer, telecom providers, national cybersecurity agencies, and major customers, which we will also outline in this talk.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/","original_language":"eng","persons":["Jeroen Hermans","Stefan Gloor"],"view_count":347,"promoted":false,"date":"2025-08-11T19:00:00.000+02:00","release_date":"2025-08-12T00:00:00.000+02:00","updated_at":"2026-04-19T23:45:03.916+02:00","tags":["45","2025","why2025","Hacking","Cassiopeia","why2025-eng","Day 5"],"length":1990,"duration":1990,"thumb_url":"https://static.media.ccc.de/media/events/why2025/45-c2847fc7-51fe-5f98-be2d-29158f298910.jpg","poster_url":"https://static.media.ccc.de/media/events/why2025/45-c2847fc7-51fe-5f98-be2d-29158f298910_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/why2025/45-c2847fc7-51fe-5f98-be2d-29158f298910.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/why2025/45-c2847fc7-51fe-5f98-be2d-29158f298910.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/why2025-45-die-hardcoded-unlocking-yealink-s-weakest-secrets","url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_title":"What Hackers Yearn 2025","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025","related":[],"recordings":[{"size":207,"length":1990,"mime_type":"video/webm;codecs=av01","language":"eng","filename":"why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_av1-hd.webm","state":"new","folder":"av1-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-12T16:35:44.529+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/av1-hd/why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_av1-hd.webm","url":"https://api.media.ccc.de/public/recordings/89944","event_url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":30,"length":1990,"mime_type":"audio/mpeg","language":"eng","filename":"why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-08-12T14:53:30.120+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/mp3/why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/89812","event_url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":20,"length":1990,"mime_type":"audio/opus","language":"eng","filename":"why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-08-12T14:53:13.775+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/opus/why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_opus.opus","url":"https://api.media.ccc.de/public/recordings/89808","event_url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":234,"length":1990,"mime_type":"video/webm","language":"eng","filename":"why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-12T17:04:22.201+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/webm-hd/why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/89956","event_url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":77,"length":1990,"mime_type":"video/webm","language":"eng","filename":"why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-08-12T15:54:56.940+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/webm-sd/why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/89920","event_url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":74,"length":1990,"mime_type":"video/mp4","language":"eng","filename":"why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-08-12T14:55:19.181+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/h264-sd/why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_sd.mp4","url":"https://api.media.ccc.de/public/recordings/89835","event_url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":221,"length":1990,"mime_type":"video/mp4","language":"eng","filename":"why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-12T14:35:47.263+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/h264-hd/why2025-45-eng-Die_Hardcoded_Unlocking_Yealinks_weakest_secrets_hd.mp4","url":"https://api.media.ccc.de/public/recordings/89798","event_url":"https://api.media.ccc.de/public/events/c2847fc7-51fe-5f98-be2d-29158f298910","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"}]}