What are the best option to do a firmware update on Teleworker phones

[HungryHippo]

Is there another way beside the TFTP to update the firmware on teleworker phones?

[lundah]

TFTP is it, the remote phone will download from the MBG it connects to.

[HungryHippo]

wouldn't that protocol be unsecured? Is there a way for something like sftp or https setup on MBG to have the phones updated?

[acejavelin]

What is your concern with the firmware using an unsecure protocol? The phone downloads the firmware and verifies the checksum before applying it, there isn't any real security concern here...

[HungryHippo]

doesn't hackers usually use the tftp protocol to gain access to servers for this case which is the MBG server and why tftp is usually not considered safe to allow through the firewall.

[lundah]

As far as I know TFTP is the only transfer protocol supported. In order for malicious firmware to be injected, the TFTP server would have to allow PUT (upload) access, which I don't believe the MBG allows, it allows GET (download) transactions only. In addition, you could block UDP 69 at the firewall which would force using the backup port of UDP 20001.

[HungryHippo]

That's good to know, I'll test it out and capture some logs to see if it does goes to that port. Thanks!

[acejavelin]

doesn't hackers usually use the tftp protocol to gain access to servers for this case which is the MBG server and why tftp is usually not considered safe to allow through the firewall.

I mean, you aren't entirely wrong... tftp doesn't talk to the MBG, it passes it through to the MiVB, which is only a file repository and there is no access to anything else. Tftp is just a file transfer protocol, and it is in it's most basic form in the Mitel offering them for download only (there is no upload to the Mitel via tftp)... the Mitel doesn't execute or do anything with files in it's file repository for phones, it's just storage.

There is no security issue here...