We recently had a phone call from an occasional client of ours asking for our urgent help in sorting out a major problem with his phone system.

To cut a longer story short, he had been taken for £30,000 by phone hackers and wanted our help to stop the fraud, as his phone engineer and trunking provider had failed to do so. To add a new twist to the ‘normal’ phone fraud that we have seen before, these hackers also made bogus 999 calls from his system, which led to the involvement of the Police. Not good.

Unusually, this was a Panasonic Hybrid IP PBX rather than an open source system, so not something we had come across before in terms of VoIP security. However, basic principles still apply and, after analysing what the system was actually being used for, we found that there was no need for (inbound) SIP to be open at all. Both the SIP trunk provider and the telephone engineer didn’t believe the system would function without SIP being open on the firewall, which showed a worrying lack of understanding of IP protocols and networking in general…

However, in spite of their scepticism, after closing port 5060 everything continued to work except for the hacking as that stopped immediately.

Lessons learned

Have no doubt that if you connect a SIP based phone system to the internet it will become a target for attack within hours, if not sooner. There are gangs of fraudsters out there actively scanning for open SIP ports and then using automated systems to exploit unsecured or poorly secured PBXs. They will find the flaws in your system and then mercilessly sell your minutes to willing users until your credit line is exhausted. If you have an unlimited credit facility then more fool you, because your trunk provider is unlikely to let you off the bill because of your ignorance.

These are the lessons we have taken away from this incident.

  • Traditional telephone companies and engineers appear, in many instances, to be woefully ignorant of SIP and VoIP security. Traditional PBX manufacturers are bolting on SIP functionality, but the systems are being sold by people used to dealing with 2-wire telephony cable and not professionally trained in Internet technologies, let alone system security hardening.
  • Assume any telephone system connected to the internet is vulnerable and will be hacked. Think about how much credit you need on any account and whether you can set up alerting for low credit, and think about blocking calls to high risk destinations such as Africa, Pakistan, etc. If possible, block calls out of working hours.
  • Never, never, never use default passwords or easy to crack passwords on SIP extensions. Use a random password generator and use the maximum possible password length on each extension. If you do nothing else, do this!
  • Unless you are trying to run a commercial VoIP business you probably don’t need SIP port 5060 open inbound on your firewall at all. Remote phones should be connected via VPNs or, if you can’t do that, restrict inbound connections to fixed IP addresses only.
  • Ideally VoIP traffic over the internet should be encrypted and if you are using softphones over WiFi be aware that you are passing authentication and registration information in plain text. Used over a compromised wireless network (think internet cafes, hotels, public hotspots & MITM) you are giving the hackers access to your VoIP.
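
To make the second lesson concrete, here is an added example (not part of the original post, and not code from any PBX or trunk provider) that reviews call records for out-of-hours calls, high risk destinations and a day's spend crossing an alert level. The CSV layout, working hours, prefix list, threshold and sample records are all assumptions made up for the illustration.

```python
import csv
import io
from datetime import datetime

# Assumptions (not from the post): the CSV record layout, working hours,
# prefix list and spend threshold are illustrative values to adapt.
WORK_START, WORK_END = 8, 18             # 08:00-17:59, Monday to Friday
HIGH_RISK_PREFIXES = ("0092", "00234")   # Pakistan and Nigeria as dialled from the UK
SPEND_ALERT_GBP = 15.00                  # alert when a day's spend crosses this

# Constructed sample records: start time, extension, dialled number, cost (GBP)
SAMPLE_CDR = """\
2013-07-08T10:15:00,201,02079460000,0.40
2013-07-08T23:40:00,203,00923001234567,9.80
2013-07-09T02:05:00,203,002348012345678,12.50
2013-07-09T02:30:00,203,02079460001,0.30
2013-07-09T11:00:00,201,00923001234568,4.20
"""


def review_calls(cdr_text):
    """Return (alerts, spend_by_day) for CSV call records."""
    alerts, spend = [], {}
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        start, ext, dialled, cost = row
        when = datetime.fromisoformat(start)
        reasons = []
        if when.weekday() >= 5 or not WORK_START <= when.hour < WORK_END:
            reasons.append("out-of-hours")
        if dialled.startswith(HIGH_RISK_PREFIXES):
            reasons.append("high-risk-destination")
        day = when.date().isoformat()
        before = spend.get(day, 0.0)
        spend[day] = round(before + float(cost), 2)
        if before <= SPEND_ALERT_GBP < spend[day]:
            reasons.append("daily-spend-threshold")
        if reasons:
            alerts.append((start, ext, dialled, reasons))
    return alerts, spend


if __name__ == "__main__":
    for start, ext, dialled, reasons in review_calls(SAMPLE_CDR)[0]:
        print(f"{start} ext {ext} -> {dialled}: {', '.join(reasons)}")
```

Run against a real export, the same three checks are also the ones worth asking your trunk provider to enforce on their side, where a compromised PBX cannot switch them off.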

If you want to see an excellent example of a tool that can be used for scanning networks for vulnerable VoIP systems, have a look at SIPVicious.

* This post is proving very popular. Judging from some of the traffic sources some of you are looking for actual hacking techniques. Sorry to disappoint. For the others who are looking for security tips I hope it helps and that a trip to SIPVicious gives you some tools to test your security.



by hostadmin on Jul 10, 2013 at 11:47 PM

