[VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed

Matt Yaklin myaklin at g4.net
Fri Nov 1 15:22:53 EDT 2013



On Fri, 1 Nov 2013, Monterrosa Santiago wrote:

> Hi, interesting puzzle!
>
> Just trying to figure out your scenario
>
> Have you checked in the CDRs if the originating IP address matches the private IP of the Yealink?
> If not, the hacker could be guessing wisely the Broadsoft authentication password of the Yealink
> devices to register its own device from Internet, then making calls to 
> Grenada or wherever destination is allowed.
>


I know that scenario is not the case because the POTS line is on
a legacy voice switch which is TDM based. No SIP.

I clearly see the calls coming into my border switch from the
legacy switch. That means the calls came from the POTS line for
sure.

I just put an 8-digit authorization PIN on the POTS for international
dialing to stop the problem for now and buy me some time.

It really does appear that I am either making a config mistake,
the customer has a physical security issue, or the Edgemarc has
a problem with its software that allows an attacker to use the FXO
port in some way...

matt at G4.net


> -----Original Message-----
> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Matt Yaklin
> Sent: Friday, 01 November 2013 10:31 a.m.
> To: voiceops at voiceops.org
> Subject: [VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed
>
>
> Hi all,
>
> I had some toll fraud to Grenada last night which we stopped as soon as we became aware of it. Example numbers being dialed were:
>
> 1-473-405-0085
> 1-473-405-0084
> 1-473-405-0088
>
> Normally I can track down how it happened to figure out who was at fault.
> But this time I am having a hard time.
>
> The customer has two types of service from us: Yealink phones connected to our Broadsoft system with an Edgemarc 200EW installed at the customer premises. They also have some POTS lines with us for faxing. One of those POTS lines is connected to the Edgemarc 200EW via the built-in FXO port for "Survivability", meaning if the WAN ethernet port on the Edgemarc has a failure they can at least have one line to dial out on in case of an emergency. That is about the only time it would ever be used except for faxing.
>
> The toll fraud CPN just happens to be that POTS line connected to the Edgemarc. That POTS line is also connected to a very basic fax machine.
>
> In the Edgemarc for that FXO port, two-stage dialing is disabled in both directions. We had incoming calls on the FXO line being forwarded to a Yealink phone, but that would never function properly due to the customer having a fax machine on that line picking up first. Just leftover config from the install where we made an assumption the customer might want it.
>
> The Yealink phones are behind the Edgemarc (NAT) and not reachable via the internet. The Edgemarc is using radius for user auth and has strong passwords set. I cannot find any config in Broadsoft where a user had call forwarding setup or whatever that would cause this. I cannot find any settings in the Edgemarc that would allow this to take place. As in a config mistake.
>
> The Edgemarc is running code Version 11.6.19.
> The Yealink phones are also up to date with the newest code from the vendor's website.
>
> I do not think this fraud was done on site via physical means. It is a school and I just cannot picture a student or faculty having a need to call Grenada.
>
> The Edgemarc does have port 5060 open to the world but it is just a "proxy".
> I was under the impression that one cannot brute force an account on a proxy device that has no config as such, like an Asterisk box would. You would basically be brute forcing against Broadsoft in that case?
>
> Either way I am still digging into things but I thought by sending this email someone might have some advice to clue me into something I am missing when it comes to Edgemarc and FXO security.
>
> Thanks,
>
> matt at g4.net
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
>
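A CDR triage script, added here as an illustration and not part of this thread or any vendor's tooling, for the two checks raised above: whether the international calls entered over the TDM trunk from the legacy switch or over the SIP path through the Edgemarc, and Santiago's test of whether SIP call sources sit inside the customer's private range. The CDR layout, the 555 calling numbers, the LAN range 192.168.10.0/24 and the small country table are constructed assumptions; only the 1-473 dialed numbers come from the thread.

```python
import ipaddress
from collections import defaultdict

# Illustrative, not exhaustive: NANP area codes most US carriers bill as
# international. 473 is Grenada, the destination in this thread.
NON_US_NANP = {"473": "Grenada", "876": "Jamaica", "809": "Dominican Republic"}

# Constructed sample CDRs (not real records). Fields: timestamp, ingress
# (TDM trunk from the legacy switch, or SIP via the Edgemarc), SIP source
# IP ("-" for TDM), calling number (CPN), dialed number, duration in seconds.
SAMPLE_CDRS = """\
2013-10-31T23:02:11 tdm:legacy-switch - 5555550199 14734050085 610
2013-10-31T23:03:40 tdm:legacy-switch - 5555550199 14734050084 595
2013-10-31T23:05:02 tdm:legacy-switch - 5555550199 14734050088 620
2013-10-31T14:10:09 sip:edgemarc 192.168.10.21 5555550120 16035551234 45
2013-10-31T14:12:50 sip:edgemarc 203.0.113.7 5555550120 16035555678 30
"""
CUSTOMER_LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN range

def parse_cdrs(text):
    rows = []
    for line in text.splitlines():
        ts, ingress, src, cpn, dialed, secs = line.split()
        rows.append({"ts": ts, "ingress": ingress, "src": src,
                     "cpn": cpn, "dialed": dialed, "secs": int(secs)})
    return rows

def destination_country(dialed):
    """Country for an 11-digit NANP number outside the US/Canada, else None."""
    digits = dialed.lstrip("+")
    if len(digits) == 11 and digits.startswith("1"):
        return NON_US_NANP.get(digits[1:4])
    return None

def international_by_cpn(rows):
    """Per calling number: how many international calls, and which ingress they used."""
    out = defaultdict(lambda: {"calls": 0, "seconds": 0, "ingress": set(), "countries": set()})
    for r in rows:
        country = destination_country(r["dialed"])
        if country:
            s = out[r["cpn"]]
            s["calls"] += 1
            s["seconds"] += r["secs"]
            s["ingress"].add(r["ingress"])
            s["countries"].add(country)
    return dict(out)

def sip_sources_off_lan(rows, lan=CUSTOMER_LAN):
    """Santiago's check: SIP calls whose source IP is not in the customer's private range."""
    return [(r["cpn"], r["src"]) for r in rows
            if r["src"] != "-" and ipaddress.ip_address(r["src"]) not in lan]

if __name__ == "__main__":
    rows = parse_cdrs(SAMPLE_CDRS)
    for cpn, s in international_by_cpn(rows).items():
        print(cpn, s["calls"], "calls,", s["seconds"], "s via", sorted(s["ingress"]), sorted(s["countries"]))
    print("SIP calls from outside the LAN:", sip_sources_off_lan(rows))
```

On the sample data the three Grenada calls all carry the fax line's CPN and arrive over the TDM trunk, which is the pattern Matt describes; the off-LAN SIP source is the case Santiago asked about.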
