[VoiceOps] Phone hack

David Thompson dthompson at esi-estech.com
Fri Sep 27 15:13:23 EDT 2013


I have seen this before, yes. Very low risk on Polycoms to my knowledge; what
they are attempting to do is see if this is an open or exploitable SIP
proxy to commit toll fraud. Disable SIP ALG on the router and reboot the
Polycoms if possible; they are most likely getting port scanned and someone
is seeing a device answering on 5060. If the SIP ALG cannot be disabled,
consider replacing the router with something that supports this
functionality. Here is something that's super useful in checking to see if
something is there and answering to SIP requests.



http://blog.sipvicious.org/



David Thompson
Network Services Support Technician
(O) 858.357.8794
(F) 858-225-1882
(E) dthompson at esi-estech.com
(W) www.esi-estech.com



*From:* VoiceOps [mailto:voiceops-bounces at voiceops.org] *On Behalf Of* PE
*Sent:* Friday, September 27, 2013 10:46 AM
*To:* voiceops at voiceops.org
*Subject:* [VoiceOps] Phone hack



Greetings!



We have a customer whose users work from home over the local broadband
carrier. They have 3 users who have complained of similar circumstances,
where they are receiving multiple calls from caller ID such as "100(100)",
"101(101)", and "1001(1001)". We show no record of these calls, either
from CDRs, logs, or SIP captures, so it seems that there is an outside
party sending SIP directly to the (Polycom) handsets.



Anyone seen this? Any idea if there is a particular security hole being
attempted? Assuming the users cannot control their broadband router, any
suggestions on how to better lock this down?



Thanks
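
Added example, not part of the original thread: a small triage script for the situation described above, where handsets ring but the provider has no record of the call. It assumes you have a capture taken at the handset's port 5060 and know the provider's proxy range; the range, addresses, sample messages, and function names are all constructed for illustration.

```python
import ipaddress
import re

# Assumption: the provider's SIP proxies live in this range (documentation prefix).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed capture: (source IP, raw SIP request) seen on the handset's port 5060.
SAMPLE_CAPTURE = [
    ("198.51.100.5", "INVITE sip:2001@192.0.2.10:5060 SIP/2.0\r\n"
                     'From: "Front Desk" <sip:2002@pbx.example.net>;tag=a1\r\n\r\n'),
    ("203.0.113.77", "INVITE sip:100@192.0.2.10:5060 SIP/2.0\r\n"
                     'From: "100" <sip:100@192.0.2.10>;tag=b2\r\n\r\n'),
    ("203.0.113.80", "OPTIONS sip:100@192.0.2.10:5060 SIP/2.0\r\n"
                     'f: "1001" <sip:1001@192.0.2.10>;tag=c3\r\n\r\n'),
]

def parse_request(raw):
    """Split a raw SIP request into its method and a lower-cased header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def from_user(headers):
    """User part of the From URI; 'f' is the compact header form."""
    value = headers.get("from") or headers.get("f") or ""
    match = re.search(r"sips?:([^@>;]+)@", value)
    return match.group(1) if match else None

def is_trusted(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def triage(capture):
    """Report every request that did not come from the provider's proxies."""
    findings = []
    for src, raw in capture:
        if is_trusted(src):
            continue
        method, headers = parse_request(raw)
        findings.append({"src": src, "method": method, "from_user": from_user(headers),
                         "rings_phone": method == "INVITE"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_CAPTURE):
        print(finding)
```

Any finding with `rings_phone` set is a call that reached the handset without passing through the provider, which is why it never appears in the CDRs.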