[VoiceOps] Phone hack

[J. Oquendo]

On Fri, 27 Sep 2013, PE wrote:

> Greetings!
> 
> We have a customer whose users work from home over the local broadband
> carrier. They have 3 users who have complained of similar circumstances,
> where they are receiving multiple calls from caller ID such as "100(100)",
> "101(101)",  and "1001(1001)". We show no record of these calls, either
> from CDR's, logs, or SIP captures, so it seems that there is an outside
> party sending SIP directly to the (Polycom) handsets.
> 
> Anyone seen this? Any idea if there is a particular security hole being
> attempted? Assuming the users cannot control their broadband router, any
> suggestions on how to better lock this down?
> 
> Thanks

I, and I'm sure others, have seen this before. There are
ways to fix it, things to look for. However, I (and I'm sure
others will agree), it helps when we can identify whom we
are talking to. Its commonly known that attackers also
browse, and subscribe to many lists in search of who is
watching them, and who is stopping them, and how. This is
not to say you're running amok with sipvicious causing
havoc...

So to answer your question as broadly asked:

1) Yes I have seen these scans hit handsets
2) It would never make your CDR since it is sent directly
   to a SIP device (phone, ATA, etc)
3) You're likely capturing on the PBX/SBC side, which it
   never hits so your packet capture is a moot point
4) Don't want to name possibly affected vendors.
5) Your SIP devices (Phones, ATAs, etc) should not be
   exposed to the world. If someone is hitting a device
   that is behind say NAT/FW/etc. (non-public IP addr) then
   you may have bigger problems.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF