[VoiceOps] Phone hack

Brian R briansupport at hotmail.com
Fri Sep 27 16:36:32 EDT 2013

We have not specifically seen this; however, we have played around with several of our SIP devices by setting them as public and poking holes in firewalls for direct IP dialing.
With what we use I think the worst we have seen is customers making them available and having them hacked and FWD to international numbers (another thing to block by default).
My suggestion is always use a firewall (or private vlan/network if you're an ISP, etc).
> Date: Fri, 27 Sep 2013 14:00:58 -0500
> From: joquendo at e-fensive.net
> To: peeip989 at gmail.com
> CC: voiceops at voiceops.org
> Subject: Re: [VoiceOps] Phone hack
> On Fri, 27 Sep 2013, PE wrote:
> > Greetings!
> > 
> > We have a customer whose users work from home over the local broadband
> > carrier. They have 3 users who have complained of similar circumstances,
> > where they are receiving multiple calls from caller ID such as "100(100)",
> > "101(101)",  and "1001(1001)". We show no record of these calls, either
> > from CDR's, logs, or SIP captures, so it seems that there is an outside
> > party sending SIP directly to the (Polycom) handsets.
> > 
> > Anyone seen this? Any idea if there is a particular security hole being
> > attempted? Assuming the users cannot control their broadband router, any
> > suggestions on how to better lock this down?
> > 
> > Thanks
> I, and I'm sure others, have seen this before. There are
> ways to fix it, things to look for. However, I (and I'm sure
> others will agree), it helps when we can identify whom we
> are talking to. It's commonly known that attackers also
> browse, and subscribe to many lists in search of who is
> watching them, and who is stopping them, and how. This is
> not to say you're running amok with sipvicious causing
> havoc...
> So to answer your question as broadly asked:
> 1) Yes I have seen these scans hit handsets
> 2) It would never make your CDR since it is sent directly
>    to a SIP device (phone, ATA, etc)
> 3) You're likely capturing on the PBX/SBC side, which it
>    never hits so your packet capture is a moot point
> 4) Don't want to name possibly affected vendors.
> 5) Your SIP devices (Phones, ATAs, etc) should not be
>    exposed to the world. If someone is hitting a device
>    that is behind say NAT/FW/etc. (non-public IP addr) then
>    you may have bigger problems.
> -- 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
> 42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
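
Added example, not part of the original thread: a check for the situation discussed above, run over SIP captured at the handset side (where these calls are visible), that flags INVITEs arriving from anything other than the provider's signaling addresses. The addresses, the User-Agent strings, the sample messages and the function names are constructed assumptions.

```python
import ipaddress
import re

# Assumption: only the provider's SBC/proxy may signal the handset
# (documentation-range placeholder, not a real address).
TRUSTED_SIGNALING = [ipaddress.ip_network("203.0.113.0/28")]
FROM_RE = re.compile(r'^(?:"?([^"<]*?)"?\s*)?<?sips?:([^@;>]+)@', re.I)

def parse_sip(raw):
    """Split a SIP request into (method, headers); header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    method = head[0].split(" ", 1)[0].upper()
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def direct_invites(packets, trusted=TRUSTED_SIGNALING):
    """Return INVITEs that reached the phone from outside the trusted set."""
    findings = []
    for src, raw in packets:
        method, headers = parse_sip(raw)
        if method != "INVITE" or any(ipaddress.ip_address(src) in n for n in trusted):
            continue
        m = FROM_RE.match(headers.get("from", headers.get("f", "")))
        display, user = (m.group(1) or "", m.group(2)) if m else ("", "?")
        findings.append({"src": src, "display": display.strip(), "user": user,
                         "user_agent": headers.get("user-agent", "")})
    return findings

def make_invite(user, target, ua):
    # Builds a minimal constructed INVITE for the sample capture below.
    return (f"INVITE sip:{target} SIP/2.0\r\n"
            f'From: "{user}" <sip:{user}@{target}>;tag=1\r\n'
            f"To: <sip:{target}>\r\nUser-Agent: {ua}\r\n\r\n")

# Constructed capture taken at the handset (192.0.2.10), not at the PBX/SBC.
SAMPLE = [
    ("203.0.113.5", make_invite("5551234", "192.0.2.10", "provider-sbc")),
    ("198.51.100.77", make_invite("100", "192.0.2.10", "constructed-scanner")),
    ("198.51.100.77", make_invite("1001", "192.0.2.10", "constructed-scanner")),
    ("198.51.100.77", "OPTIONS sip:192.0.2.10 SIP/2.0\r\nFrom: <sip:100@192.0.2.10>\r\n\r\n"),
]

if __name__ == "__main__":
    for f in direct_invites(SAMPLE):
        print(f"{f['src']} -> caller ID {f['display']}({f['user']}) UA={f['user_agent']}")
```

Any hit means the handset's SIP port is reachable from outside the provider's signaling path, which is the exposure the replies above say to close with a firewall or private network.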