<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><style><!--
--></style></head><body lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If you can add a firewall/NAT device, you can deploy a SIP ALG/router like Adtran or Edgemarc in the user's home network and set it to only accept SIP traffic from known IPs (your SIP servers the Polycom registers with).</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> VoiceOps [mailto:<a href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>] <b>On Behalf Of </b>Sandro Gauci<br>
<b>Sent:</b> Saturday, September 28, 2013 3:01 AM<br><b>To:</b> <a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br><b>Subject:</b> Re: [VoiceOps] Phone hack</span></p><p class="MsoNormal"> </p><div><p class="MsoNormal">
Hi there,</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">It is likely that it is someone trying to find a SIP gateway / proxy that is misconfigured and would relay SIP INVITEs without requiring authentication (to commit toll fraud).</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">In this case, I think that the security hole that the attackers likely are trying to exploit does not affect your customer's home workers. </p></div>
<div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">As for solutions or mitigations (assuming you really cannot do anything with the customer's router/firewall/nat device):</p></div><div><p class="MsoNormal">
</p></div><div><div><ul type="disc"><li class="MsoNormal" style>some phones can be restricted to only respond to INVITE messages coming from specific IP addresses (such as the SIP proxy address)</li><li class="MsoNormal" style>
some phones can be restricted to only respond to INVITE messages where the SIP address is the one configured on the phone</li><li class="MsoNormal" style>you could change the SIP port to some high port - it will stop your customer's midnight callers at least for a while</li>
<li class="MsoNormal" style>switching to TCP might have the same effect, with the added benefit of not requiring NAT mapping (I think) </li></ul></div><p class="MsoNormal">Had covered something like this on my blog: </p></div>
<div><p class="MsoNormal"><a href="http://blog.sipvicious.org/2012/12/if-sipvicious-gives-you-ring.html">http://blog.sipvicious.org/2012/12/if-sipvicious-gives-you-ring.html</a></p></div><div><p class="MsoNormal"> </p></div>
<div><p class="MsoNormal">As someone else mentioned, you can detect this sort of issue with your customer equipment by sending an OPTIONS request. This is easily done using SIPVicious svmap.py. </p></div><div><p class="MsoNormal">
</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal"><br clear="all"></p><div><p class="MsoNormal">Sandro Gauci<br>Penetration tester and security researcher<br>Email: <a href="mailto:sandro@enablesecurity.com" target="_blank">sandro@enablesecurity.com</a><br>
Web: <a href="http://enablesecurity.com/" target="_blank">http://enablesecurity.com/</a><br>PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C</p></div><p class="MsoNormal" style="margin-bottom:12.0pt"> </p><div><p class="MsoNormal">
On Fri, Sep 27, 2013 at 6:46 PM, PE <<a href="mailto:peeip989@gmail.com" target="_blank">peeip989@gmail.com</a>> wrote:</p><div><p class="MsoNormal">Greetings!</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">
We have a customer whose users work from home over the local broadband carrier. They have 3 users who have complained of similar circumstances, where they are receiving multiple calls from caller ID such as "100(100)", "101(101)", and "1001(1001)". We show no record of these calls, either from CDRs, logs, or SIP captures, so it seems that there is an outside party sending SIP directly to the (Polycom) handsets.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Anyone seen this? Any idea if there is a particular security hole being attempted? Assuming the users cannot control their broadband router, any suggestions on how to better lock this down?</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Thanks</p></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br><a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a></p></div>
<p class="MsoNormal"> </p></div></div></div></body></html>