1. VoIP Security 101 -
What You Need to Know
ERIC KLEIN, VP OPERATIONS
http://www.greenfieldtech.net

2. My name is Eric Klein
2
VoIP Fraud Prevention evangelist
Startup advisor and enthusiast
Author, blogger for Technology
and travel
• Security chapter out this week
• 1st novel in edit
A Little about myself…
Relatively new grandfather
(photos upon request)

3. 3
Passionate about delivering the right
telecom solutions
Greenfield provides creative high-end
solutions and services for telecom
operators, enterprises, and start-ups.
We enjoy making tech dreams a
reality – by developing and delivering
simple, feasible, affordable and
reliable solutions to challenges that
seem ‘impossible’.
We believe that in order to help you
achieve your goals, we must fully
immerse ourselves in your business
and see ourselves as a part of your
organization. We sometimes speak
out when other consultants would not,
with your best interests in mind.

4. Who is Attacking
4

5. 5
– low risk, high return crime
Organized Crime
– use the funds to fund more
terror
Terrorists
- for fun and bragging rights
(think Steve Jobs)
Kids
- As a fully outsourced service
for criminal or terrorist
organizations
Hackers for hire
Who is out there looking for your phone?
Who is Attacking

6. How Much Are They Attacking
Source: www.cfca.org/fraudlosssurvey/
Next report should come out in November 2017
6

7. 7
Key Findings
• 2015 Global Fraud Loss: $38.1 Billion (USD) annually
• 89% of operators surveyed said fraud losses had increased or
stayed the same as previous year
• Top 5 Fraud Methods:
• $3.93 B – PBX Hacking
• $3.53 B – IP PBX Hacking
• $3.53 B – Subscription Fraud (Application)
• $3.14 B – Dealer Fraud
• $2.55 B – Subscription Fraud (Identity)
Source: www.cfca.org/fraudlosssurvey/
This means you or your customers can be hit.

8. Where do they call?
Source: www.cfca.org/fraudlosssurvey/
8
Do you need to allow traffic to these destinations?

9. 9
What They Get From Attacking
Easy cash from:
Free phone calls at your
expense
Reselling phone services
Cash from Premium calls (1-
900) where they get revenue
share
In very rare cases – Bragging
rights (but now that is mostly
history)

10. 1
0
Fast and Furious
They were Fast and He was
Furious:
Story was told by audience
member at Security Panel on the
last day of Astricon 2011 in Denver
A customer called and asked for
default password as they wanted
to configure their PBX and
connect to the internet
He gave them the password and
then connected to the PB himself
to watch what would happen
In under 10 min. the PBX was
found and hacked, with new
extensions created and outbound
calls being made
So how did they find this PBX?

11. How they find you?
11

12. Internet Census
 50 GB of data Collected and published
 Collected by using bots on unsecure internet
devices (default username/password)
 If one client scans ten IP addresses per second, it
requires approximately 4000 clients to scan one
port on all 3.6 billion IP addresses of the Internet in
one day
 They used ~420K Clients
Botnet distribution shown
Source: http://internetcensus2012.bitbucket.org/paper.html
12

13. Be Careful in What You Advertise
Which is scarier:
Exposing that you
are accessible via
Port 22 or port 80?
13

14. Shodan
Found:
11,192,438 for SIP devices
By using a simple Google
Like search
14

15. Be Careful in What You Advertise
Why make it easy for them to not only find you, but to know what you are
running?
Do you want to let them exploit known security holes or default passwords?
15

16. • SIPVicious suite is a set of tools that can be used to audit SIP based
VoIP systems. It currently consists of four tools:
• svmap
This is a sip scanner. When launched against ranges of IP address space, it will identify any
SIP servers which it finds on the way. Also has the option to scan hosts on ranges of ports.
• svwar
Traditionally a war dialer used to call up numbers on the phone network to identify ones
that are interesting from ones that are not. With SIP, you can do something similar to
identify active users
• svcrack
This is a password cracker making use of digest authentication. It is able to crack passwords
on both registrar servers and proxy servers. It can make use of ranges of numbers or a
dictionary file full of possible passwords.
• svreport
Able to manage sessions created by the rest of the tools and export to pdf, xml, csv and
plain text.
(Lists SIP devices found on an IP range)
(Identifies active extensions on a PBX)
(An online password cracker for SIP PBX)
16

17. What can you do?
17

18. 1
8
Hardening your system
Basic methodologies and best
practices for configuring
Asterisk PBXs. What have we
learned from monitoring and
auditing Asterisk PBXs and how
can you avoid the common
mistakes?

19. Lets start with the
Corporate level
19

20. 2
0
Common Policy Problems
Incomplete, Non-existent, Unenforced
Password Policies
Server / PBX Passwords
Multiple PBXs using the same password
Root access and web client interface using the
same password (if any)
Phones and Extension Passwords
Default Password on the PBX (or GUI)
Identical or default SIP passwords for all phones
Identical or default Voicemail passwords for all
extensions
No Update Policy
PBX Software
Phone Firmware
No Mailbox Polices
Who/what extensions get voicemail
When to close them
No Allowed / Denied Destines Policies
Do all employees need to call all countries?
Who does / does not?
No Policy To Monitor Phone Usage / Activity

21. 2
1
Internal Fraud the Worst
Do you need a courtesy phone?
Does it really need long
distance dialing?
Does it really need international
dialing?
Does it really need a voice-
mailbox?
What about break room, copy,
or conference rooms?
Do you need these 24 x 7?

22. 2
2
Be aware of the problem
Harden your system
Set proper policies
Does everyone need it
(international calls, call via PBX,
etc.)?
Who needs it?
Why and is there a better solution
or security option?
Lock things down if they are not
needed
Don’t allow pass through dialing
(unless needed, and then limit it)
Use multi-layer solutions
Use audit and monitoring
solutions

23. 2
3
Don’t Use Default Passwords
Why make it easier for them?
Look to use harder to hack
passwords/phrases
Longer is better (they now have a
bot that can crack a 4 digit cell
phone screen lock automatically,
similar things work for electronic
passwords
Consider using Fail2BAN as one
of the layers in your security as it
will lock out repeat attempts to
hack a password
Make sure that only a few people
have access to the system –
humans are one of the weakest
links in security via phishing or
internal attacks

24. 2
4
Check Your Contracts (Liability)
Find out what your contract
includes in terms of text about
fraudulent calls and your liability
Learn how to activate these if
needed
Find out if your carrier offers
Monitoring or limiting amounts me
countries
Which are automatic?
Can you set the limits?
Do they notify you or cut you off?
Blocking premium numbers or
calls to international destinations
Can they be configured by
extension (let President’s Assistant
call anywhere but not lobby
phone)?
Can they be configured by day of
week/time of day?

25. Lets look at the
operating system level
25

26. 2
6
Common Server Policy Problems
Incomplete, non-existent,
unenforced Password policies:
Many had identical default SIP
passwords for all phones that were
never changed
Many had identical default
Voicemail passwords for all
extensions that were never
changed
Server / PBX Passwords
Multiple PBXs using the same
password
Root access and web client
interface using the same password
(if any)
No update policy
Server OS
Apache Server software

27. Audit Results:
Server and OS level problems found
18.6
117
8.75
54
8.8
32
0
20
40
60
80
100
120
140
Average Most
High
Medium
Low
Conclusion:
You need to have an update
policy with regular security
updates for the server, not just the
Asterisk software.
27

28. Examples of OS and Server Level
http (80/tcp)
High (CVSS: 7.8)
NVT: Apache httpd Web Server Range Header Denial of Service Vulnerability (OID:
1.3.6.1.4.1.25623.1.0.901203)
general/tcp
High (CVSS: 10.0)
NVT: Kerberos5 Multiple Integer Underflow Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.800433)
general/tcp
High (CVSS: 10.0)
NVT: CentOS Update for kernel CESA-2010:0610 centos5 i386 (OID: 1.3.6.1.4.1.25623.1.0.880569)
general/tcp
High (CVSS: 10.0)
NVT: mpg123 Player Denial of Service Vulnerability (Linux) (OID: 1.3.6.1.4.1.25623.1.0.900538)
To Fix: perform a full system update, type this command:
Eg: su -c 'yum update'
28

29. Lets Consider The
Asterisk pbx
29

30. 3
0
Common Configuration Problems
Not protecting from common
attacks
Context for SIP trunks to
external destinations set as if
they were internal extensions
Old PBXs, extensions, SIP
trunks still configured even
though they are not in use
Voice and Data configured in a
flat configuration (both on the
same subnet)
Misconfiguration of Dial
Commands

31. 3
1
Block Simple Enumeration Attacks
Systems like SIPVicious use
Enumeration Attacks to identify
target SIP devices
In Asterisk, you can enable this
protection by setting the following
in your sip.conf:
alwaysauthreject=yes
This can be configured in
FreePBX
Recent versions via the SIP
Settings option under the Settings
tab (use the Other SIP Settings
options at the bottom of the page).
Older versions will require that you
change it in the sip.conf manually.

32. 3
2
Prevent Basic Hack Attempts
Don’t be on the public Internet
(have SBC, Firewall, NAT in
front of the PBX)
Don’t keep the default
passwords on Server or PBX
Use Fail2BAN to help block
repeated attempts to login to the
server
Change the advertised name of
the PBX (so sites like Shodan
will not display it)

33. 3
3
Incorrect Contexts
Using the from-internal context
means
All calls on that route or trunk are
treated as if they came from an
internal phone – with all the rights
and privileges that includes:
Make outbound calls
Set call forwarding
Combining the 2 makes it possible
to use your PBX as a free long
distance phone company
Be generous use as many
contexts as you have different
dialing authority or use cases:
from =Sip-provider
from=IAX2
from=Sales-employees
from=courtesy-phone

34. 3
4
Be Careful With Dial Commands
In order to enable call transfers, you
have to utilize either the “t” or “T”
parameters of the Dial command
Due to lack of understanding by many
admins – here is a common
configuration mistake:
Doing this opened a way for anyone
who dials in to forward their call to any
PBX function – including call
forwarding, voicemail, etc.

35. Lets Finish at the
Physical level
35

36. Who has access
• To server room
• To the office in off hours (nights/weekends/holidays)
36

37. Keep up with current events
37

38. Watch the news and follow events
• 2 years ago the European courts killed the Safe Harbor provided the
legal ability for US companies to serve European customers.
• A new law went into effect last July. More than 1,500 companies
including Apple, Google and Microsoft had agreed to abide by the
Privacy Shield agreement, which requires the US Department of
Commerce to ensure that American companies are operating in
compliance with EU privacy laws.
• It is now in very real danger of unravelling. And it's all thanks to
an Executive Order that Trump signed against refugees. Specifically,
it's Section 14, which reads:
• Privacy Act. Agencies shall, to the extent consistent with applicable law,
ensure that their privacy policies exclude persons who are not United
States citizens or lawful permanent residents from the protections of the
Privacy Act regarding personally identifiable information.
38
Full text: https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-
executive-order-enhancing-public-safety-interior-united

39. Shameless plug
3
9

40. More about this topic is in
Peerlyst eBook 2 - Essentials of
Cybersecurity
• Chapter 9 is Telecom 101
You can download it for free
here (requires signup):
http://tiny.cc/Cybersecurity
4
0
More details in free
book

41. 41
Thank You
Contact Me at:
Eric@greenfieldtech.net
Skype: EricLKlein
www.greenfieldtech.net
US +1 805 410 1010
UK +44 291 100 8888
Il +972 73 255 7799