As presented at ITExpo 2017 and the April Peerlyst Tel-Aviv security Meetup.
Can your company afford to ignore VoIP security? With the number of attacks on your telephone services and mobile devices your chance of being attacked and financial liability is at an all time high. This session offers an introductory primer to securing your VoIP PBX. This talk will include explanations about common attacks, how they can find you, and common techniques you can use to defend your company.
VoIP Security 101 what you need to know
1. VoIP Security 101 -
What You Need to Know
ERIC KLEIN, VP OPERATIONS
http://www.greenfieldtech.net
2. A Little about myself…
My name is Eric Klein
VoIP Fraud Prevention evangelist
Startup advisor and enthusiast
Author, blogger for technology and travel
• Security chapter out this week
• 1st novel in edit
Relatively new grandfather (photos upon request)
3. Passionate about delivering the right telecom solutions
Greenfield provides creative high-end
solutions and services for telecom
operators, enterprises, and start-ups.
We enjoy making tech dreams a
reality – by developing and delivering
simple, feasible, affordable and
reliable solutions to challenges that
seem ‘impossible’.
We believe that in order to help you
achieve your goals, we must fully
immerse ourselves in your business
and see ourselves as a part of your
organization. We sometimes speak
out when other consultants would not,
with your best interests in mind.
5. Who is Attacking
Who is out there looking for your phone?
Organized Crime – low risk, high return crime
Terrorists – use the funds to fund more terror
Kids – for fun and bragging rights (think Steve Jobs)
Hackers for hire – as a fully outsourced service for criminal or terrorist organizations
6. How Much Are They Attacking
Source: www.cfca.org/fraudlosssurvey/
Next report should come out in November 2017
7. Key Findings
• 2015 Global Fraud Loss: $38.1 Billion (USD) annually
• 89% of operators surveyed said fraud losses had increased or
stayed the same as previous year
• Top 5 Fraud Methods:
• $3.93 B – PBX Hacking
• $3.53 B – IP PBX Hacking
• $3.53 B – Subscription Fraud (Application)
• $3.14 B – Dealer Fraud
• $2.55 B – Subscription Fraud (Identity)
Source: www.cfca.org/fraudlosssurvey/
This means you or your customers can be hit.
8. Where do they call?
Source: www.cfca.org/fraudlosssurvey/
Do you need to allow traffic to these destinations?
9. What They Get From Attacking
Easy cash from:
• Free phone calls at your expense
• Reselling phone services
• Cash from premium-rate calls (1-900) where they get a revenue share
In very rare cases – bragging rights (but now that is mostly history)
10. Fast and Furious
They were fast and he was furious:
Story was told by an audience member at the Security Panel on the last day of Astricon 2011 in Denver.
A customer called and asked for the default password, as they wanted to configure their PBX and connect it to the internet.
He gave them the password and then connected to the PBX himself to watch what would happen.
In under 10 min. the PBX was found and hacked, with new extensions created and outbound calls being made.
So how did they find this PBX?
12. Internet Census
50 GB of data collected and published
Collected by using bots on insecure internet devices (default username/password)
If one client scans ten IP addresses per second, it requires approximately 4000 clients to scan one port on all 3.6 billion IP addresses of the Internet in one day
They used ~420K clients
Botnet distribution shown
Source: http://internetcensus2012.bitbucket.org/paper.html
13. Be Careful in What You Advertise
Which is scarier:
Exposing that you
are accessible via
Port 22 or port 80?
15. Be Careful in What You Advertise
Why make it easy for them to not only find you, but to know what you are
running?
Do you want to let them exploit known security holes or default passwords?
16. • SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:
• svmap (lists SIP devices found on an IP range)
This is a SIP scanner. When launched against ranges of IP address space, it will identify any SIP servers which it finds on the way. Also has the option to scan hosts on ranges of ports.
• svwar (identifies active extensions on a PBX)
Traditionally a war dialer used to call up numbers on the phone network to identify ones that are interesting from ones that are not. With SIP, you can do something similar to identify active users.
• svcrack (an online password cracker for SIP PBX)
This is a password cracker making use of digest authentication. It is able to crack passwords on both registrar servers and proxy servers. It can make use of ranges of numbers or a dictionary file full of possible passwords.
• svreport
Able to manage sessions created by the rest of the tools and export to pdf, xml, csv and plain text.
18. Hardening your system
Basic methodologies and best practices for configuring Asterisk PBXs. What have we learned from monitoring and auditing Asterisk PBXs, and how can you avoid the common mistakes?
20. Common Policy Problems
Incomplete, non-existent, unenforced password policies
• Server / PBX passwords
  Multiple PBXs using the same password
  Root access and web client interface using the same password (if any)
• Phone and extension passwords
  Default password on the PBX (or GUI)
  Identical or default SIP passwords for all phones
  Identical or default voicemail passwords for all extensions
No update policy
• PBX software
• Phone firmware
No mailbox policies
• Who/what extensions get voicemail
• When to close them
No allowed / denied destinations policies
• Do all employees need to call all countries?
• Who does / does not?
No policy to monitor phone usage / activity
21. Internal Fraud the Worst
Do you need a courtesy phone?
• Does it really need long distance dialing?
• Does it really need international dialing?
• Does it really need a voice-mailbox?
What about break room, copy, or conference rooms?
Do you need these 24 x 7?
22. Be aware of the problem
Harden your system
Set proper policies
• Does everyone need it (international calls, call via PBX, etc.)?
• Who needs it?
• Why, and is there a better solution or security option?
Lock things down if they are not needed
Don’t allow pass-through dialing (unless needed, and then limit it)
Use multi-layer solutions
Use audit and monitoring solutions
23. Don’t Use Default Passwords
Why make it easier for them?
Use harder-to-guess passwords/passphrases
Longer is better (they now have a bot that can crack a 4-digit cell phone screen lock automatically; similar things work for electronic passwords)
Consider using Fail2BAN as one of the layers in your security, as it will lock out repeat attempts to guess a password
Make sure that only a few people have access to the system – humans are one of the weakest links in security, via phishing or internal attacks
24. Check Your Contracts (Liability)
Find out what your contract says about fraudulent calls and your liability
Learn how to activate these protections if needed
Find out if your carrier offers monitoring or limits on spend and on destination countries
• Which are automatic?
• Can you set the limits?
• Do they notify you or cut you off?
Blocking premium numbers or calls to international destinations
• Can they be configured by extension (let the President’s assistant call anywhere, but not the lobby phone)?
• Can they be configured by day of week / time of day?
26. Common Server Policy Problems
Incomplete, non-existent, unenforced password policies:
• Many had identical default SIP passwords for all phones that were never changed
• Many had identical default voicemail passwords for all extensions that were never changed
Server / PBX passwords
• Multiple PBXs using the same password
• Root access and web client interface using the same password (if any)
No update policy
• Server OS
• Apache server software
27. Audit Results: Server and OS level problems found
Findings per audited server, by severity (bar chart in the original):
Severity  Average  Most
High      18.6     117
Medium    8.75     54
Low       8.8      32
Conclusion: You need to have an update policy with regular security updates for the server, not just the Asterisk software.
28. Examples of OS and Server Level
http (80/tcp), High (CVSS: 7.8)
NVT: Apache httpd Web Server Range Header Denial of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.901203)
general/tcp, High (CVSS: 10.0)
NVT: Kerberos5 Multiple Integer Underflow Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.800433)
general/tcp, High (CVSS: 10.0)
NVT: CentOS Update for kernel CESA-2010:0610 centos5 i386 (OID: 1.3.6.1.4.1.25623.1.0.880569)
general/tcp, High (CVSS: 10.0)
NVT: mpg123 Player Denial of Service Vulnerability (Linux) (OID: 1.3.6.1.4.1.25623.1.0.900538)
To fix: perform a full system update, e.g. su -c 'yum update'
30. Common Configuration Problems
Not protecting from common attacks
Context for SIP trunks to external destinations set as if they were internal extensions
Old PBXs, extensions, SIP trunks still configured even though they are not in use
Voice and data configured in a flat configuration (both on the same subnet)
Misconfiguration of Dial commands
31. Block Simple Enumeration Attacks
Systems like SIPVicious use enumeration attacks to identify target SIP devices and the extensions on them
In Asterisk, you can enable this protection by setting the following in your sip.conf:
alwaysauthreject=yes
This can be configured in FreePBX:
• Recent versions: via the SIP Settings option under the Settings tab (use the Other SIP Settings options at the bottom of the page).
• Older versions will require that you change it in sip.conf manually.
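As an added example (mine, not from the deck or from the Asterisk project), here is a chan_sip sip.conf fragment that puts the enumeration-friendly setting beside the hardened one, and shows the trunk and phone definitions the later slides argue for. The provider hostname, the voice-VLAN range, the secret and the context names are placeholders.

```ini
; /etc/asterisk/sip.conf -- added example, not from the deck.
; Provider hostname, voice-VLAN range, secret and context names are placeholders.

[general]
; WEAK: with alwaysauthreject=no, a REGISTER for an extension that does not
; exist is answered "404 Not Found", while an existing extension is challenged
; with "401 Unauthorized". svwar only has to count the 401s to list your extensions.
;alwaysauthreject=no

; HARDENED: unknown accounts get the same challenge as real ones, so a scan
; cannot tell which extensions exist and guessing has to start from scratch.
alwaysauthreject=yes
allowguest=no              ; refuse calls from peers that do not authenticate
context=from-public        ; dead-end context (must exist in extensions.conf and only Hangup())

; WEAK trunk definition: the provider is treated like an internal phone.
;[provider-trunk]
;type=friend
;host=sip.provider.example
;context=from-internal     ; inbound calls from the trunk inherit the outbound routes

; HARDENED trunk: its own context, so the dialplan decides what an outside caller may reach.
[provider-trunk]
type=peer
host=sip.provider.example  ; placeholder
insecure=invite            ; provider does not authenticate the INVITEs it sends us
context=from-sip-provider

; Internal phone: unique long secret, reachable only from the voice VLAN.
[1001]
type=friend
host=dynamic
secret=REPLACE-WITH-A-LONG-RANDOM-SECRET   ; never the default, never shared between phones
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=10.20.30.0/255.255.255.0             ; placeholder voice-VLAN range
```

Check it from outside rather than trusting the file: run `svwar` against the box before and after `sip reload`; with the hardened setting the scan should come back empty instead of listing 1001.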
32. Prevent Basic Hack Attempts
Don’t be on the public Internet (have an SBC, firewall, NAT in front of the PBX)
Don’t keep the default passwords on the server or PBX
Use Fail2BAN to help block repeated attempts to log in to the server
Change the advertised name of the PBX (so sites like Shodan will not display it; this hides the product name from banner searches, not the open port itself)
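As an added example that is not part of the deck, this is the pair of files that makes the Fail2BAN layer from slides 23 and 32 actually see SIP failures: Asterisk is told to write its security events to their own log, and fail2ban's shipped asterisk jail is pointed at that file. The thresholds are my assumption, not a recommendation from the deck.

```ini
; /etc/asterisk/logger.conf -- added example, not from the deck.
; Send security events (InvalidPassword, InvalidAccountID, FailedACL ...)
; to their own file so the watcher does not have to sift the general log.
[logfiles]
console => notice,warning,error
messages => notice,warning,error
security => security

# /etc/fail2ban/jail.local -- enable fail2ban's own asterisk jail against that file.
# Thresholds are an assumption: 5 failures from one address within 10 minutes
# earn a one-hour ban. Tune them to your phones' re-registration interval.
[asterisk]
enabled  = true
logpath  = /var/log/asterisk/security
maxretry = 5
findtime = 600
bantime  = 3600
```

Apply with `asterisk -rx "logger reload"` and a fail2ban restart, then confirm with `fail2ban-client status asterisk`. Two caveats a practitioner should keep in mind: fail2ban only blocks addresses that fail, so it does nothing against an attacker who already has a valid secret, and a whole branch office behind one NAT address is banned together when a single phone there is left with a stale password.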
33. Incorrect Contexts
Using the from-internal context means all calls on that route or trunk are treated as if they came from an internal phone – with all the rights and privileges that includes:
• Make outbound calls
• Set call forwarding
Combining the two makes it possible to use your PBX as a free long distance phone company
Be generous: use as many contexts as you have different dialing authorities or use cases:
from-sip-provider
from-iax2
from-sales-employees
from-courtesy-phone
34. Be Careful With Dial Commands
In order to enable call transfers, you have to use either the “t” or “T” option of the Dial command (“t” lets the called party transfer, “T” lets the calling party transfer)
Due to lack of understanding by many admins, here is a common configuration mistake:
Doing this opened a way for anyone who dials in to forward their call to any PBX function – including call forwarding, voicemail, etc.
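The two slides above (incorrect contexts and the Dial transfer options) describe one combined failure, so here is one added extensions.conf example of my own, not the deck's configuration, that shows the dangerous combination beside the corrected dialplan. It assumes a sip.conf trunk peer named provider-trunk with context=from-sip-provider; the context names, extension 1001 and the dial patterns (9 for an outside line, 9011 for international) are placeholders.

```ini
; /etc/asterisk/extensions.conf -- added example, not from the deck.
; Assumes sip.conf has [provider-trunk] with context=from-sip-provider.

; --- THE MISTAKE (kept for contrast only; do not deploy) ---
; Trunk context set to from-internal in sip.conf, plus an inbound Dial with 'T'.
; 'T' lets the CALLING party transfer: the outside caller presses the blind
; transfer key (# by default in features.conf) and dials 9011..., and the
; transfer is executed in the calling channel's context, from-internal, which
; includes the outbound routes. The PBX is now their free long distance carrier.
;[from-internal]
;exten => _X.,1,Dial(SIP/1001,30,T)

; --- CORRECTED ---
[from-sip-provider]
; Inbound DIDs land here. No 't'/'T': nobody on this leg may transfer.
exten => _X.,1,NoOp(Inbound call from trunk to DID ${EXTEN})
 same => n,Dial(SIP/1001,30)
 same => n,Voicemail(1001@default,u)
 same => n,Hangup()

[from-internal]
; Staff phones: local extensions plus both outbound routes.
include => local-extensions
include => outbound-domestic
include => outbound-international

[from-courtesy-phone]
; Lobby, break-room and conference phones: internal calls only, no trunk access.
include => local-extensions

[local-extensions]
; 't' lets only the CALLED (internal) party transfer, never an outside caller.
exten => _1XXX,1,Dial(SIP/${EXTEN},30,t)
 same => n,Hangup()

[outbound-domestic]
; 9 followed by a 10-digit number; ${EXTEN:1} strips the leading 9.
exten => _9NXXNXXXXXX,1,Dial(SIP/${EXTEN:1}@provider-trunk,60)
 same => n,Hangup()

[outbound-international]
; 9 011 + country code and number; only phones whose context includes this can dial it.
exten => _9011.,1,Dial(SIP/${EXTEN:1}@provider-trunk,60)
 same => n,Hangup()
```

The design point is that dialing authority is granted by which outbound contexts a phone's context includes, not by the phone, and that transfer options are given only on legs where the party allowed to transfer is one of your own users. Verify it the same way the deck's story was verified: call in from outside on the trunk, press the transfer key and dial an international number; in the corrected dialplan the key does nothing.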
38. Watch the news and follow events
• 2 years ago the European courts killed Safe Harbor, which provided the legal basis for US companies to serve European customers.
• Its replacement, Privacy Shield, went into effect last July. More than 1,500 companies including Apple, Google and Microsoft had agreed to abide by the Privacy Shield agreement, which requires the US Department of Commerce to ensure that American companies are operating in compliance with EU privacy laws.
• It is now in very real danger of unravelling, thanks to an Executive Order on immigration enforcement that Trump signed. Specifically, it's Section 14, which reads:
• Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Full text: https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united
40. More details in free book
More about this topic is in Peerlyst eBook 2 - Essentials of Cybersecurity
• Chapter 9 is Telecom 101
You can download it for free here (requires signup): http://tiny.cc/Cybersecurity
41. Thank You
Contact Me at:
Eric@greenfieldtech.net
Skype: EricLKlein
www.greenfieldtech.net
US +1 805 410 1010
UK +44 291 100 8888
Il +972 73 255 7799
Editor's Notes
They had changed admins and providers and wanted to reconfigure the system to connect to the public internet.
He logged in as he suspected that they would not follow his advice to change the password – they did not
Shodan is like Google for devices rather than web pages.
It has sample searches for things like:
default password - Finds results with "default password" in the banner; the named defaults might work!
Router w/ Default Info - Routers that give their default username/ password as admin/1234 in their banner.
cisco-ios last-modified - Finds Cisco-IOS results that do not require any authentication ;-)
Snom VOIP phones with no authentication - A list of Snom phone management interface without authentication
IPads - IPads. Think different. Think no security.
D-Link Internet Camera - D-Link Internet Camera DCS-5300 series, without authentication. [g00gle 5c0u7]
Anonymous access granted - title says it all, mostly FTP servers would be visible
Routers that provide admin password - Routers that give the default admin / password in their banner