Asterisk SIP Security – Vishing Attacks

Vishing

Near the end of last year (December 2008), the U.S. Federal Bureau of Investigation warned of a variation of a new type of vishing attack.

By exploiting a bug in the open-source Asterisk VoIP software, criminals have been able to use vulnerable Asterisk systems as their own personal auto-dialers and call potential victims directly. The attack can generate "thousands of vishing telephone calls to consumers within one hour," the FBI said in an advisory posted to the Internet Crime Complaint Center (IC3).

The FBI is urging Asterisk users to upgrade their software immediately so that their VoIP systems are not vulnerable to this bug.

SIP Security and Asterisk

Since the start of 2009, several clients to whom we provide Asterisk support services have become victims of a "vishing" attack.

After looking at the situation – and plugging the security hole (more about this later) – here is a recent warning from the IC3 (Internet Crime Complaint Center).

The Digium Patch

The SIP security hole referred to in the above warning has been patched in all recent releases of Star*PBX (version 1.2.3 and above). However, since the attacks are real, something else is clearly going on.

Two Distinct Attack Vectors

Any Asterisk-based PBX that has not been updated remains vulnerable to the SIP channel exploit. This means the attacker can – at will – find out SIP "secrets" and the like, and take over the box. I have seen several examples of this over the last two weeks. None of those involved Star*PBX, but another Asterisk-based PBX system.

We also had a Star*PBX system come under attack. This attack had nothing to do with the SIP channel vulnerability, since that hole was not present. In this case the vulnerability was an insecure – i.e. easy to crack – SIP secret. If the SIP extension number can easily be guessed and the SIP "secret" is easy to crack, a brute-force password-guessing attack will likely succeed. The solution is simply to change the SIP "secret" to something more complex. This indeed proved effective.

In the case of the "older" Asterisk systems, unfortunately, this was no help: even the complex password was – somehow – instantly known to the attacker.

The solution – temporary at best – was to have the dialplan amended to allow outbound calls only to a limited set of area codes. The long-term solution is to upgrade the PBX. It can still be Asterisk-based, so the investment in infrastructure (wiring, phones, etc.) can be preserved. Our suggestion for an upgrade would – of course – be Star*PBX.
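To make the two mitigations above concrete (a hard-to-guess SIP secret for the extension, and a dialplan that lets outbound calls reach the trunk only for an allow-list of area codes), here is an Asterisk configuration fragment added for this page; it is not the author's or Star*PBX's configuration. The peer name 2001, the trunk name sip-trunk, the context name and the three allowed area codes are placeholder assumptions.

```ini
; sip.conf (added example; peer name, trunk and secret are placeholders)
[general]
; Return the same rejection for an unknown user and for a wrong password,
; so a guessing attack cannot first learn which extensions exist.
alwaysauthreject=yes

[2001]
type=friend
host=dynamic
; secret=2001            ; WEAK: same as the extension number, trivially guessed
secret=PLACEHOLDER-replace-with-a-long-random-value
; Every outbound call from this phone lands in the restricted context below.
; Do not "include =>" an unrestricted context from it, or the check is bypassed.
context=outbound-restricted

; extensions.conf
[outbound-restricted]
; 11-digit NANP numbers (1 + area code + 7 digits; N = 2-9, X = 0-9) are
; checked against an allow-list of area codes before the trunk is dialled.
exten => _1NXXNXXXXXX,1,NoOp(Outbound call to ${EXTEN} from ${CALLERID(num)})
exten => _1NXXNXXXXXX,n,Set(AREA=${EXTEN:1:3})
exten => _1NXXNXXXXXX,n,GotoIf($[${REGEX("^(212|718|917)$" ${AREA})}]?allowed:blocked)
exten => _1NXXNXXXXXX,n(allowed),Dial(SIP/${EXTEN}@sip-trunk,60)
exten => _1NXXNXXXXXX,n,Hangup()
exten => _1NXXNXXXXXX,n(blocked),NoOp(Blocked call to area code ${AREA})
exten => _1NXXNXXXXXX,n,Playback(ss-noservice)
exten => _1NXXNXXXXXX,n,Hangup()

; Anything else (international 011..., premium numbers, short codes) never
; reaches the trunk: the more specific pattern above wins when it matches,
; and this catch-all refuses the rest.
exten => _X.,1,NoOp(Rejected outbound pattern ${EXTEN})
exten => _X.,n,Playback(ss-noservice)
exten => _X.,n,Hangup()
```

A compromised extension can then only place calls to the listed area codes, which limits the damage of a successful secret guess until the PBX itself is upgraded.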