Send VoiceOps mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."


Today's Topics:

   1. Phone hack (PE)
   2. Re: Phone hack (David Thompson)
   3. Re: Phone hack (Anthony Orlando)
   4. Re: Phone hack (J. Oquendo)
   5. Re: Phone hack (Brian R)


----------------------------------------------------------------------

Message: 1
Date: Fri, 27 Sep 2013 13:46:02 -0400
From: PE <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [VoiceOps] Phone hack
Message-ID:
        <CAHm=SaJyWY0_pmojy91AbKW9qk2uyqm38wJnmBVXRFqAN7O=j...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Greetings!

We have a customer whose users work from home over the local broadband
carrier. They have 3 users who have complained of similar circumstances,
where they are receiving multiple calls from caller ID such as "100(100)",
"101(101)", and "1001(1001)". We show no record of these calls, either
from CDRs, logs, or SIP captures, so it seems that there is an outside
party sending SIP directly to the (Polycom) handsets.

Anyone seen this? Any idea if there is a particular security hole being
attempted? Assuming the users cannot control their broadband router, any
suggestions on how to better lock this down?

Thanks

------------------------------

Message: 2
Date: Fri, 27 Sep 2013 12:13:23 -0700
From: David Thompson <[email protected]>
To: PE <[email protected]>, [email protected]
Subject: Re: [VoiceOps] Phone hack
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"

I have seen this before, yes. Very low risk on Polycoms to my knowledge; what
they are attempting to do is see if this is an open or exploitable SIP
proxy to commit toll fraud. Disable SIP ALG on the router and reboot the
Polycoms if possible; they are most likely getting port scanned and someone
is seeing a device answering on 5060. If the SIP ALG cannot be disabled,
consider replacing the router with something that supports this
functionality. Here is something that's super useful in checking to see if
something is there and answering to SIP requests.

http://blog.sipvicious.org/

David Thompson
Network Services Support Technician
(O) 858.357.8794
(F) 858-225-1882
(E) [email protected]
(W) www.esi-estech.com


------------------------------

Message: 3
Date: Fri, 27 Sep 2013 12:25:51 -0700 (PDT)
From: Anthony Orlando <[email protected]>
To: David Thompson <[email protected]>, PE
        <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Phone hack
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="utf-8"

Also make sure the phones don't have the default 456 password. In some versions
the SIP credentials are not hashed out, and in other versions, even if they are
hashed, if you inspect the element you can see the password.

------------------------------

Message: 4
Date: Fri, 27 Sep 2013 14:00:58 -0500
From: "J. Oquendo" <[email protected]>
To: PE <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Phone hack
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

I, and I'm sure others, have seen this before. There are
ways to fix it, things to look for. However (and I'm sure
others will agree), it helps when we can identify whom we
are talking to. It's commonly known that attackers also
browse, and subscribe to many lists in search of who is
watching them, and who is stopping them, and how. This is
not to say you're running amok with sipvicious causing
havoc...

So to answer your question as broadly asked:

1) Yes I have seen these scans hit handsets
2) It would never make your CDR since it is sent directly
   to a SIP device (phone, ATA, etc)
3) You're likely capturing on the PBX/SBC side, which it
   never hits so your packet capture is a moot point
4) Don't want to name possibly affected vendors.
5) Your SIP devices (Phones, ATAs, etc) should not be
   exposed to the world. If someone is hitting a device
   that is behind say NAT/FW/etc. (non-public IP addr) then
   you may have bigger problems.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
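As an added illustration of points 2, 3 and 5 above (a direct-to-handset scan never reaches the PBX or SBC, so the only place to see it is the phone's own LAN), this Python check is not from the thread: it flags INVITEs that arrive from anything other than the provider's SIP proxy. The proxy address, the sample SIP messages and the "100(100)" caller-ID heuristic are constructed assumptions.

```python
"""Flag SIP INVITEs that reach a handset from anything other than the
provider's proxy.  A direct-to-device scan never shows up in PBX CDRs or
an SBC capture, so this runs on traffic captured on the phone's own LAN.
Added example; proxy address, sample messages and heuristic are assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROVIDER_PROXY = "203.0.113.10"  # assumed proxy address (RFC 5737 doc range)
REQ_RE = re.compile(r"^([A-Z]+)\s+sips?:\S+\s+SIP/2\.0")
FROM_RE = re.compile(r'^From:\s*(?:"?([^"<]*?)"?\s*)?<sips?:([^@>]+)@', re.I | re.M)

@dataclass
class Finding:
    src_ip: str
    display: str
    user: str
    reason: str

def inspect(src_ip: str, msg: str) -> Optional[Finding]:
    """Return a Finding for an INVITE from a non-proxy source, else None."""
    req = REQ_RE.match(msg)
    if not req or req.group(1) != "INVITE" or src_ip == PROVIDER_PROXY:
        return None  # not a call setup, or it came via the expected path
    frm = FROM_RE.search(msg)
    display = (frm.group(1) or "").strip() if frm else ""
    user = frm.group(2) if frm else ""
    reason = "INVITE from source other than provider proxy"
    # bare numeric user with empty/identical display name renders as "100(100)"
    if user.isdigit() and display in ("", user):
        reason += "; numeric-extension caller ID typical of SIP probing"
    return Finding(src_ip, display, user, reason)

def scan(packets: List[Tuple[str, str]]) -> List[Finding]:
    return [f for f in (inspect(ip, m) for ip, m in packets) if f]

def sip(method: str, from_hdr: str, src: str) -> str:
    # builds a minimal constructed SIP request (test data only)
    return (f"{method} sip:1001@192.0.2.20 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bKabc\r\n"
            f"From: {from_hdr};tag=1\r\nTo: <sip:1001@192.0.2.20>\r\n"
            f"Call-ID: c1@{src}\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")

SAMPLE = [  # constructed traffic as captured on the handset's LAN
    (PROVIDER_PROXY, sip("INVITE", '"Alice" <sip:alice@example.net>', PROVIDER_PROXY)),
    ("198.51.100.7", sip("OPTIONS", '"100" <sip:100@198.51.100.7>', "198.51.100.7")),
    ("198.51.100.7", sip("INVITE", '"100" <sip:100@198.51.100.7>', "198.51.100.7")),
]
```

Running scan(SAMPLE) reports only the third message; a legitimate call routed via the proxy and a bare OPTIONS probe are left alone.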


------------------------------

Message: 5
Date: Fri, 27 Sep 2013 13:36:32 -0700
From: Brian R <[email protected]>
To: voiceops <[email protected]>
Subject: Re: [VoiceOps] Phone hack
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

We have not specifically seen this; however, we have played around with several
of our SIP devices by setting them as public and poking holes in firewalls for
direct IP dialing.
With what we use I think the worst we have seen is customers making them
available and having them hacked and FWD to international numbers (another
thing to block by default).

My suggestion is always use a firewall (or private VLAN/network if you're an ISP,
etc).

Brian

------------------------------


------------------------------

End of VoiceOps Digest, Vol 51, Issue 8
***************************************
