25/01: SIP Security Alert
Just recently we’ve learnt of several automated attacks on IP-based phone systems.
This is the rough sequence of events when an attack occurs:
- The robot sends a SIP INVITE to the target IP address on the standard SIP port, 5060 UDP (I don’t know how it decides which addresses to attack in the first place).
- If it receives a SIP error response then it knows that it is dealing with a SIP agent. Beginning at 200, it repeatedly sends SIP REGISTER requests, using the extension number as the password. The two that I’ve seen tried all extensions between 200 and 9999.
- If there are any extensions with SIP passwords the same as the extension number then the robot will register with the PBX and make a very short call (just a couple of seconds) to test connectivity.
- If the call is successful the robot disconnects.
- It returns and re-registers on Friday evening at about 18:00 local time and then it starts as many calls as your PBX will allow, all to the same premium rate number. The two we’ve seen called numbers in Sierra Leone.
The scam is that the owners of the robot also own the premium rate line so they are effectively siphoning money from you to them.
The two cases that we’ve actually investigated both burnt about £4500 in the course of about 24 hours of constant calling. In both cases the user/owner of the PBX was running one or more extensions with passwords set to the same value as the extension number.
This is a pretty serious problem but it’s very easy to guard against provided you use passwords which are different to the extension number. Releases of SARK starting from V2.1.14 generate strong passwords for your extensions when you create them. You will also be OK if you use some secret password that isn’t the same as the extension number.
If you do have extensions with passwords the same as the extension then we would strongly recommend that you change them as soon as possible in order to survive any attacks you may receive.
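One way to check an existing system for the weakness described above, as an added example that is not code from SARK or from the original post. It assumes extensions are defined in an Asterisk-style `sip.conf` layout (`[extension]` sections with `secret=` lines); the sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample. The Asterisk-style sip.conf layout is an assumption;
# the page does not show how SARK stores extension secrets.
SAMPLE_CONF = r"""
[general]
bindport=5060

[200]
type=friend
secret=200        ; identical to the extension number
host=dynamic

[201](phones)
secret = kX9f3LqP27vTz

[4501]
SECRET=4501

[4502]
secret=4501       ; numeric, but not this extension's own number
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
SECRET = re.compile(r"^secret\s*=\s*(.*)$", re.IGNORECASE)
COMMENT = re.compile(r"(?<!\\);.*$")   # ';' starts a comment unless escaped

def weak_extensions(conf_text):
    """Return numeric extensions whose secret equals the extension number."""
    weak, current = [], None
    for raw in conf_text.splitlines():
        line = COMMENT.sub("", raw).strip()
        section = SECTION.match(line)
        if section:
            name = section.group(1).strip()
            # Only numeric sections are extensions; skip [general] and similar.
            current = name if name.isdecimal() else None
            continue
        secret = SECRET.match(line)
        if secret and current is not None and secret.group(1).strip() == current:
            weak.append(current)
    return sorted(set(weak), key=int)

if __name__ == "__main__":
    for ext in weak_extensions(SAMPLE_CONF):
        print(f"extension {ext}: secret equals extension number, change it")
```

Secrets inherited from a template section are not resolved here, so an extension that takes its password from a template still needs checking by hand.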
Resetting the base station using a key on the base station
All individual settings are reset. Warning: your phone will not function after this process and will need to be set up again.
The system PIN will also be reset to "0000" and all additional handsets de-registered.
Steps:
- Remove the cable connections from the base station, both network and phone.
- Remove the base station mains adapter from the socket.
- Press and hold the blue registration/paging button.
- Plug the mains adapter back into the power socket.
- Keep holding the blue registration/paging key (at least 10 sec.).
- Release the registration/paging key. The base station has now been reset.
You then need to start again with your device as if just delivered. You need to enter all SIP details and register handsets.

