
We have not specifically seen this; however, we have played around with several of our SIP devices by setting them as public and poking holes in firewalls for direct IP dialing. With what we use, I think the worst we have seen is customers making them available and having them hacked and forwarded to international numbers (another thing to block by default). My suggestion is always use a firewall (or a private VLAN/network if you're an ISP, etc.).
Brian
Date: Fri, 27 Sep 2013 14:00:58 -0500
From: joquendo at e-fensive.net
To: peeip989 at gmail.com
CC: voiceops at voiceops.org
Subject: Re: [VoiceOps] Phone hack
On Fri, 27 Sep 2013, PE wrote:
Greetings!
We have a customer whose users work from home over the local broadband carrier. They have 3 users who have complained of similar circumstances, where they are receiving multiple calls from caller IDs such as "100(100)", "101(101)", and "1001(1001)". We show no record of these calls, either from CDRs, logs, or SIP captures, so it seems that there is an outside party sending SIP directly to the (Polycom) handsets.
Anyone seen this? Any idea if there is a particular security hole being attempted? Assuming the users cannot control their broadband router, any suggestions on how to better lock this down?
Thanks
I, and I'm sure others, have seen this before. There are ways to fix it, things to look for. However, I (and I'm sure others will agree) find it helps when we can identify whom we are talking to. It's commonly known that attackers also browse, and subscribe to, many lists in search of who is watching them, who is stopping them, and how. This is not to say you're running amok with sipvicious causing havoc...
So to answer your question as broadly asked:
1) Yes, I have seen these scans hit handsets.
2) It would never make your CDR since it is sent directly to a SIP device (phone, ATA, etc.).
3) You're likely capturing on the PBX/SBC side, which it never hits, so your packet capture is a moot point.
4) Don't want to name possibly affected vendors.
5) Your SIP devices (phones, ATAs, etc.) should not be exposed to the world. If someone is hitting a device that is behind, say, NAT/FW/etc. (non-public IP addr) then you may have bigger problems.
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
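Both replies above make the same operational point: an INVITE sent straight to a handset never passes the PBX or SBC, so it shows up in no CDR and in no capture taken on the provider side, and the only real fix is to stop the handset from being reachable by anyone but its own proxy. The script below is an added example written for this thread (it is not code from either poster, from Polycom, or from the VoiceOps list) showing what a check on the phone side looks like once you do have a capture from there (tcpdump on the home router, a port mirror, etc.). It parses each SIP request, keeps only INVITEs (the method that actually rings the phone), and flags any INVITE whose source address is not the customer's registrar/SBC, annotating it with the caller ID the phone would display and with the "friendly-scanner" User-Agent that SIPVicious is known to send. The trusted proxy range (203.0.113.0/24), the handset address (192.0.2.50) and the captured messages are all constructed placeholders for the example, not values from the thread.

```python
"""Flag SIP INVITEs that reached a handset directly instead of via the provider's proxy.

Added example for the VoiceOps "Phone hack" thread; not code from the thread.
Input is assumed to be a phone-side capture exported as (source_ip, raw_sip_text) pairs.
"""
import re
from ipaddress import ip_address, ip_network

# Hypothetical: the only addresses that should ever send an INVITE to the
# handset are the provider's registrar/SBC. 203.0.113.0/24 is a placeholder.
TRUSTED_SIP_SOURCES = [ip_network("203.0.113.0/24")]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z-]+)\s*:\s*(?P<value>.*)$")
# From: "100" <sip:100@198.51.100.77>;tag=2  ->  display name and user part
FROM_ADDR = re.compile(r'(?:"(?P<display>[^"]*)"\s*)?<?sip:(?P<user>[^@>;]+)@')


def parse_sip(raw):
    """Parse the request line and headers of one SIP message; None if not a request."""
    lines = [line.rstrip("\r") for line in raw.split("\n")]
    start = REQUEST_LINE.match(lines[0])
    if not start:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        h = HEADER_LINE.match(line)
        if h:
            headers[h.group("name").lower()] = h.group("value")
    return {"method": start.group("method"), "uri": start.group("uri"), "headers": headers}


def caller_id(headers):
    """Render the From header the way the handset would show it, e.g. '100(100)'."""
    m = FROM_ADDR.search(headers.get("from", ""))
    if not m:
        return None
    display = m.group("display") or m.group("user")
    return "%s(%s)" % (display, m.group("user"))


def is_trusted_source(src_ip):
    ip = ip_address(src_ip)
    return any(ip in net for net in TRUSTED_SIP_SOURCES)


def classify(src_ip, raw):
    """Return a verdict for one INVITE, or None for anything that is not an INVITE."""
    msg = parse_sip(raw)
    if msg is None or msg["method"] != "INVITE":
        return None
    caller = caller_id(msg["headers"])
    notes = []
    ua = msg["headers"].get("user-agent", "")
    if "friendly-scanner" in ua.lower():    # User-Agent string SIPVicious sends
        notes.append("scanner user-agent")
    if caller and re.fullmatch(r"\d{1,4}", caller.split("(")[0]):
        notes.append("bare numeric extension as caller ID")
    return {
        "src": src_ip,
        "caller": caller,
        "direct": not is_trusted_source(src_ip),   # never touched the PBX/SBC
        "notes": notes,
    }


def scan(capture):
    """Return one alert per INVITE that did not arrive from a trusted proxy."""
    alerts = []
    for src_ip, raw in capture:
        verdict = classify(src_ip, raw)
        if verdict and verdict["direct"]:
            alerts.append(verdict)
    return alerts


# Constructed sample capture: a legitimate call from the SBC, a direct scan
# hitting the handset at 192.0.2.50, and an OPTIONS probe that does not ring.
SAMPLE_CAPTURE = [
    ("203.0.113.10",
     "INVITE sip:201@192.0.2.50 SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.10:5060\r\n"
     "From: \"Alice\" <sip:alice@example.net>;tag=1\r\nTo: <sip:201@192.0.2.50>\r\n"
     "Call-ID: a1@203.0.113.10\r\nUser-Agent: ProviderSBC/1.0\r\n\r\n"),
    ("198.51.100.77",
     "INVITE sip:100@192.0.2.50 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.77:5060\r\n"
     "From: \"100\" <sip:100@198.51.100.77>;tag=2\r\nTo: <sip:100@192.0.2.50>\r\n"
     "Call-ID: b2@198.51.100.77\r\nUser-Agent: friendly-scanner\r\n\r\n"),
    ("198.51.100.77",
     "OPTIONS sip:192.0.2.50 SIP/2.0\r\nFrom: \"100\" <sip:100@198.51.100.77>\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print("direct INVITE from %s as %s %s" % (alert["src"], alert["caller"], alert["notes"]))
```

The source-address test is the one that matters; the caller-ID and User-Agent notes are context for the on-call engineer, not the trigger, since a real internal call can legitimately show a three-digit extension. The same allowlist is what the home router's firewall should enforce in front of the phone: permit UDP/TCP 5060 (and the RTP range) only from the provider's SBC addresses and drop everything else, which is the firewall advice from the first reply turned into a rule.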