New SPA2100/2102/1001 exploit in the wild?

Hey all, I am seeing my fraud-o-meter tick up as of yesterday and it all seems to be driven by accounts attached to these devices. We have taken measures to start locking this down but I am wondering if anyone out there is seeing similar. It looks like somehow legacy devices that have been deployed for 5+ years are having accounts lifted out of them. Does anyone have info on this exploit, or if you are seeing this as well and want to compare notes feel free to ping me. Thanks, -Ryan

Are you making certain that they aren't publicly accessible w/default user name password? Also check your device provisioning server and make certain that indexing isn't enabled. Someone could be browsing through your config files and lifting them from there but I think the configuration files are all binary and not text readable.
David Thompson
Network Services Support Technician
(O) 858.357.8794 (F) 858-225-1882 (E) dthompson at esi-estech.com (W) www.esi-estech.com
-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Ryan Delgrosso
Sent: Monday, October 14, 2013 4:09 PM
To: voiceops at voiceops.org
Subject: [VoiceOps] New SPA2100/2102/1001 exploit in the wild?
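A defender's check for the directory-indexing point raised above, added here as an example and not taken from the thread: it parses the HTML a provisioning server returns for its profile directory and reports whether it is an index listing and which per-device config files are exposed. The HTML, path and file names are constructed sample data; the MAC-in-filename pattern is an assumption about how per-device profiles are commonly named.

```python
# Added example (not from the thread). Audits a provisioning server's
# directory page offline: flags an enabled index listing and lists the
# device config files it exposes. Sample HTML below is constructed.
import re
from html.parser import HTMLParser

CONFIG_EXTENSIONS = (".cfg", ".xml", ".txt")
# Assumption: per-device profiles are named after the unit's MAC address.
MAC_NAMED = re.compile(r"^[a-z]*[0-9a-f]{12}\.(cfg|xml|txt)$", re.I)


class _LinkCollector(HTMLParser):
    """Collect the page title and every <a href> on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.title, self._in_title = [], "", False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_listing(html):
    """Return {'listing': bool, 'configs': [...], 'per_device': [...]}."""
    p = _LinkCollector()
    p.feed(html)
    # Apache/nginx-style auto-index pages: "Index of" title, parent link, sort links.
    listing = bool(re.search(r"index of", p.title, re.I)) or "../" in p.hrefs \
        or any(h.startswith("?C=") for h in p.hrefs)
    names = {h.rsplit("/", 1)[-1] for h in p.hrefs}
    configs = sorted(n for n in names if n.lower().endswith(CONFIG_EXTENSIONS))
    per_device = [n for n in configs if MAC_NAMED.match(n)]
    # Remediation on Apache is "Options -Indexes" for the profile directory.
    return {"listing": listing, "configs": configs, "per_device": per_device}


# Constructed sample of an auto-index page; the MAC-style names are fake.
SAMPLE_LISTING = """<html><head><title>Index of /provision</title></head>
<body><pre><a href="../">Parent Directory</a>
<a href="spa001122334455.cfg">spa001122334455.cfg</a>
<a href="spa00aabbccddee.xml">spa00aabbccddee.xml</a>
<a href="README">README</a></pre></body></html>"""

if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING))
```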

Seeing something similar with the new 112/122. They are locked down hard yet still getting hacked.
On Oct 14, 2013, at 18:08, Ryan Delgrosso <ryandelgrosso at gmail.com> wrote:

Anthony, What details do you have? Are the calls actually originating from the devices or are the credentials just getting lifted from them somehow? Feel free to reply off-list if you don't want it public but I would like to see if any info could be mutually beneficial.
On 10/14/2013 05:23 PM, Anthony Orlando wrote:
Seeing something similar with the new 112/122. They are locked down hard yet still getting hacked.

So just some additional information on this since I know a few others were seeing security issues with these devices. I have recently discovered that Cisco recently terminated the last 40 engineers responsible for maintaining the SPA codebase (SPA ATAs and IP phones and the new SPA112/122). This was done to free up the budget to build a replacement product that will work more closely with their hosted call manager product and less with 3rd party SIP which isn't due for several years. They will of course continue to sell the SPA products but you may have issues if you need anything custom done or need factory provisioning. I found the timing of these events slightly curious as well. Take this for what you will and if anyone out there has more information please feel free to chime in.
On 10/14/2013 04:08 PM, Ryan Delgrosso wrote:

On that note. I just met with Cisco at the bsft connections show. And they told me they were "recommitting" to the service provider market with an esbc nano cube and handsets certification on the bworks in 3 weeks.
Shripal
On Oct 18, 2013, at 5:33 PM, Ryan Delgrosso <ryandelgrosso at gmail.com> wrote:

On 19/10/13 02:10, Shripal Daphtary wrote:
On that note. I just met with Cisco at the bsft connections show. And they told me they were "recommitting" to the service provider market with an esbc nano cube and handsets certification on the bworks in 3 weeks.
What do you mean by `esbc nano cube`? It would be a shame if the SPA engineers have been terminated. Very competent product which has been in the market relatively unchanged for many years. Favoured by service providers for its secure provisioning and robust SIP operations. They don't break or do weird stuff too often.
Tim

Cisco used the cube as an Enterprise SBC when deploying the call manager. Now they came out with this product called the nano cube for service providers like bsft service providers. It's like competition to the Edgewater product line I would imagine. Anyway, they say that they will use this device to have local survivability and monitoring resources and also as a proxy. They also stated that they would announce the Cisco 8900s support on the bworks. I have my doubts on that though because all indications otherwise seem to contradict that. Just relaying what they said to me.
Shripal
On Oct 19, 2013, at 4:42 AM, Tim Bray <tim at kooky.org> wrote: