Asterisk Vishing Attacks "Endemic" 141

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"
  • Vishing (Score:3, Informative)

    by camperdave ( 969942 ) on Wednesday October 28, 2009 @11:55AM (#29898335) Journal

    Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP)

    http://en.wikipedia.org/wiki/Vishing [wikipedia.org]

    Either that or it's an old world ethnic pronunciation of the word "wishing".

  • by tsm_sf ( 545316 ) on Wednesday October 28, 2009 @12:15PM (#29898607) Journal
    Or, as I preach to older relatives just getting into computers:

    You go to your bank, your bank doesn't come to you.
  • by Deanalator ( 806515 ) <pierce403@gmail.com> on Wednesday October 28, 2009 @12:21PM (#29898677) Homepage

    I was getting a recorded message from a spoofed cid at 000-000-0000 and would always kill the call as I saw it come in. Turns out it was my gas company trying to resolve some billing issues.

    A note to all "legit" businesses out there, blocked numbers and especially spoofed cids are super sketchy, don't do it.

  • by oldspewey ( 1303305 ) on Wednesday October 28, 2009 @12:24PM (#29898717)
    The solution to phone spammers is - oh the irony - to use more asterisk. With a little creativity [voiptechchat.com] you can keep telemarketers busy without even picking up the phone.
  • Re:Vishing? (Score:3, Informative)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Wednesday October 28, 2009 @01:05PM (#29899277) Homepage

    vishing is what Dracula does on his holidays.

  • Re:Complete crap (Score:2, Informative)

    by screeble ( 664005 ) <jnfuller@g[ ]l.com ['mai' in gap]> on Wednesday October 28, 2009 @01:25PM (#29899593)

    Agreed. Couple that fact with the fact that a lot of the repos I've seen are built off of older iterations of the Asterisk code and it's a recipe for disaster. For example, Ubuntu has Asterisk 1.4.21.2 in the repository right now. This is directly exploitable:

    http://downloads.asterisk.org/pub/security/AST-2009-003.pdf [asterisk.org]

    If you run code out of repos without understanding the risks that's still an admin fail, though. Not the fault of Asterisk, per se.

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Wednesday October 28, 2009 @02:44PM (#29900821)
    Comment removed based on user account deletion
  • Re:Complete crap (Score:2, Informative)

    by diego.viola ( 1104521 ) on Wednesday October 28, 2009 @02:50PM (#29900903)
    Linux is ok for carrier-grade in my opinion, at least it's very stable and performs well.

    I can't say the same about Asterisk really because I had many bad experiences with it; some of these bad experiences include deadlocks, crashes, transcoding problems, corrupted sound issues, etc.

    I work in the telecom industry as well and I was an Asterisk user who migrated to FreeSWITCH for the reasons that it is more stable and performs better. I have also worked for companies such as Teliax Inc, etc. I'm also starting my own company for offering VoIP/telecommunication services and I'm going to use Linux and FreeSWITCH; some of these companies (Teliax Inc, Flowroute, etc.) have also moved to FreeSWITCH for the same reasons.

    I recommend that you look at FreeSWITCH if you are in the VoIP industry; you will be amazed at how great it is.
  • by Rememberthisname ( 464554 ) on Wednesday October 28, 2009 @05:03PM (#29902581)

    So as is unfortunately typical, some of the quotes I made have of course been taken out of proportion. My quote was not that "Asterisk attacks are endemic", but that SIP-based brute force attacks are endemic. Every SIP system that is open to the "public" Internet is seeing large numbers of brute-force attacks. Sites that have weak username and weak password control will be compromised - this is little different than email accounts being taken over by password-guessing systems and used for sending floods of email. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly. I hear reports of these types of attacks now all the time - it's not unusual, and it's not just Asterisk. We had a blog about this a year ago; this is just a re-packaging of the same news a year later, when recently I unsurprisingly said that attacks are no longer even newsworthy because they're so frequent (hence, the term "endemic".) Apparently, not being newsworthy means... it's newsworthy!

    This has little to do with Asterisk other than it happens to be the most prevalent SIP-based platform on the Internet currently. It has everything to do with protocol attacks by script kiddies, or more professional attackers. Bad passwords = easy penetration. The upside on this is that it yet again gets the attention of administrators who might not otherwise know that their password of '1234' might be guessed by criminal users.

    The bug that was mentioned? Old news. Really, really old news. And really not even that much of a threat for most people the way they have their systems configured even if they haven't upgraded.

    Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya - they're all vulnerable to the brute force attacks if adequate network and username/password security is not implemented. There are ways to minimize, if not eliminate these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)

    Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of its GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins. It's really not something that can be done in the core of Asterisk; it has to be done by whatever is the layered UI on top of Asterisk for configuration, or just by good policy.

    http://blogs.digium.com/2009/03/28/sip-security/ [digium.com]
    http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/ [digium.com]

    John Todd - jtodd@digium.com
    Digium, Inc.
    Asterisk Open Source Community Director
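
John Todd's point above is that the real problem is SIP brute forcing, and that "adequate exception logging" is one of the standard controls. As an added example (not code from this thread, from Digium or from the Asterisk project), here is a small Python tally over the chan_sip registration-failure NOTICE lines Asterisk 1.4/1.6 write to its log, which separates one user's mistyped password from a single address walking through many usernames; the log excerpt is constructed and the failure threshold is an assumed value.

```python
import re
from collections import defaultdict

# Registration-failure NOTICE emitted by chan_sip in Asterisk 1.4/1.6; the
# trailing reason tells a wrong password apart from username enumeration.
FAIL_RE = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<ident>[^']*)' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def failed_registrations(lines):
    """Tally failed REGISTERs per source IP: count, identities tried, reasons."""
    per_ip = defaultdict(lambda: {"count": 0, "idents": set(), "reasons": set()})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful registrations and unrelated lines are ignored
        entry = per_ip[m.group("ip")]
        entry["count"] += 1
        entry["idents"].add(m.group("ident"))
        entry["reasons"].add(m.group("reason"))
    return per_ip

def brute_force_sources(lines, threshold=5):
    """(ip, failures, distinct identities) for IPs at or above the assumed
    threshold, worst first. Many identities from one IP is enumeration, not a typo."""
    hits = [(ip, e["count"], len(e["idents"]))
            for ip, e in failed_registrations(lines).items()
            if e["count"] >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample excerpt in that log format (not from any real PBX):
# 198.51.100.7 walks through guessed extensions, 192.0.2.10 is one user's typo.
SAMPLE_LOG = """\
[Oct 28 12:00:01] NOTICE[2891] chan_sip.c: Registration from '"100"<sip:100@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Oct 28 12:00:01] NOTICE[2891] chan_sip.c: Registration from '"101"<sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Oct 28 12:00:02] NOTICE[2891] chan_sip.c: Registration from '"admin"<sip:admin@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Oct 28 12:00:02] NOTICE[2891] chan_sip.c: Registration from '"200"<sip:200@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Oct 28 12:00:03] NOTICE[2891] chan_sip.c: Registration from '"1234"<sip:1234@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Oct 28 12:00:03] NOTICE[2891] chan_sip.c: Registration from '"test"<sip:test@203.0.113.5>' failed for '198.51.100.7:5060' - Username/auth name mismatch
[Oct 28 12:04:10] NOTICE[2891] chan_sip.c: Registration from '"300"<sip:300@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Oct 28 12:04:11] VERBOSE[2891] chan_sip.c:     -- Registered SIP '300' at 192.0.2.10 port 5060
"""

if __name__ == "__main__":
    for ip, failures, idents in brute_force_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {failures} failed REGISTERs across {idents} identities")
```

A source that trips the threshold with many distinct identities is a candidate for the ACL or rate-limit John Todd lists; a single failure from a known peer's own address is the kind of line that should stay in the log but not page anyone.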

  • Re:Complete crap (Score:2, Informative)

    by screeble ( 664005 ) <jnfuller@g[ ]l.com ['mai' in gap]> on Wednesday October 28, 2009 @06:07PM (#29903331)

    Have you looked at http://packages.digium.com/ [digium.com] or maybe about checking out the svn branch for the version you are using?

    You didn't say what distro you use but if it's YUM-capable that might be an option.

    Personally, I'm against precompiled binaries for Asterisk. Asterisk source doesn't have any configs at all other than samples. It's up to the admin to correctly configure the server. I like sticking to SVN as it allows me to make changes and also stay up to date. It's not perfect and I highly advise regression testing the code if you go that route, as svn does sometimes break. Just stay out of the bleeding-edge branches.

    IMHO the biggest mistake someone can make with Asterisk and security is downloading the source and doing the "make install samples" portion of the install. It seems like often those are the generic confs I've run across when looking at a pre-existing repo version.

    Hand-tuned confs don't load needless modules and also eliminate a lot of security holes. Running asterisk -c over and over again until you get things working does actually suck but in the end is worth the effort. I wonder how many installs out there still have the stupid demo cruft in their production dialplans?
