2011/08/01

VoIP can be a dangerous game

Many businesses are starting to deploy or already have deployed IP PBX's (private branch exchanges) which are the guts of VoIP that route calls to local telephones or allow employees to make external calls.

Companies will either run the IP PBX themselves or even deploy remotely in a data centre (generally for a multisite company) or run a hosted system from a VoIP company.

Unfortunately if these systems aren't deployed carefully it can be easy for 'hackers' to connect to them and make out-going phone calls which can rapidly generate huge bills (they tend to target international premium rate numbers that they control, or just are used to route calls for 3rd parties).

Asterisk is a very commonly used open source IP PBX and in the past, the default SIP configuration allowed open access (this has been closed in newer releases). Many IP PBX's will also have open VoIP/SIP access (i.e. unauthenticated remote access - which allows remote users to dial internal extensions, however without having a sensible dial-plan these users can do outward dialling too).

In some cases the VoIP configurations will only allow secure connections, but the web configuration will have default credentials, so a remote attacker can just go in and create a new VoIP user which they then use to outward dial.

A company suffered such an attack over the weekend and was faced with a bill for £12,000+ worth of phone calls.

Though the company was to blame for not securing the web interface, the telephony provider (which could be a normal PSTN provider i.e. someone who provides traditional fixed line services or a VoIP provider) should have provision to check for unusual traffic patterns. So if normally calls are just made to the UK, they should block calls if there's suddenly a large volume to international numbers.

Any company getting a new phone system should check their provider offers such checks or they could be faced with large bills that they'll be liable for.

No comments: