VoIP: The Danger of Open Ports

Wednesday, January 25, 2012

Simon Heron


Redscan engineers recently carried out a test. They installed a Sipera UC-Sec 100 appliance behind a firewall on our test network and left the SIP ports, TCP 5060 and 5061, open to the internet.

The aim was to see how long it would take for the system to be attacked. Over a series of tests, it took from 24 to 48 hours for the Sipera system to come under attack.

The usual approach was a “Registration” attack, in which the hacker or bot attempts to authenticate itself with the PBX. These attempts are reported as “Routing Failures” and can be seen below.

Figure: Log of Registration Attack

The Sipera UC-Sec 100 device is designed to withstand such attacks, but many IP-PBXs are not. If these attacks had been launched against an undefended and vulnerable system, it would have been possible for the hacker to register as an authorised user of the system.
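An added example, not part of the original post and not the Sipera appliance's own logic: one way to spot this registration pattern in PBX or SIP proxy logs by counting failed REGISTER attempts per source in a sliding window. The log format, thresholds and sample lines are constructed assumptions, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO time> <source IP> REGISTER <extension> <SIP status>"
LINE = re.compile(r"^(\S+) (\S+) REGISTER (\S+) (\d{3})$")

SAMPLE_LOG = """\
2012-01-20T09:00:01 192.0.2.10 REGISTER 201 401
2012-01-20T09:00:01 192.0.2.10 REGISTER 201 200
2012-01-20T09:00:05 203.0.113.7 REGISTER 100 401
2012-01-20T09:00:05 203.0.113.7 REGISTER 101 404
2012-01-20T09:00:06 203.0.113.7 REGISTER 102 404
2012-01-20T09:00:06 203.0.113.7 REGISTER 103 401
2012-01-20T09:00:09 198.51.100.23 REGISTER 200 401
2012-01-20T09:00:10 198.51.100.23 REGISTER 200 403
2012-01-20T09:00:11 198.51.100.23 REGISTER 200 403
2012-01-20T09:00:12 198.51.100.23 REGISTER 200 403
unparseable line, skipped by the parser
"""

def detect(log, window=timedelta(minutes=5), ext_limit=4, fail_limit=4):
    """Return {source_ip: reason} for sources whose REGISTER failures reach a limit."""
    events = defaultdict(list)  # source IP -> [(time, extension, status)]
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            t, src, ext, status = m.groups()
            events[src].append((datetime.fromisoformat(t), ext, int(status)))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end, (t, _, _) in enumerate(evs):
            while t - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            # Extensions that got a 200 in the window completed the normal 401 challenge.
            ok = {e for _, e, s in win if s == 200}
            fails = defaultdict(int)
            for _, e, s in win:
                if s >= 400 and e not in ok:
                    fails[e] += 1
            if len(fails) >= ext_limit:
                alerts[src] = "extension scan"
            elif max(fails.values(), default=0) >= fail_limit:
                alerts.setdefault(src, "password guessing")
    return alerts
```

Calling `detect(SAMPLE_LOG)` flags the two constructed attacking sources and leaves the phone that answered its challenge correctly alone.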

Why is this a concern? Toll fraud is the primary threat. A hacker who can register as a legitimate user can make telephone calls at the owner’s expense. In a typical scenario, a hacker in a remote country, say Azerbaijan, registers with a PBX in the UK.

He or she then calls a primary rate number in a third country, Ethiopia, for instance. The hacker owns this primary rate number, so every call they make to it makes them money at the expense of the company under attack. Over a weekend or a few evenings, this can really mount up; £50,000 is not unusual.

This attack is very hard for a company to combat. First, it is responsible for all calls made from an unsecured PBX, so it must pay its provider. Second, if it wants to prosecute, it has to identify where the hacker came from.

The source might be in Azerbaijan, but that could be a proxy for the hacker, who might well live in another country. As for retrieving the money from the primary rate number provider, the calls were handled in good faith, so it is unlikely any money will be returned! The moral of this tale is “Buyer Beware”.

Cross-posted from Redscan
