
Your PBX has been hacked - ableal
http://www.cringely.com/2015/05/02/your-pbx-has-been-hacked/
======
MichaelGG
>They are operating from overseas and can’t be traced.

Not to ad-hominem, but this guy doesn't know what he's talking about. (I've
seen his posts before.)

The real problem is that no one cares to push any investigations. I've had
many many cases of customers sending "illegal" calls through my network. It's
not my customers, it's someone down the line. I'm not going to do anything
without a warrant. And when an upstream vendor gets a complaint, you know what
they ask for, every single time? "Please block this traffic."

I've even written back and told them, hey, if this is oh-so-serious, please
have your customer follow up. Have them get a subpoena, court order, etc. They
never do. No one cares.

Even with fake IRS calls, the "investigator" wouldn't bother doing the
paperwork. The FCC doesn't seem to care either (look at their moronic anti
robo dialing contest). The FCC has teeth, they're just very selectively
deployed.

Oh, you can't go back to knowing who is allowed to send what number. Things
are too mixed up, and it'd break many services. Including many uses of 9-1-1.
It's far more difficult than, for instance, preventing spoofed IP source
addresses.

If the FCC _really_ wanted to fix it, they just need to do so. Start fining
and being aggressive. Actually go after things, hunt the money down.

Finally, if you're relying on caller ID as anything other than a weak hint of
authentication, you're doing it wrong, full stop.

~~~
cxseven
"Oh, you can't go back to knowing who is allowed to send what number. Things
are too mixed up, and it'd break many services. Including many uses of 9-1-1.
It's far more difficult than, for instance, preventing spoofed IP source
addresses."

That's interesting. Why is that?

------
evunveot
It would be great if there were a * 69 type system that all the carriers
supported (i.e. was imposed by the FCC) where dialing * 7786 (* SPAM) or
something would flag the previous incoming call as unsolicited spam/scam and
allow you to leave a voicemail with the FCC describing what happened.
Hopefully the metadata would be fresh enough in the moment that they could
meaningfully record the actual route of the call as opposed to the spoofed or
blocked caller ID and begin to identify the bad actors (if not the ultimate
source then at least the last identifiable middleman).

~~~
MichaelGG
CDRs are kept for quite a while, so it's possible/easy to track these calls
down. There are a bunch of intermediaries (I ran one), and each time you need
to get them to release customer information. The FCC doesn't care enough; no
one investigates.

~~~
drzaiusapelord
Okay we do the legwork and track him down. He's an Indian national using a
stolen or prepaid credit card in Mumbai and using voip.ms or flowroute or
whoever just needs a CC to get started. He has long left this service and gone
to another by the time you "catch" him. He's made millions of calls since.

~~~
MichaelGG
Well most places don't just allow a credit card to start sending high volume,
due to the fraud risk. But agreed, there may not be too much ID, and
prosecuting internationally is hard. So there's a few options:

1. Don't allow such users to use other caller IDs until they verify
themselves (business, USF ID, etc.) or until they verify ownership of the
number, or some other limitation. This is fairly reasonable and can be totally
automated (some providers do so). Some Indian shop doesn't need to spoof all
US numbers, so why allow them?

2. Require deposits against such behavior, and in case of uncontested
complaint, keep the money.

3. Share information on offenders (FCC run, mandatory). This is like having a
list of known bad agents. Yes, they can get new IDs, but that costs a bit (see
point 1, no need to allow someone in India on a free email account, without a
company, impersonate all US numbers).

4. If the FCC _really_ wanted to nuke the problem, they could make providers
liable. End of story. Within a month, providers would get together and figure
it out.

And this wouldn't need to hurt legitimate usage that much. Established
operators are easy enough to figure out (or you can grandfather until there
are complaints). End users trying to get going should have no problem, either.

------
doctorshady
Seems like you should be able to program the auto-attendant to only allow a
certain number of transfers, or make it require some unusual transfer
operation, like *8 [extension] # on Audix VMSes. A lot of Nortel ones even
have the option to detect sequential dialing, and pretend anything the user
dials isn't in service.

That being said though, if you have access to ISUP fields on an incoming
trunk, you can check and see if the JIP parameter matches an office
corresponding to one of the two ANI fields, and route it to an operator if it
doesn't. There'll always be a way to set your number to whatever you want, but
if your number shows you're calling from a Centurylink phone in Seattle while
the JIP corresponds to some random CLEC's switch in California, something is
definitely up.
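
A worked version of the JIP-versus-ANI consistency check described above, as an added example (not code from the thread or from any switch vendor): it simplifies the comparison to the state each NPA-NXX is homed in, uses a constructed lookup table in place of the LERG, and accepts both ISUP number fields (Calling Party Number and Charge Number) so that either can satisfy the check.

```python
import re

# Constructed NPA-NXX -> (state, serving switch) table standing in for the LERG.
# 555-01xx blocks are reserved for fiction, so none of these map to real switches.
NPA_NXX_TABLE = {
    "206555": ("WA", "ILEC switch, Seattle"),
    "425555": ("WA", "ILEC switch, Bellevue"),
    "415555": ("CA", "CLEC switch, San Francisco"),
    "212555": ("NY", "ILEC switch, Manhattan"),
}


def npa_nxx(number):
    """Reduce a North American number (any punctuation, optional +1) to its NPA-NXX."""
    if not number:
        return None
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return digits[:6]


def route_decision(jip, calling_party, charge_number):
    """Decide how to route an incoming ISUP call.

    jip            -- JIP parameter (NPA-NXX of the originating switch), or None if absent
    calling_party  -- Calling Party Number field, or None if withheld
    charge_number  -- Charge Number (ANI) field, or None if absent

    Returns "normal" when the JIP is homed in the same state as at least one of
    the two number fields, "operator" when both disagree with it or the JIP is
    unknown, and "unverified" when no JIP was delivered at all (an absent JIP
    is not by itself evidence of spoofing, so it is only flagged).
    """
    if not jip:
        return "unverified"
    jip_home = NPA_NXX_TABLE.get(jip)
    if jip_home is None:
        return "operator"  # switch not in the table: cannot vouch for it, escalate
    for field in (calling_party, charge_number):
        key = npa_nxx(field)
        home = NPA_NXX_TABLE.get(key) if key else None
        if home and home[0] == jip_home[0]:
            return "normal"
    return "operator"


if __name__ == "__main__":
    # Seattle number arriving via a Seattle switch: consistent.
    print(route_decision("206555", "+1 206-555-0147", "2065550147"))
    # Seattle number arriving via a California CLEC switch: the case from the thread.
    print(route_decision("415555", "(206) 555-0147", None))
```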

------
kimi
With a cluster of Asterisk boxes and the right tools, it is easy to originate
millions of calls. I was talking to a person today who is to place ~60 million
calls in 20 days, and you can do that with a couple of Wombats and a small
cluster of AWS boxes - plus a few willing termination providers.

------
wtallis
I've been wondering increasingly often over the past few years why we tolerate
a phone network that allows for caller ID spoofing. I don't see how a system
analogous to BCP38 would have any significant downsides, and there's a huge
demand for anything that stems the rising tide of fraudulent robocalls.

~~~
ryanlol
It really isn't a big deal though, CID/ANI should never be trusted to identify
the caller anyway.

~~~
wtallis
That's only because we _let_ that system be gamed. _It doesn't have to be
that way_. Telcos always know who they're billing for a call; they have the
capability to make caller ID reliable.

~~~
FormerTelco3986
That's not true. Phone companies have to pay fees when they have to pass a
phone call through their telco to another. They have entire routing table fees
involved and the telcos will pass traffic through the cheapest routes. That's
why a call route can go through one set of routing in the morning but by the
evening it can go a completely different way; it's cheaper the second time
around. The fees are constantly changing. From a receiving telco side, they
receive an incoming call that has identified itself as Telco1, which matches
the routing tables. The problem is the telcos rely on an honor system when
they self-identify. (I don't know when this started; it was in place when I
worked in telco and everyone I knew at retirement age said it had always been
that way for them.) And then we have telcos that go even further and
completely avoid identification altogether, which is sleazy but happens very
often. The incoming telcos then are faced with either denying the incoming
calls altogether (but then it's the callers that suffer - but it would force
the telco trying to pass traffic for free to either identify themselves or
find another route) or risking passing that traffic and not being paid for it.
If it's low enough traffic, it's probably easier just to let the calls through
without knowing who to charge, so that telco got their calls passed for free.
It was a constant game for us to deny traffic and keep up with the routing
tables.

tldr: The technology isn't the only thing that's over 100 years old, the
business practices are also extremely broken too. And telcos are not an honest
bunch.

~~~
dubwubz
A good handful of the larger telcos don't bother with least cost routing
tables, and will instead just send all their domestic traffic straight through
their own networks. The route quality tends to be much higher when they do
that.

------
vbcr
_...and to press #4 to talk to their security department_

Does something bad happen by pressing a number on the dial pad, or do they just
transfer you to a human to talk to? Just curious because I heard from someone
that pressing a button was good enough for the spammer who is calling you, but
it does not make sense how that can harm.

~~~
centizen
It will verify the number/extension called as being a valid target for further
attacks. In most situations nothing worse than that would happen.

I have however seen a slightly different breed of attack, where an attacker
calls a victim (usually a switchboard attendant) and asks to be transferred to
extension 9190. If this happens, they dial the rest of a 1-900 number and rack
up charges.

------
chrisBob
When I get these calls I always debate trying to get their info so I can
report it but it is just sooooo much easier to hang up.

For the bank I always hang up and call back. My money is worth the extra step.

~~~
astrodust
The worry here is you hang up, call back, and the bank's telephone system is
compromised and you get routed through to the malicious actor.

------
drzaiusapelord
Voip security seems to be non-existent in practice. I recently spent some time
in popular Voip forums because of a planned roll-out here and heard a lot of
concerning things. It seems no one has any idea how firewalls work (Voip needs
both TCP and UDP) and they just leave listening ports open to the world,
instead of locking them down to their SIP trunk provider. Asterisk, and
others, by default handle anonymous calls so anyone able to contact the voip
port on your server can ring phones. Voicemail and automated attendant hacks
are everywhere. The laziness of the community to handle these is frightening,
not to mention none of this stuff was built with a security-first mindset, so
every fix is just plugging another hole. There will always be more holes in
Asterisk based systems.

Every PBX is just a copy of the old school analog PBX systems, so everything
is ugly and a configuration nightmare. I'm not even sure if it's even possible
to secure these things. PBXs have all the liabilities of the POTS system and
a TCP/IP system. Obscure dial presses and IVR hackers are everywhere. No one
really understands this stuff and making sure an attacker can't break out of
the IVR is actually fairly difficult as these things are designed to do their
best to route calls and there are so many ways to do that.

The most popular PBX is FreePBX which runs on a dated CentOS distro where
using yum to update breaks things, so everyone waits for a shell script
released by Schmooze to do package updates. Of course, they will not be as
fast as the distro mirrors so you have to wait for your managed update while
the hackers are loose with exploits for your platform. Then hope to Alexander
Graham Bell that the script doesn't break the Jenga-like system that is
Asterisk-based PBXs. Spoiler: they usually do.

Encryption is borderline non-existent as anything that can interfere with the
precious jitter and latency limitations of voip is disregarded, so everything
is plain-text and open to trivial sniffing. No IPS/IDS out of the box. No
botnet filtering out of the box. No captchas on logins for users. No SELinux.
No modsecurity. No OSSEC. No nothing really, these distros are not made by
people who grok security. They seem to be made by ex-big iron phone cowboys
who came from managed Cisco and Avaya environs and think linux is a magical
unhackable black box. Spoiler: it isn't.

I was going to write a security guide for the FreePBX distro but gave up when
any little change broke something. Other than seriously firewalling these
things off behind something that can run IPS/IDS and having Voip on its own
vlan with nothing else, there's not much you can do. They're really delicate
and easy to hack.

Lastly, in regards to the article, there is zero proof that all these scammers
are all using stolen voip servers. They probably are in some cases, but it's
trivial to sign up with an international provider and make calls from Mumbai
to the USA for pennies per minute. The tolls are trivial compared to what you
can get just out of one person scammed. Most hacked boxes seem to be lone
hackers getting free long distance or small operators reselling that long
distance to shady-market buyers using bitcoin.

------
caruizdiaz
Phone numbers are going to (eventually) disappear. They are inefficient, hard
to remember and not human-friendly (they are great for computer-based routing
:P ).

The easier thing we can do is to map them down like we do it with IPs and
domain names, but as usual, this is far from being a practical solution.

The best thing is to let conventional telephony die and VoIP take over its place.

~~~
jallmann
> map them down like we do it with IPs and domain names

We have been able to map phone numbers to SIP URIs for a long time with E.164
ENUM. Numbers are a hassle, but there's nothing preventing numbers from living
alongside proper URIs today.

> let conventional telephony die and VoIP take over its place.

Many places are still circuit-switched at the last mile, whether over landline
or cellular. We can't turn off the PSTN in favor of VoIP until everybody has
switched over -- similar to the IPv6 changeover dilemma, although more
tractable due to the ubiquity of Internet access and proper interworking -- no
tunneling required.

What I'm waiting for though, is the ability to "bring your own" SIP URI so the
carriers can handle our calls in the same way GMail can handle our email for
personal/business domains. (Not to mention the capability to dial out to SIP
addresses...)

Ideally, this would extend all the way down to "bring your own SIP proxy and
registrar" where the carriers would just act as dumb pipes to carry your calls
at the same QoS as theirs, but that's a far ways off.

~~~
caruizdiaz
> We have been able to map phone numbers to SIP URIs for a long time with
> E.164 ENUM

yes, because dialing 3.0.3.3.8.4.0.3.5.5.1.2.5.e164.arpa is super easy to do.

I was talking about a proper solution, not patching an existing one.

> We can't turn off the PSTN in favor of VoIP until everybody has switched
> over

Exactly, but we have to start at some point. We have been doing phone calls
for more than 100 years, and it has remained practically unchanged since then.

~~~
jallmann
> yes, because dialing 3.0.3.3.8.4.0.3.5.5.1.2.5.e164.arpa is super easy to
> do.

Nonsense, the user would never dial that. The number gets mechanically
translated as necessary, which is extremely straightforward...

> We have been doing phone calls for more than 100 years, and it remained
> practically unchanged since then.

Really? Most of your comments in this thread are uninformed, bordering on the
absurd. If you are doing a telecom startup (as your profile implies), I would
encourage a better understanding of the industry: you can't compete with what
you don't know.
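
The mechanical translation jallmann refers to, as an added example (not code from the thread): it carries the thread's 3.0.3.3.8.4.0.3.5.5.1.2.5.e164.arpa name both ways following the E.164-to-ENUM rule, then applies an ENUM NAPTR regexp field (the "!ere!replacement!" form) to turn the number into a SIP URI. The NAPTR rules and the gw.example.net host are constructed, not records from a live zone.

```python
import re

ENUM_APEX = "e164.arpa"  # the public ENUM tree; private trees use a different apex


def e164_to_enum(number):
    """'+5215530483303' -> '3.0.3.3.8.4.0.3.5.5.1.2.5.e164.arpa'

    Rule: drop the '+', reverse the digits, dot-separate them, append the apex.
    """
    cleaned = re.sub(r"[\s().-]", "", number)
    if not re.fullmatch(r"\+[1-9]\d{1,14}", cleaned):
        raise ValueError("not an E.164 number: %r" % number)
    return ".".join(reversed(cleaned[1:])) + "." + ENUM_APEX


def enum_to_e164(name):
    """Inverse of e164_to_enum; rejects names whose labels are not single digits."""
    suffix = "." + ENUM_APEX
    if not name.lower().endswith(suffix):
        raise ValueError("not under %s: %r" % (ENUM_APEX, name))
    labels = name[: -len(suffix)].split(".")
    if not all(len(lbl) == 1 and lbl.isdigit() for lbl in labels):
        raise ValueError("malformed ENUM name: %r" % name)
    return "+" + "".join(reversed(labels))


def apply_naptr_regexp(rule, number):
    """Apply an ENUM NAPTR 'regexp' field ('!ere!repl!' plus an optional 'i' flag).

    The first character is the delimiter; backreferences are written \\1..\\9,
    which Python's re.subn understands directly.
    """
    delim = rule[0]
    parts = rule.split(delim)
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("malformed NAPTR regexp: %r" % rule)
    _, ere, replacement, flags = parts
    re_flags = re.IGNORECASE if "i" in flags else 0
    uri, n = re.subn(ere, replacement, number, count=1, flags=re_flags)
    if n == 0:
        raise ValueError("rule did not match %r" % number)
    return uri


# Constructed rule in the style of a terminal ("u") E2U+sip NAPTR record.
SIP_RULE = r"!^\+52(.*)$!sip:\1@gw.example.net!"

if __name__ == "__main__":
    enum_name = "3.0.3.3.8.4.0.3.5.5.1.2.5.e164.arpa"  # the name quoted in the thread
    number = enum_to_e164(enum_name)
    print(number)                                       # +5215530483303
    print(apply_naptr_regexp(SIP_RULE, number))         # sip:15530483303@gw.example.net
```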

------
fpgaminer
This article is making all sorts of illogical conclusions from the stories
it's telling. First, how was the company hacked "through their corporate phone
system"? They were hacked through social engineering and malware. The phone
network was just used for reconnaissance. I'm sure hackers have been mining
phone networks for decades. Not that this story isn't interesting, but the
conclusion doesn't lead from the tale.

Second, how does he know the bank's phone system was compromised, just because
he couldn't reach it? I'm no expert on phone systems, but it seems like any
number of other possibilities are at play here. Like, the bank's phone system
actually being down and the call minion he talked to not being in a position
to know anything about it (common). Or maybe the call center was up, but it
was inaccessible for a brief period of time. I can't imagine phone systems are
very reliable. Again, an unsubstantiated conclusion.

Third, he also concludes the bank's records were compromised, leaking his
phone number. I get fake calls from "banks" a few times per year, even ones
with the right names. I see no reason to assume the bank's records have been
compromised, just because you coincidentally got a fake call with your bank's
name. Either it was coincidence that the name matched his current bank, or the
information leaked through the usual means (bank selling your information to
third-parties, who turn out to be unscrupulous or have their information
stolen; or any retailer you've used your bank's credit/debit card at selling
your information).

Fourth, how does any of this lead to the conclusion that "[w]e’ve lost control
of our phone network"? These were all typical phracker activities that have
been occurring for decades.

And finally, the mention of the Do Not Call list is also a non sequitur. It's
only loosely related to what the author previously mentioned.

I'm all for being security aware, but I'm not seeing the story here. In my
honest opinion, this looks like a big pile of FUD with no useful substance and
it surprises me that it's on the HN front page right now.

~~~
dubwubz
That depends on the phone system. Asterisk isn't particularly reliable; it
actually crashes at 100 concurrent calls.

If you're talking about a good CO switch like a 5ESS or DMS-100, they're
extremely reliable, well engineered machines. They consistently meet and
exceed five nines reliability.

~~~
MichaelGG
Not that I have any love for Asterisk, but modern versions can handle that
load. As can FreeSWITCH despite its... interesting... threading model, as can
OpenSIPS. On top of that, who cares what a single process can run? It's better
to run one per core anyways. I had several servers, each running several FS
instances and scaling wasn't really an issue.

I even ran a 5 nines 9-1-1 service off Asterisk, as embarrassing as that is.
We missed one call in 18 months during a hard maintenance cutover, but handled
it manually. Of course it was only one part and relied on the rest of the
PSTN.

With a SIP proxy in an HA setup, almost surely the biggest downtime is going
to be operator error or IP connectivity issues. Or someone changing their
signalling subtly, but OTOH 5ESS and DMS aren't totally identical in behavior
either.

(Though fair enough, the "software" guys haven't shown the same uptimes,
overall, as the old style switching, true.)

