Hacking VoIP to make money

23 Nov 2011

When you think of telephones you don't really think or worry about security. But even in this internet age, so many businesses still rely on their telephone system. To meet businesses' needs for lower costs and better quality calls, the technology is changing rapidly.

You have probably heard of VoIP (Voice over Internet Protocol), which is just a way of digitally connecting calls over a network, either LAN or WAN. Today it's surprising how many organisations use this technology.

At my work I installed a VoIP system to replace the standard analogue lines because of the cost of putting BT POTS lines in; with VoIP we can have as many numbers as we like and handle 100s of calls over a single internet connection.

But just like any server that is internet facing, it is vulnerable to a whole host of attacks. When the media use the term "Hacker" it usually refers to the stereotype of a kid in his bedroom destroying things because he thinks it's fun. Yes, there are many of those, which we call "Script Kiddies" because there is no skill involved and they are just using software others have created. The real cyber criminals "hack" to make money, not for fun. VoIP systems can be a profitable target compared to a random web server, and my PBX system has been a target of some of these attacks over the last two months. I will also explain how I stopped them before they caused any damage or cost.

SIP Denial Of Service

One evening just before office closing time, the reception phone went mad with phone calls: all eight lines on the phone were ringing. It was a SIP denial of service attack, and within a few seconds the other phones in the same call group also started to ring like mad. It only lasted a few minutes, while I was bringing up the Asterisk console on a laptop to block the offending IP using IPTables.

The attack is very simple: send as many calls as possible to block any real calls coming in. Asterisk by default has no way of automatically blocking calls that are abusing the system, so this attack would be hard to stop if you were not an admin.

We stopped it quickly, but any real calls coming in during the attack had no chance of being answered. A simple way to stop this from happening is to block anonymous SIP calls, which we don't receive anyway as we use a SIP trunk. In theory, if you found this flaw in a company's system you could blackmail them into paying a fee to stop an attack on their system. I don't know if that has ever been attempted, but it would be possible and hard to track.

Extension Brute Force

Just like on any server which has a public facing authentication system, such as a web server or a router, the username and password can be brute forced until a guess is correct and the attacker gains access to the system. Many systems have a minimum password length and a maximum number of incorrect password attempts. But PBXs don't have these by default, and leave it up to the administrator to keep the system secure and to enforce policies on their users.

Every day when I look at the logs of my Asterisk server I see these brute force attacks on different extensions, trying to guess the password. None of the extensions on my system have ever been compromised, but the consequence of them being compromised would be very expensive. Just like the act of setting up a premium rate number and tricking individuals and businesses into calling it to make quick money, if a phone extension is compromised it can silently make calls to premium rate numbers without anyone ever knowing. In a large business with big phone costs the calls would go unnoticed for weeks, months and even years!

Be sure to have strong extension passwords (12+ characters), monitor call activity and use tools such as IPTables to block attempted registrations as explained here Link.
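As an added example (not part of the original post), the monitoring step above can be automated by scanning the Asterisk log for failed registrations and flagging any source IP that fails repeatedly within a short window. The log format is assumed to follow chan_sip's NOTICE messages, the threshold and window are arbitrary choices, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed chan_sip NOTICE format; adjust the pattern to your Asterisk version.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\].*?: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)
EXTEN = re.compile(r"sip:([^@>;]+)@")  # extension part of the From URI

def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures", "extensions"}} for every source IP with at
    least `threshold` failed registrations inside one sliding `window`."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m:
            continue  # not a failed-registration line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ext = EXTEN.search(m["from"])
        events[m["ip"]].append((ts, ext.group(1) if ext else "?"))
    offenders = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = {"failures": len(hits),
                                 "extensions": {e for _, e in hits}}
                break
    return offenders

# Constructed sample: one source walking extensions 100-105 in six seconds,
# plus a real user who mistypes a password twice, 25 minutes apart.
SAMPLE_LOG = [
    f"[2011-11-20 18:02:{s:02d}] NOTICE[2345] chan_sip.c: Registration from "
    f"'\"{ext}\" <sip:{ext}@203.0.113.10>' failed for '198.51.100.23' - Wrong password"
    for s, ext in enumerate(range(100, 106))
] + [
    "[2011-11-20 09:15:00] NOTICE[2345] chan_sip.c: Registration from "
    "'\"201\" <sip:201@203.0.113.10>' failed for '192.0.2.50' - Wrong password",
    "[2011-11-20 09:40:00] NOTICE[2345] chan_sip.c: Registration from "
    "'\"201\" <sip:201@203.0.113.10>' failed for '192.0.2.50' - Wrong password",
    "[2011-11-20 18:03:00] VERBOSE[2345] pbx.c: unrelated line, ignored",
]

if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, info["failures"], sorted(info["extensions"]))
```

Each flagged address is a candidate for an IPTables drop rule; a single source probing many different extensions is a stronger signal than repeated failures on one extension.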

I'm sure there are also other ways to hack VoIP systems to make money, but the above are actually happening to many PBX systems and will only get worse as more businesses use these systems.

I would be interested to hear if you know any other ways of making money from hacking VoIP or PBX systems, just leave a comment below.