[asterisk-users] Asterisk Security: Allow only one phone per sip registration

Terry Wilson twilson at digium.com
Fri Oct 14 02:32:53 CDT 2011


----- Original Message -----
> From: "Sam Muro" <research at businesstz.com>
> To: asterisk-users at lists.digium.com
> Sent: Friday, October 14, 2011 2:02:01 AM
> Subject: [asterisk-users] Asterisk Security: Allow only one phone per sip registration
> Hi there
> 
> Consider this. You have three SIP extensions, 200, 201 and 202, and you have
> configured your phones, say Polycom 331, to those accounts, 200 being one
> very sensitive individual.
> 
> Let's say an insider gets a new phone or perhaps an X-Lite and configures it
> with the same extension, 200. Asterisk will register it as 200 to the new
> IP address. Now extension 202 calls 200. The hacker answers it and pretends
> to be the same person, does what he wants to do, and that's it.
> 
> Question:
> How can I stop this type of threat?

I would recommend actually setting a different secret field in sip.conf for each device so that your would-be attacker isn't able to register as someone else. Or you could buy a gun. I bet the insider would be very afraid of the gun and would therefore avoid any shenanigans while you were around. This would especially be true if you randomly shot items like coffee cups and plants whenever you thought they were looking at you funny. That'll show 'em.
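
Added example, not part of the original message or of Asterisk itself: a small audit of a chan_sip-style sip.conf that flags extensions whose `secret` is shared with another extension, equals the extension number, or is missing. It assumes a flat file using the `secret` / `md5secret` keys with no templates or `#include` lines; the sample configuration and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in chan_sip sip.conf syntax; not taken from the thread.
SAMPLE_SIP_CONF = """
[general]
[200]
type=friend
secret=Winter2011   ; same secret as 201
[201]
type=friend
secret=Winter2011
[202]
type=friend
secret=202          ; secret equals the extension number
[203]
type=friend         ; no secret at all
"""

SECTION = re.compile(r"^\[([^\]]+)\]")

def parse_peers(text):
    """Return {section: {key: value}} for every section except [general]."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        match = SECTION.match(line)
        if match:
            current = None if match.group(1) == "general" else match.group(1)
            if current:
                peers[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            peers[current][key.strip().lower()] = value.strip()
    return peers

def audit(text):
    """Return sorted (extension, finding) pairs for weak credential setups."""
    by_secret, findings = defaultdict(list), []
    for name, opts in parse_peers(text).items():
        secret = opts.get("secret") or opts.get("md5secret")
        if not secret or secret == name:
            findings.append((name, "secret equals extension" if secret else "no secret set"))
        if secret:
            by_secret[secret].append(name)
    for names in by_secret.values():
        if len(names) > 1:
            findings += [(n, "secret shared with " + ",".join(sorted(set(names) - {n}))) for n in names]
    return sorted(findings)
```

Calling `audit(SAMPLE_SIP_CONF)` returns one finding per problem extension; an empty list means every extension has its own non-trivial secret.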


