[asterisk-users] Interesting new hack attack

James Sharp james at fivecats.org
Thu May 22 16:22:36 CDT 2014


On 5/22/2014 12:41 PM, Steve Murphy wrote:

> So, these defenses can be employed to stop/ameliorate such
> hacking efforts:
>
> 1. Keep your phones behind a firewall. Travellers, beware!
>     Never leave the default login info of the phone at default!
> 2. Never use the default provisioning URL for the phone,
>     with its default URL or password.
> 3. Use fail2ban, ossec, whatever to stymie any brute force
>     MAC address searches.
> 4. Use your firewalls to restrict IPs that can access web,
>     ftp, etc, for provisioning to just those IPs needed to allow
>     your phones to provision.
> 5. Keep your logs for a couple years.
> 6. Change your phone SIP acct passwords now, if you haven't
>     implemented the above precautions yet.
>
>
> If I missed a previous post on this, forgive me.
> Just thought you-all might appreciate a heads-up.

Encrypt your provisioning system if the phone supports it.  I had a 
cable/voip service provider who HTTPS provisioned by MAC without 
encryption and the provisioning URL was stored, unlocked, in the ATA. 
Had I been slightly more nefarious, I could have walked the 
provisioning tree nice and slow and easily grabbed everyone's SIP 
credentials in the clear.

No hacking or cracking was involved.  The ATA doubled as the NAT router 
they handed out and gave the admin password out freely.
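
An added example, not part of the original posts: one way to spot the brute-force MAC address searches mentioned in item 3 by scanning a provisioning server's access log for clients that request many different MAC-named config files. The `/provision/<MAC>.cfg` path layout, the combined log format, the threshold and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: combined-format access log, phones fetch /provision/<12-hex-MAC>.cfg
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
MAC_RE = re.compile(r'/(?P<mac>[0-9A-Fa-f]{12})\.cfg$')

def find_mac_scanners(lines, max_macs=3):
    """Report clients that asked for more than max_macs distinct MAC configs.

    A real phone only ever asks for its own MAC, so a single source walking
    many MACs is a search. 'hits' lists the MACs that were actually served
    (HTTP 200): those phones' SIP passwords should be changed.
    """
    seen = defaultdict(lambda: {"macs": set(), "misses": 0, "hits": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/HEAD request line we understand
        mac = MAC_RE.search(m["path"].split("?", 1)[0])
        if not mac:
            continue  # not a per-MAC provisioning file
        rec, addr = seen[m["ip"]], mac["mac"].lower()
        rec["macs"].add(addr)
        if m["status"] == "404":
            rec["misses"] += 1
        elif m["status"] == "200":
            rec["hits"].add(addr)
    return {ip: {"macs": len(r["macs"]), "misses": r["misses"],
                 "hits": sorted(r["hits"])}
            for ip, r in seen.items() if len(r["macs"]) > max_macs}

# Constructed sample log: one legitimate phone, one client walking MACs.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/May/2014:10:00:01 -0500] '
    '"GET /provision/0004f2aabbcc.cfg HTTP/1.1" 200 2048 "-" "phone"',
    '198.51.100.7 - - [22/May/2014:11:00:01 -0500] '
    '"GET /provision/0004f2aabbcc.cfg HTTP/1.1" 200 2048 "-" "phone"',
]
for i in range(1, 6):
    SAMPLE_LOG.append(
        '203.0.113.50 - - [22/May/2014:10:01:0%d -0500] '
        '"GET /provision/0004f200000%d.cfg HTTP/1.1" %d 512 "-" "-"'
        % (i, i, 200 if i == 4 else 404))

if __name__ == "__main__":
    for ip, info in find_mac_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

Run against retained logs (item 5), the `hits` list narrows down which accounts need the password change from item 6.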


