NOTE: The attacks mentioned below are equally targeted at Linux, Mac and Windows. SIP attack vulnerabilities are the same for all of them.
Your Windows PBX is just waiting to be hacked! I'm not kidding. I happen to be on a security kick right now. The other day I was monitoring the incoming SIP traffic on a network. Guess how long it took until some unknown IP address was trying to log in to the PBX? Less than 10 minutes! In another case a small business using a VoIP phone system got a call from their phone company asking if they really wanted to be making calls to Nigeria?!!
Windows-based phone system vendors are also becoming aware that security is not just a "feature" to tick off and list along with hundreds of others but a core pillar of a robust communication solution.
3CX issued a big security fix for v9 of the 3CX phone system at the beginning of September to address some urgent vulnerabilities. According to 3CX "it is very important that you install this update asap". This is veiled language to mean if someone fires up SipVicious and points it at your unpatched 3CX PBX it can bring it to a crawl and render it unusable. Get patched.
pbxnsip has been paying quite a bit of attention to security for some time. Or as they put it, "Security was not an afterthought and focused on since day 1." You can read more on pbxnsip security features here. Automatic blocking of malicious IP addresses attempting to hack SIP passwords has been in place since v4.0. A thorough security breach notification system is in place via email notices, SNMP or syslog. Since pbxnsip is a great fit for the SMB as well as large hosted implementations, it is not surprising that the focus on security is high.
This email always gives me a warm sense of security. ;-)
I did a quick search of the Windows-based Yeastar BizPBX Administrator manual and the word security came up 3 times and never in relation to SIP attacks. A quick search of the 3CX phone system admin manual turns up 2 references to security. (I was a little surprised by that) Another Windows PBX from PCBest had no references to security in their manual. Contrast this to pbxnsip/snomONE's admin manual with no less than 25 references to security.
What can you do?
-Absolutely use secure SIP passwords
-Turn on PBX features to fend off SIP hacker attacks (such as auto block IP address)
-Delete unused test extension accounts that aren't secured
-Have secure web user portal logins
-Limit registrations per extension to one
-Use secure SIP trunk passwords as well.
-Become familiar with a tool like sipvicious (links below)
-STAY ON MAINTENANCE for your PBX & keep it updated so you don't get taken down.
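The "auto block IP address" idea from the list above, sketched as log analysis. This is an added example, not code from this post or from any PBX vendor; the key=value log format, the field names and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a made-up key=value format (not a real PBX log).
SAMPLE_LOG = """\
2010-09-20T10:00:00 src=192.0.2.10 ext=201 ua=snom320 auth=no status=401
2010-09-20T10:00:01 src=192.0.2.10 ext=201 ua=snom320 auth=yes status=200
2010-09-20T10:00:05 src=203.0.113.7 ext=100 ua=friendly-scanner auth=no status=401
2010-09-20T10:01:00 src=192.0.2.11 ext=202 ua=3CXPhone auth=yes status=401
2010-09-20T10:01:09 src=192.0.2.11 ext=202 ua=3CXPhone auth=yes status=200
2010-09-20T10:02:00 src=198.51.100.23 ext=100 ua=snom320 auth=yes status=401
2010-09-20T10:02:01 src=198.51.100.23 ext=101 ua=snom320 auth=yes status=401
2010-09-20T10:02:02 src=198.51.100.23 ext=test ua=snom320 auth=yes status=401
"""

def parse(line):
    """Split one log line into a dict with a parsed 'ts' timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_attackers(log, max_failures=3, window=timedelta(seconds=60)):
    """Return {source_ip: reason} for sources an auto-block rule would ban."""
    failures = defaultdict(deque)   # source IP -> times of recent failures
    blocked = {}
    for line in log.strip().splitlines():
        rec = parse(line)
        src = rec["src"]
        if src in blocked:
            continue
        # Default SIPVicious User-Agent; trivially changed, so only a hint.
        if rec["ua"] == "friendly-scanner":
            blocked[src] = "scanner user-agent"
            continue
        # A 401 to a request without credentials is the normal digest
        # challenge every phone receives; count only rejected credentials.
        if rec["auth"] != "yes" or rec["status"] not in ("401", "403"):
            continue
        recent = failures[src]
        recent.append(rec["ts"])
        while rec["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_failures:
            secs = int(window.total_seconds())
            blocked[src] = f"{len(recent)} failed logins in {secs}s"
    return blocked
```

The phone at 192.0.2.11 mistypes its password once and is not banned, while the source that tries three extensions in two seconds is.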
With phone systems and communication solutions becoming easier and easier to implement and administer, it is highly possible that some business owner will install a phone system and leave it in a very vulnerable state. After a $500 SIP trunk bill for calls to Timbuktu, or a phone system that is brought to a crawl on your busiest day of the year because of DoS, security gets top attention!
Are there any more security measures you would add to this list? If so, please comment below!
(aka Friendly Scanner)
One of my favorite tricks is to use Ultra High Security Password Generator (https://www.grc.com/passwords.htm) for passwords.
Thanks for that idea. This can be a pain for provisioning phones etc. and I guess inconvenience versus security needs to be weighed.
Once again thanks for your input!
I would like to comment...
Math, why didn't you mention asterisks as well.
It seems that Snom 1 is VERY safe.
Did you check in the forums of snom 1? Because I see your name always popping up and it seems that you are hiding the real reality...
Yes it is very easy to block an IP. But the reality with snom 1 is the following (which Mathlandis did not say)
Answer to this is simple :
1) 99% CPU load. (Tell me how can a user open the login form in Snom1 let alone answer calls)
2) Bad Audio Quality. In Voip Providers / Gateways and so on.
3) Takes A LOT of Bandwidth :)
So regarding "Security was not an afterthought and focused on since day 1."
I think you got a little bit confused, Math
Hi Michael,
Q-why not mention asterisk?
This is a WindowsPBX blog. If there is a good windows asterisk--I want to know about it!!
Q-snom ONE is very safe
Yes.
Q-name popping up...
A-Yes, my name pops up related to Windows PBX's. I also contributed 2000+ posts to 3CX forums & wrote a book on 3CX & was the 1st 3CX Premium Partner in the USA. If you follow this blog there is no hiding that we are also a reseller and fan of snom ONE. (the product is good) So yes, my name does come up in relation to snom ONE & 3CX. ;-) We do consulting for both and no attempt to hide. ;-)
Q-Why 99% load, bad quality, lot of bandwidth on snom ONE?
A-We have pbxnsip/snom ONE implemented in many locations with no 99% load, bad or bandwidth issues. Just installed 175 extension system yesterday and processor is at -5% under normal load!
So if there are issues with your specific system let's take it up on the forums. ;-)
Take care,
matt
Q-why not mention asterisk?
My sincere apologies, I misunderstood the header of your article/blog "Someone Is Attempting to Hack Into Your Windows (or Linux) Phone System Right Now"
I thought you missed commenting about asterisk too...
Regards