
Someone Is Attempting to Hack Into Your Windows (or Linux) Phone System Right Now


NOTE: The attacks mentioned below are equally targeted at Linux, Mac and Windows. SIP attack vulnerabilities are the same for all of them.

Your Windows PBX is just waiting to be hacked! I'm not kidding. I happen to be on a security kick right now. The other day I was monitoring the incoming SIP traffic on a network. Guess how long it took until some unknown IP address was trying to log in to the PBX? Less than 10 minutes! In another case, a small business using a VoIP phone system got a call from their phone company asking if they really wanted to be making calls to Nigeria?!

Windows-based phone system vendors are also becoming aware that security is not just a "feature" to tick off and list along with hundreds of others, but a core pillar of a robust communication solution.

3CX issued a big security fix for v9 of the 3CX phone system at the beginning of September to address some urgent vulnerabilities. According to 3CX, "it is very important that you install this update asap". This is veiled language meaning that if someone fires up SIPVicious and points it at your unpatched 3CX PBX, it can bring it to a crawl and render it unusable. Get patched.

pbxnsip has been paying quite a bit of attention to security for some time. Or as they put it, "Security was not an afterthought and focused on since day 1." You can read more on pbxnsip security features here. Automatic blocking of malicious IP addresses attempting to hack SIP passwords has been in place since v4.0. A thorough security breach notification system is in place via email notices, SNMP or syslog. Since pbxnsip is a great fit for SMBs as well as large hosted implementations, it is not surprising that the focus on security is high.

This email always gives me a warm sense of security. ;-)

I did a quick search of the Windows-based Yeastar BizPBX Administrator manual, and the word "security" came up 3 times and never in relation to SIP attacks. A quick search of the 3CX phone system admin manual turns up 2 references to security. (I was a little surprised by that.) Another Windows PBX, from PCBest, had no references to security in its manual. Contrast this with pbxnsip/snomONE's admin manual, which has no less than 25 references to security.

What can you do?

- Absolutely use secure SIP passwords.
- Turn on PBX features that fend off SIP hacker attacks (such as auto-blocking IP addresses).
- Delete unused test extension accounts that aren't secured.
- Have secure web user portal logins.
- Limit registrations per extension to one.
- Use secure SIP trunk passwords as well.
- Become familiar with a tool like SIPVicious (links below).
- STAY ON MAINTENANCE for your PBX and keep it updated so you don't get taken down.
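
The auto-block item above can be illustrated with a short sketch. This is an added example, not code from the original post and not how pbxnsip or 3CX implement blocking. The log line format, thresholds and function name are assumptions; `friendly-scanner` is the default User-Agent string SIPVicious sends.

```python
import re
from collections import defaultdict, deque

# Constructed sample; this line format is an assumption, not a real PBX log format.
# Fields: epoch seconds, source IP, extension, result of a credentialed REGISTER, User-Agent
SAMPLE_LOG = """\
1000 198.51.100.20 201 OK desk-phone
1002 203.0.113.7 100 FAIL friendly-scanner
1003 203.0.113.7 101 FAIL friendly-scanner
1004 203.0.113.7 102 FAIL friendly-scanner
1005 203.0.113.7 103 FAIL friendly-scanner
1010 198.51.100.20 201 FAIL desk-phone
1400 198.51.100.20 201 FAIL desk-phone
1900 198.51.100.20 201 FAIL desk-phone
2000 192.0.2.55 200 FAIL softphone
2001 192.0.2.55 200 FAIL softphone
2002 192.0.2.55 200 FAIL softphone
2003 this line is malformed
"""

LINE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (\d+) (OK|FAIL) (\S+)$")

def find_offenders(log_text, max_failures=3, window=60):
    """Return {ip: reason} for sources exceeding max_failures within window seconds."""
    recent = defaultdict(deque)  # ip -> (timestamp, extension) of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore unparseable lines instead of crashing the monitor
        ts, ip, ext, result, ua = int(m[1]), m[2], m[3], m[4], m[5]
        if ip in blocked or result == "OK":
            continue
        q = recent[ip]
        q.append((ts, ext))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= max_failures:
            swept = len({e for _, e in q}) > 1
            reason = "extension sweep" if swept else "password guessing"
            # The User-Agent is client-controlled, so it is only a hint, never the trigger.
            if ua == "friendly-scanner":
                reason += " (scanner User-Agent)"
            blocked[ip] = reason
    return blocked

if __name__ == "__main__":
    for ip, why in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: {why}")
```

The sliding window is what keeps the user at 198.51.100.20, who mistypes a password three times over fifteen minutes, from being blocked alongside the two sources that fail three times within seconds.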

With phone systems and communication solutions becoming easier and easier to implement and administer, it is highly possible that some business owner will install a phone system and leave it in a very vulnerable state. After a $500 SIP trunk bill for calls to Timbuktu, or a phone system that is brought to a crawl on your busiest day of the year because of a DoS attack, security gets top attention!
Are there any more security measures you would add to this list? If so, please comment below!

(aka Friendly Scanner)