Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Monthly Archives: January 2011

Another day, another VoIP fraud (just 13 000 USD..)

This time it was H.323 on a Cisco CallManager that was exploited in some way. My personal guess is just bad configuration, but maybe there is a bug in it as well. From a mailing list:

A company we work closely with, but is not our customer, had their Cisco
Call Manager hacked due to some h.323 vulnerability that I don’t have
full details on yet.  There were a number of calls placed to:


My findings indicate these are Globalstar satellite numbers that cost
somewhere between $4 and $7/minute to call, depending on carrier.  The
victim’s carrier is billing them at $6.50.  The total bill for the event
is around $13k.  This is a small company that can’t really afford this.

If I had a small company and connected to a carrier, I would demand credit limits, just as I would not want a 1 million credit limit on my credit cards. Check with your VoIP carrier that it has effective credit limits!

And another 100 000 dollar fraud this weekend..

From one of the mailing lists:

Recently we have been hit by the attackers during the weekend causing more
than 100 K USD bill
They were dialing payphone type numbers “dial to win” by compromising one of
our DID numbers.
Mostly calls were placed to Lithuania, and Sierra Leone.
But guys buckle up, there are some gangs using sophisticated mechanisms to
get into IP PBX systems
Remove all NAT with local IPs, block SIP ports and h.323 ports, if u r using
cisco upgrade to v15.12T.
add trusted gateway list.

One way to document and block hackers is to implement a VoIP Abuse list.
Have a look at the VoIP Abuse Blacklist implementation.

But the Romanians keep hacking..

32 people were apprehended in Romania, but the VoIP hacking continues from this country. Low wages, highly educated people and not too many jobs often force people to start hacking, combined with a low risk of being caught.

This was from an IP address caught in a SIP honeypot belonging to the Honeynet Project.

REGISTER sip:IP.removed SIP/2.0
Via: SIP/2.0/UDP;rport;
From: <sip:1234@IP.removed>;tag=3202
To: <sip:1234@IP.removed>
Call-ID: 14862
Contact: <sip:1234@>
Max-Forwards: 70
User-Agent: Linphone/ (eXosip2/3.3.0)
Expires: 3600
Content-Length: 0

The normal procedure is to use SIPVicious to do the scanning, then use Linphone or another softphone to test whether you can dial out on the discovered IP PBX.

VoIP admins, do a pen-test on your own system and lock it down. This is, sadly, just the start….
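An added example, not from the original post or the Honeynet Project: one way to turn REGISTER captures like the one above into candidates for a VoIP abuse blacklist, skipping a trusted gateway list. The watch list, thresholds, `pbx.example` host, helper names and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watch list: "friendly-scanner" is SIPVicious' default User-Agent,
# Linphone is the softphone seen in the honeypot capture above.
SUSPECT_AGENTS = ("friendly-scanner", "sipvicious", "linphone")

def parse_sip(raw):
    """Return (method, headers) for a raw SIP request; header names lower-cased."""
    lines = raw.strip().splitlines()
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def sip_user(value):
    """Extract the user part from a header such as <sip:1234@host>;tag=1."""
    m = re.search(r"sips?:([^@>;]+)@", value or "")
    return m.group(1) if m else None

def blacklist_candidates(events, trusted=(), max_users=3):
    """events: (source_ip, raw_request) pairs as a honeypot or PBX logs them."""
    users, reasons = defaultdict(set), defaultdict(set)
    for src, raw in events:
        method, hdr = parse_sip(raw)
        if src in trusted or method != "REGISTER":
            continue
        agent = hdr.get("user-agent", "").lower()
        if any(s in agent for s in SUSPECT_AGENTS):
            reasons[src].add("suspect user-agent")
        users[src].add(sip_user(hdr.get("to")))
        if len(users[src]) > max_users:  # many extensions from one source
            reasons[src].add("extension enumeration")
    return {src: sorted(r) for src, r in reasons.items()}

def register(user, agent):  # builds a constructed sample request
    return (f"REGISTER sip:pbx.example SIP/2.0\r\nTo: <sip:{user}@pbx.example>\r\n"
            f"User-Agent: {agent}\r\nContent-Length: 0\r\n\r\n")

# Constructed sample events; IPs are from the documentation ranges.
SAMPLE = [("198.51.100.7", register("1234", "Linphone/ (eXosip2/3.3.0)")),
          ("192.0.2.50", register("200", "ExamplePhone/1.0")),
          ("192.0.2.10", register("300", "Linphone/ (eXosip2/3.3.0)"))]
SAMPLE += [("203.0.113.9", register(str(n), "friendly-scanner")) for n in range(100, 105)]

if __name__ == "__main__":
    for ip, why in blacklist_candidates(SAMPLE, trusted={"192.0.2.10"}).items():
        print(ip, ", ".join(why))
```

A User-Agent match alone is weak evidence, since legitimate users also run Linphone; treat it as a reason to review the source, and the enumeration signal as the stronger one.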