Sjur Usken

Views on new technologies and business opportunities from Sjur Usken


But the Romanians keep hacking..

32 people were apprehended in Romania, but the VoIP hacking from this country continues. Low wages, a highly educated population and too few jobs, combined with a low risk of being caught, often push people into hacking.

This is from an IP caught in a SIP honeypot belonging to the Honeynet Project.

REGISTER sip:IP.removed SIP/2.0
Via: SIP/2.0/UDP;rport;
From: <sip:1234@IP.removed>;tag=3202
To: <sip:1234@IP.removed>
Call-ID: 14862
Contact: <sip:1234@>
Max-Forwards: 70
User-Agent: Linphone/ (eXosip2/3.3.0)
Expires: 3600
Content-Length: 0

The normal procedure is to use SIPVicious for scanning, then use Linphone or another softphone to test whether you can dial out through the discovered IP PBX.

VoIP admins, do a pen-test on your own system and lock it down. This is, sadly, just the start….

VoIP hacking is a BIG industry! 32 people apprehended in Romania

This morning, the Directorate for Combating Organized Crime and Terrorism (DIICOT) in Romania conducted 42 raids, identifying 32 people specializing in VoIP hacking.

The figure so far is 11,5 million euros in fraudulent VoIP traffic from this group. The group made around 10% of this amount from their premium numbers.

The main technique seems to have been to establish premium numbers in Sierra Leone, Somalia, Austria, Latvia, North Korea, Zimbabwe, Madagascar, Belarus, etc. and cash in on calls to these destinations.

This correlates with attacks we have seen: calls trying to go to Somalia and Sierra Leone on our VoIP honeypots (but of course they were not successful).

This only confirms that there is major money in VoIP hacking, and that it is not single individuals doing it but organized crime. I’m afraid this is just the beginning.

Original link

Link translated to English

Sandro Gauci has written more about it here

Another day, another fraud

Another day, another fraud… and there will be more… Imagine your company getting hit with a 100 000 USD bill from your telco. Who is to blame?
Here is one company that did…

If you get a SIP trunk from a VoIP provider, make sure they have fraud management and credit limits!
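
As an added illustration (not code from this blog or from any provider), here is a minimal pre-call authorization check of the kind a fraud-management layer performs: it refuses calls to watched country codes unless the customer has opted in, and enforces a per-account credit limit. The country codes belong to the destinations named in the Romanian case above; the `FraudGuard` name, the `00` international prefix and the sample costs are assumptions.

```python
from collections import defaultdict

# Country codes of destinations named in the Romanian case on this page.
WATCHED = {"232": "Sierra Leone", "252": "Somalia", "43": "Austria",
           "371": "Latvia", "850": "North Korea", "263": "Zimbabwe",
           "261": "Madagascar", "375": "Belarus"}

def normalize(dialed):
    """Return bare international digits for '+252...' or '00252...', else None."""
    s = "".join(c for c in dialed if c.isdigit() or c == "+")
    if s.startswith("+"):
        return s[1:]
    if s.startswith("00"):          # assumption: 00 is the international prefix
        return s[2:]
    return None                     # treated as a national number here

def destination(dialed):
    """Name of the watched country a number belongs to, or None."""
    num = normalize(dialed)
    if num is None:
        return None
    for width in (3, 2):            # longest country code first
        if num[:width] in WATCHED:
            return WATCHED[num[:width]]
    return None

class FraudGuard:                   # hypothetical name, for illustration
    def __init__(self, credit_limit, allowed=()):
        self.credit_limit = credit_limit
        self.allowed = set(allowed) # watched countries this customer really calls
        self.spent = defaultdict(float)

    def authorize(self, account, dialed, est_cost):
        """Decide before the call is connected; returns (allowed, reason)."""
        dest = destination(dialed)
        if dest and dest not in self.allowed:
            return False, f"watched destination: {dest}"
        if self.spent[account] + est_cost > self.credit_limit:
            return False, "credit limit reached"
        self.spent[account] += est_cost
        return True, "ok"

def demo():
    """Constructed call attempts against a 50.0 credit limit."""
    guard = FraudGuard(credit_limit=50.0, allowed={"Austria"})
    calls = [("pbx1", "+43 1 5550100", 5.0), ("pbx1", "00252 61 5550100", 9.0),
             ("pbx1", "+1 212 5550100", 40.0), ("pbx1", "+1 212 5550100", 10.0)]
    return [guard.authorize(*c) for c in calls]
```

The decision is made before the call is set up, so a compromised PBX is cut off when the limit is reached rather than when the invoice arrives.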

MeshPotato gets press coverage!

The MeshPotato, the future of the Internet?

Imagine a technology where you need only two devices to call each other and get an IP connection. As more members join, the only thing each of them needs is this device, and the network grows stronger and stronger, with each member helping it to grow in reach and robustness. Communication would be free: each member pays for their own device, and that device becomes part of the network.

When the network has grown very large, there would be free management tools to plot all devices on a map, giving a very good overview of the whole network and easing further expansion.

And this is reality! The Village Telco project has spent three years making it real, creating the MeshPotato. The MeshPotato is a very low power WLAN mesh and VoIP device that builds its network as it is rolled out. It uses 2,4GHz WLAN to create a mesh network and runs IP and VoIP traffic over this network.
The Village Telco project uses open source tools like Afrimesh and A2Billing to create a full management and billing system, all free to download and deploy.
And all you need to start is two MeshPotatoes. What is stopping you?
The future is bright!

VoIP Abuse project – block the scanners

People have grown tired of the VoIP scanning. Sometimes the scanners manage to abuse the PBX; otherwise they just fill up the logs with all their attempts. So Mr. Oquendo started a list of IP addresses and networks that should be blocked.

The VoIP Abuse Project is aimed at minimizing abuse for networks that have publicly accessible PBX’s. As a security engineer at a managed service provider, one of our services is VoIP. Throughout the course of the day, I got tired of seeing VoIP based brute force attempts that I decided to out companies who sit around and choose to do nothing about the attacks coming from their networks. As a courtesy I often take the time out of my work day to write constant emails to abuse and security desks which go nowhere.

The link:

Personally I think companies should have a white list, just enabling the IPs that you really need to allow traffic from, but that is not easy if you are a VoIP provider with clients all over the world.

The next step for this list would be to automate the whole process.

A new phrase: open SIP relay

Most of the abuse nowadays involves open SIP servers, just like the old open mail servers that spammers relayed spam through. So we will use the phrase open SIP relay for the scanning going on nowadays. Nothing new, just another protocol (but with much more money in it than spam when you find one…)

An open SIP relay, by my definition, is a SIP server that will relay SIP messages from anyone to anyone (even channelling them through to the PSTN).

Another VoIP hacking in Norway

The last month of scanning seems to have paid off for the hackers. A Norwegian municipality has been hacked, and its PBX has been calling Somalia and a lot of other destinations that we have picked up on our VoIP honeypots during the last month.

If you have an insecure IP PBX on the net, it will now take only hours before it is detected. The most common cause is misconfiguration: the people setting up the IP PBX have not taken security seriously, and the IP PBX is wide open for calling.

The simplest way in is when inbound calls are routed out again if no local destination is found. A little harder is to just brute-force the passwords on extensions. I can only say, there will be more like this!

Norwegian version

English version

The hacker can sell this “gateway” to a third party dealing with calling cards. I have investigated frauds in Norway where they managed to send 1,2 million NOK (approx 200 000 USD) within 10 days. This was a Cisco installation, but misconfigured Asterisk installations are also abused a lot.

Using botnets to do SIP scanning

Over the last week there has been a tremendous amount of SIP scanning from IPs all over the world. The scans come from a lot of IPs but share the same signature, so there is probably only one person or firm behind them.

The scan looks like this:

OPTIONS sip:100@X.X.X.X SIP/2.0
Via: SIP/2.0/UDP;branch=

Content-Length: 0
From: “sipsscuser”<sip:100@>; tag=01669016334862887007103185718785156498385702949

Accept: application/sdp
User-Agent: sundayddr
To: “sipssc”<sip:100@>
Contact: sip:100@
Call-ID: 022827170099429274868738305
Max-Forwards: 70

The layout of the OPTIONS messages is the same as in SIPVicious scans, so the author has taken that Python code and just changed the User-Agent.

And this is just the beginning….
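
An added example (not part of the original post or of any Honeynet Project tooling) of how honeypot events can be grouped by message layout instead of by source IP or User-Agent, which is what ties many scanning addresses to one tool even after the User-Agent has been changed. The function names, the `renamed-agent` string and all sample messages are constructed; addresses are from documentation ranges.

```python
from collections import defaultdict

def parse_sip(raw):
    """Return (method, [(header_name, value), ...]) in wire order."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method = lines[0].split()[0]
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, headers

def layout(raw):
    """Fingerprint: method plus header order, ignoring editable values."""
    method, headers = parse_sip(raw)
    return (method,) + tuple(name for name, _ in headers)

def cluster(events):
    """Group (source_ip, raw_message) events by layout."""
    groups = defaultdict(lambda: {"ips": set(), "agents": set()})
    for ip, raw in events:
        group = groups[layout(raw)]
        group["ips"].add(ip)
        group["agents"].add(dict(parse_sip(raw)[1]).get("user-agent", ""))
    return dict(groups)

def campaigns(events, min_ips=3):
    """Layouts seen from at least min_ips distinct source addresses."""
    return {k: v for k, v in cluster(events).items() if len(v["ips"]) >= min_ips}

def options(ip, agent):
    """Constructed OPTIONS probe using the header order of the capture above."""
    return ("OPTIONS sip:100@192.0.2.10 SIP/2.0\n"
            f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK-1\n"
            "Content-Length: 0\n"
            f'From: "sipsscuser"<sip:100@{ip}>;tag=01\n'
            "Accept: application/sdp\n"
            f"User-Agent: {agent}\n"
            f'To: "sipssc"<sip:100@{ip}>\n'
            f"Contact: sip:100@{ip}\nCall-ID: 0228\nMax-Forwards: 70\n")

# Constructed data (documentation addresses): a softphone REGISTER and honeypot events.
REGISTER = ("REGISTER sip:192.0.2.10 SIP/2.0\nVia: SIP/2.0/UDP 203.0.113.9;rport\n"
            "From: <sip:1234@192.0.2.10>;tag=3202\nTo: <sip:1234@192.0.2.10>\n"
            "Call-ID: 14862\nUser-Agent: Linphone\nContent-Length: 0\n")
EVENTS = [("198.51.100.1", options("198.51.100.1", "sundayddr")),
          ("198.51.100.2", options("198.51.100.2", "sundayddr")),
          ("198.51.100.3", options("198.51.100.3", "renamed-agent")),
          ("203.0.113.9", REGISTER)]
```

Calling `campaigns(EVENTS)` returns a single OPTIONS layout seen from three sources with two different User-Agent strings, while the lone softphone REGISTER stays below the threshold.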

Test your VoIP skills!

The Honeynet Project has released a real VoIP attack challenge! It is real data and YOU must find out how the hacker does the attack! Are you up for it? You will learn more about VoIP and get an understanding of the current VoIP attack methods! Go for it here! Deadline in 3 weeks!

The Chinese-speaking members of the Honeynet Project have even translated it into Simplified Chinese! Have fun and learn a lot!