For the first time, our Allworx 6x system was hacked and made to initiate fraudulent international calls. Our SIP trunk provider, bandwidth.com, caught the problem and shut down the calls, which were initiated early on a Saturday. I happened to be in the office working on Saturday, and on Sunday I worked on the issue when I saw that the service had been clamped.
The very short version of the story is that the hacker spoofed one of our generic sip phones and remotely initiated a large number of international calls.
We are on the most current Allworx firmware (7.5.11.7) as I write this article and we have used this Allworx 6x system for many years at this point.
We use a Polycom 6000 and a Polycom 5000, respectively, in two conference rooms. We don’t believe the hackers gained access to the phones directly or to the Allworx 6x directly. It appears that they were able to remotely initiate calls to the Allworx using the Polycom 6000’s login username and password. We created more robust usernames and passwords for all of our generic SIP phones. The login usernames changed from the SIP registration data, such as 5111, to a longer, descriptive name. The passwords went from a few digits to many digits. This doesn’t have any effect on the use of the phone, so there is no reason to choose a simple password here. The passwords were changed on the Polycom speakerphones and similar devices, and the Allworx 6x password was changed.
After emailing with our rep regarding the issue, a very simple question came up: can’t we just block external calls for these generic SIP phones? If we were able to associate the SIP registration with an IP address or MAC address, or even just require that the call be initiated from within the local network, the problem would be solved immediately. In fact, this is so simple that one has to ask why it isn’t security step 2, right after the username and password. Such an omission seems negligent unless I am missing something.
From what I currently understand, it appears that the Allworx box is set up to accept remote calls for a generic SIP phone given the proper credentials, with no concern for the validity of the source. This means that any hacker can sit and hammer away at your Allworx box using brute-force methods to gain access to calling abilities on your call system. Based on our logs, some INVITEs were rejected, but clearly the hackers were able to work around the infrequent rejections.
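The two checks described above, source validation for generic SIP accounts and spotting brute-force registration attempts, can be run over a call log after the fact even when the PBX itself will not enforce them. The following is an added example written for this post, not Allworx code; it uses a constructed, simplified log line format (the real Allworx log format is not shown here), an assumed LAN range of 192.168.10.0/24, assumed generic account IDs, and assumes the North American 011 international dialing prefix.

```python
"""Detection example (added, not Allworx's code): flag SIP traffic from generic
SIP accounts that originates outside the LAN, count failed REGISTER attempts
per source to spot brute force, and list off-LAN international INVITEs."""
import ipaddress
import re
from collections import Counter

# ASSUMPTION: the local network range(s) conference phones may register from.
LAN_RANGES = [ipaddress.ip_network("192.168.10.0/24")]

# ASSUMPTION: accounts used by generic SIP devices (5111 is the post's example id).
GENERIC_SIP_ACCOUNTS = {"5111", "5112"}

# Constructed sample log (simplified format, not the real Allworx log):
# "<time> <method> user=<id> src=<ip> status=<code> [to=<dialed number>]"
SAMPLE_LOG = """\
2024-03-02T06:01:11 REGISTER user=5111 src=192.168.10.45 status=200
2024-03-02T06:02:30 INVITE user=5111 src=192.168.10.45 status=200 to=5550123
2024-03-02T06:10:02 REGISTER user=5111 src=203.0.113.9 status=401
2024-03-02T06:10:03 REGISTER user=5111 src=203.0.113.9 status=401
2024-03-02T06:10:04 REGISTER user=5111 src=203.0.113.9 status=401
2024-03-02T06:10:05 REGISTER user=5111 src=203.0.113.9 status=401
2024-03-02T06:10:06 REGISTER user=5111 src=203.0.113.9 status=200
2024-03-02T06:10:40 INVITE user=5111 src=203.0.113.9 status=200 to=011442079460000
2024-03-02T06:10:41 INVITE user=5111 src=203.0.113.9 status=200 to=011442079460001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>REGISTER|INVITE) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) status=(?P<status>\d{3})(?: to=(?P<to>\S+))?$"
)


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["src"] = ipaddress.ip_address(e["src"])
            events.append(e)
    return events


def is_local(ip):
    return any(ip in net for net in LAN_RANGES)


def offlan_events(events):
    """The check the post asks for: generic accounts seen from outside the LAN,
    regardless of whether the credentials were accepted."""
    return [e for e in events
            if e["user"] in GENERIC_SIP_ACCOUNTS and not is_local(e["src"])]


def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` rejected (401/403) REGISTERs."""
    fails = Counter()
    for e in events:
        if e["method"] == "REGISTER" and e["status"] in (401, 403):
            fails[str(e["src"])] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def international_calls_offlan(events, intl_prefix="011"):
    """Accepted INVITEs from off-LAN generic accounts to an international number."""
    return [(e["user"], str(e["src"]), e["to"]) for e in offlan_events(events)
            if e["method"] == "INVITE" and e["status"] == 200
            and e["to"] and e["to"].startswith(intl_prefix)]


def report(log_text):
    events = parse(log_text)
    return {
        "offlan_count": len(offlan_events(events)),
        "brute_force": brute_force_sources(events),
        "intl_offlan": international_calls_offlan(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the sample log this reports seven off-LAN events for account 5111, one source (203.0.113.9) with four rejected registrations before a success, and two accepted international INVITEs from that source. The point of the source check is that it fires on the first off-LAN REGISTER, before any credential guess succeeds; the brute-force counter is the fallback when the source is not known in advance.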
For reference, here is the current list of Security Recommendations from Allworx:
Suggested Security Best Practices
Overview
One of the primary advantages of the Allworx family of products is its flexibility in configuration and settings in a way that is easy to understand. Security is an important consideration, and we are constantly striving to improve our systems to protect our partners and their customers. It is also equally imperative that you never knowingly put your customer in a situation where it is easy for fraudulent attacks to compromise their Allworx systems.
We are investigating reported instances and have seen fraudulent SIP registration attacks that search public IP addresses and gain access to either an Allworx server or, most recently, to remote Allworx handsets not installed behind a firewall. We have also received reports of recent toll fraud incidents in which fraudulent attacks take over the SIP registration of an Allworx handset attached to a public network. This document summarizes the security best practices to prevent security compromises.
What You Should Do
When installing an Allworx system, it is imperative to use the proper security settings so that hostile, unauthorized attempts to access the system do not result in situations where either remote access or the spoofing of handsets can occur. Most often, the result is unauthorized calling and toll fraud. Compromises usually start with port scans to determine if a host is a candidate for unauthorized access. Disabling the use of ports often discourages a fraudulent attack, and the attacker will move on to another IP.
Please implement the following practices when installing any Allworx system:
Server
- Update every server to the most recent patch level of either the 7.3 or 7.4 software release. For example, releases 7.3.14.8 and higher, or 7.4.10.2 and higher. These patches change each Allworx phone’s SIP registration password during the phone reboot.
- Install the server behind a firewall or connect it to the public internet using the WAN port. DO NOT connect the Allworx LAN port directly onto the public internet.
- Disable Allworx WAN services (ports) not in use.
- Change voicemail ports (SMTP and IMAP) to non-standard port numbers.
- Change all server admin, phone admin, and user passwords from the default values.
- Use strong passwords for server and phone administration pages. DO NOT use simple passwords such as “1234” or “Allworx”.
- Verify that there is no exposure of the Admin Page (Port 8080) to the Public network. DO NOT port forward directly to the LAN port of an Allworx server from the customer’s router. For remote maintenance, use the Allworx VPN. Navigate to Home > Network > VPN > modify to configure the VPN settings.
When configuring the WAN interface to connect to the public internet:
- Enable the server in NAT Firewall mode, preferably with Stealth DMZ. In stealth mode, the WAN interface does not respond to “pings” from other devices.
Remote phones
Password protection is very important to avoid fraudulent attacks on remote phones. Implement the following practices when installing an Allworx remote phone:
- Use a strong password for the phone administration password. DO NOT use simple passwords such as “1234” or “Allworx” (Home > Servers > VoIP > modify > Phone Administration Password).
- Use a strong password for the Plug ‘n’ Play Secret Key. DO NOT use simple passwords such as “1234” or “Allworx” (Home > Servers > VoIP > modify > Plug ‘n’ Play Secret Key).
- Use proper firewall protection to connect remote Allworx phones to the public Internet. Allworx handsets provide web access to important information, including their login credentials and SIP Registration password. Phones with weak Phone Administration Passwords can easily have their SIP Registration passwords stolen.
- Disable Phone Creates via LAN and WAN Plug and Play except during phone installation.
Px Expander
- Change the Px admin password from the default value.
- Use a strong password for the Px admin password. DO NOT use a simple password such as “1234” or “Allworx”.
- Use proper firewall protection to connect remote Allworx Px Expanders to the public Internet. The Px Expander provides web access to important information, including its login credentials and SIP Registration password.
- Disable Phone Creates via LAN and WAN Plug and Play except during phone installation.
Other Considerations
Evidence from recent security incidents does not show attackers penetrating firewalls to access customer LANs or the servers/phones on customer LANs. Nonetheless, because aggressive malware/botnet/spyware attacks are known to compromise many desktop PCs, encourage customers to deploy LAN security solutions including:
- Maintaining up-to-date anti-virus/anti-malware protection on LAN systems.
- Deploying phones on VLANs to reduce opportunities to sniff SIP phone network traffic. This also improves network Quality of Service for phone traffic.
- Reporting any observed activity to Allworx Technical support immediately so we can investigate and stay in front of these malicious attempts.