
FBI's Asterisk PBX Security Advisory

Monday, December 08, 2008

On Friday, December 5th, 2008, the Internet Crime Complaint Center, part of the Federal Bureau of Investigation in the United States, issued a warning about an Asterisk Open Source PBX vulnerability being exploited by criminals for vishing.

The Intelligence Note says the FBI has information concerning a new technique to conduct auto-dialer or "vishing" attacks through an Asterisk installation. Without describing the vulnerability or which versions of Asterisk are at risk, the note warns that cyber criminals (not to be confused with bank robbers and other ordinary criminals) can exploit it to use an Asterisk system with an autodialer to make thousands of vishing phone calls within an hour.

A vishing attack is best described as one in which scammers use a specially built VoIP system that originates calls and routes them through an account on a legitimate Asterisk system in order to dial the scammers' victims directly.

Digium, the company that maintains the Asterisk code, thinks the FBI might be referring to a vulnerability in Asterisk 1.4.18 and other branches reported by MuSecurity on March 18. If properly exploited, the vulnerability would allow an attacker to take over the account of one individual and make thousands of calls in an hour. A Digium spokesperson notes that the flaw affects older versions of Asterisk but not the latest version, 1.6.

I have recently dissected exactly the attack that the FBI describes in their bulletin, and I do believe that this has less to do with a security flaw in Asterisk and more to do with a lack of VoIP/Asterisk administrative knowledge. I state this because, unlike Digium's guess, I have seen this attack pulled off on an Asterisk system greater than 1.4.18. The attack was successful only because of a very weak password on a SIP account.
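As an added defender-side example (not code from this post or from Digium), here is a small Python audit of the two things the post points at: a sip.conf peer whose secret is weak, and repeated failed REGISTER attempts against the box that would precede an account takeover. The sip.conf excerpt and log lines are constructed; the assumed log format is the chan_sip "Registration from ... failed for ... - Wrong password" NOTICE written by Asterisk 1.4/1.6.

```python
import re
# Constructed sip.conf excerpt: peer 1001 uses its extension number as the secret, 1002 is hardened.
SIP_CONF = """
[1001]
type=friend
secret=1001
host=dynamic
[1002]
secret=Xq7!vR2pL9mZ4sT
call-limit=2
"""

# Constructed chan_sip NOTICE lines in the Asterisk 1.4/1.6 format for a failed REGISTER.
FAIL = ("[Dec  8 10:00:0{n}] NOTICE[2345] chan_sip.c: Registration from "
        "'\"{peer}\" <sip:{peer}@192.0.2.10>' failed for '{ip}' - Wrong password")
LOG_LINES = [FAIL.format(n=i, peer="1001", ip="198.51.100.5") for i in range(3)] + [FAIL.format(n=3, peer="1002", ip="203.0.113.9")]

FAIL_RE = re.compile(r"Registration from '(?P<peer>[^']*)' failed for '(?P<ip>[^']+)' - (?P<reason>Wrong password|No matching peer found)")

def parse_peers(text):
    # Minimal sip.conf section parser -> {section: {key: value}}; ';' comment lines skipped.
    peers, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            peers[cur] = {}
        elif "=" in line and cur is not None and not line.startswith(";"):
            key, val = (s.strip() for s in line.split("=", 1))
            peers[cur][key] = val
    return peers

def audit_sip_conf(text):
    # Flag short, all-digit or name-equal secrets (the weak-password case) and peers without a call-limit.
    findings = {}
    for name, opts in parse_peers(text).items():
        secret = opts.get("secret", "")
        issues = []
        if len(secret) < 12 or secret.isdigit() or secret == name:
            issues.append("weak or missing secret")
        if "call-limit" not in opts:
            issues.append("no call-limit")
        if issues:
            findings[name] = issues
    return findings

def failed_registrations(lines, threshold=3):
    # Count failed REGISTER attempts per source IP; return those at or over the threshold.
    counts = {}
    for m in filter(None, map(FAIL_RE.search, lines)):
        counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The call-limit check assumes the sip.conf `call-limit` option of these Asterisk versions; setting it bounds how many calls one hijacked account can place at a time.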