
Sip account hack with Avaya IP Office


aproost

Technical User
Jan 13, 2005
12
NL
We currently have a client (with Avaya IP Office v8) who has had some unexpected calls made to international numbers:

Examples:
+9609005970
+9609005346
+9609003000
+9609001300
+46317539367
+37178820061
+38761002227

From the VoIP provider's registration log we have seen that the SIP account has been used from different IP addresses:

82.205.4.173:12840 04-12-2013 02:59:02
82.205.1.113:28895 27-11-2013 23:38:03
202.85.219.197:5062 27-11-2013 23:00:05

Is it possible to retrieve the SIP account information from the Avaya IP Office?
Some extra information:

- All accounts have had a complex password.
- The IP Office is directly connected to the internet through LAN2, with the IP Office firewall enabled.

 
Yes, it is possible to capture the network packets, passwords, etc. from the IP Office or any other device if the IP Office, hardware firewall or session border equipment is not set up properly. Is your ISP allowing anonymous SIP connections with no authentication?

Have you done any penetration testing on the Network?

Does someone have remote access to the LAN Network that shouldn't?

You may wish to re-visit the set-up of the Avaya and also the LAN/WAN Network as well as any servers/computers or other devices which may have access to the network, especially if a desktop is infected with a virus.
 
>The IP Office is directly connect to the internet through LAN2

Bad practice... and shouldn't be required.

>With the Firewall enabled from IP Office

Better than nothing, but only just.

I'd suggest that a well implemented business grade firewall is a must. Exposing the phone system to the web without appropriate protection is highly risky.

Check your IP routing too: you should use limited routes (a /32 mask if possible) to the SIP provider's service and "blackhole" anything else.



Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
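As an added example (not from this thread, Avaya or the provider), the two pieces of advice above turned into a defender's check over the data in the original post: registrations are compared against a /32 allowlist of addresses the PBX is expected to register from, and dialled numbers against the country codes the site legitimately calls. The allowlist address 203.0.113.10, the allowed country codes and the fourth log line are constructed assumptions; the three flagged log lines and the log format are those quoted in the opening post.

```python
import ipaddress
import re
from datetime import datetime

# Constructed placeholder: the only address the PBX should register from
# (the site's own static WAN address), expressed as a /32 like Matt's routes.
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed: country codes this (Dutch) site legitimately dials.
ALLOWED_COUNTRY_CODES = {"31", "32", "49"}

# Matches the provider log format quoted above: "ip:port dd-mm-yyyy hh:mm:ss".
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_line(line):
    """Return ip/port/ts for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "port": int(m["port"]),
        "ts": datetime.strptime(m["ts"], "%d-%m-%Y %H:%M:%S"),
    }

def unexpected_registrations(lines, allowed=EXPECTED_SOURCES):
    """Registrations whose source address lies outside every allowed network."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and not any(rec["ip"] in net for net in allowed):
            hits.append(rec)
    return hits

def unexpected_destinations(numbers, allowed=ALLOWED_COUNTRY_CODES):
    """Dialled numbers whose country code (1-3 digits, longest match first) is not allowed."""
    return [n for n in numbers
            if not any(n.lstrip("+")[:k] in allowed for k in (3, 2, 1))]

# Constructed sample: the three lines quoted in the thread plus one legitimate one.
SAMPLE_LOG = """\
82.205.4.173:12840 04-12-2013 02:59:02
82.205.1.113:28895 27-11-2013 23:38:03
202.85.219.197:5062 27-11-2013 23:00:05
203.0.113.10:5060 27-11-2013 08:15:44
"""
```

Running `unexpected_registrations(SAMPLE_LOG.splitlines())` returns the three foreign registrations and drops the legitimate one; `unexpected_destinations` applied to the numbers in the opening post flags all of them, since none start with an allowed country code.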
 
Change your passwords on the IP Office and with the SIP provider too.

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
Basic practice really.

you wouldn't put your PC directly on the internet, so why is an IP based phone system any different?



ACSS - SME
General Geek

 
I know it isn't best practice to connect the PBX directly to the internet.

But is it possible to retrieve the SIP account information without directly accessing the IP Office?
 
It is, but if it is secured behind a firewall, it makes an intruder's life much more difficult.

In order to secure your SIP traffic you need to be using SSIP or an SBC.

ACSS - SME
General Geek

 
If you can capture the packets you can read them.
That is true for anything really, especially unencrypted SIP traffic.

Look also at your SIP passwords on your provider side; if they are easy to guess (1234 :) or something like the last 4 digits of your account name etc.) then change them and make them secure.

and of course what all the other guys said about firewall....

Joe W.

TeleTechs.ca
FHandw, ACSS (SME), ACIS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
Is SSIP a feature available on IP Office (if I have an SSIP provider, does IPO support an SSIP connection?)
 
If you log on with Monitor you can see all the SIP extensions in the PBX, then just start brute-forcing.

We had a PBX without a firewall and with auto-create SIP extensions enabled (bad knowledge at the time), where hackers managed to create 4000 SIP extensions until the IPO collapsed.
 