As the VoIP industry grows and ITSPs around the world rapidly expand their customer networks, fraudulent activity in VoIP is increasing as well. Attackers attempt to gain access to the ITSP network by using the credentials of legitimate customers, and then inject traffic to expensive destinations such as premium-rate telephone numbers and mobile networks in developing countries.
PortaSwitch provides carrier-grade security and it is impossible for an unauthorized party to obtain customer credentials except by guessing a password. That would require trying all possible text combinations (so-called “brute-force password cracking”), and since PortaSwitch auto-generated passwords are “strong” (contain at least 8 digits and do not contain any easy-to-guess text strings such as qwerty), the process of cracking the password would require an extremely high number of attempts.
There have been a few recent security incidents, though, where attackers obtained the required credentials through a security weakness in end-user equipment such as IP phones. Many IP phones contain a built-in configuration web server used to remotely manage phone settings. The Grandstream HT502 phone provides such a configuration web interface, with access to this interface protected by an administrator password.
The default administrator password for this user interface is well-known, so if a phone with a default configuration is connected to the Internet using a public IP address, anyone (including an attacker) can log in there and see the configuration settings. As shocking as it may seem, the clear-text password is openly displayed on this interface along with the other required credentials (SIP proxy address and username). Therefore an attacker can immediately see the password and use it on any VoIP equipment they own.
Currently only Grandstream HT502 and GXW-4008 phones are confirmed to have this vulnerability, but hackers may use this approach to retrieve the credentials from any other end-user system (such as an Asterisk server or Trixbox) where the default administrator login is either well known or not secure enough.
Customers are urged to:
- Immediately review the activity of end-users using the affected models of phones
- Check whether this problem may exist in other third-party IP phones used on your network
- Use IP phone auto-provisioning tools in PortaBilling to allow easy management of IP phone configuration and eliminate the need for enabling the IP phone’s internal web-server
- Ensure that the administrator’s default password for the phone’s built-in web interface is frequently changed (either using PortaSwitch phone auto-provisioning or manually)
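The first recommendation, reviewing end-user activity, can be automated against call detail records. The script below is an added example and not PortaOne's code: it reads a constructed CDR sample and flags an account whose credentials appear to be abused, either because calls arrive from a source IP the account has never registered from, or because it bursts several calls to high-cost destination prefixes in a short window. The prefix list and the per-account known-IP map are hypothetical; a real deployment would load them from its own rate table and registration history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (not real traffic): account,start_time,destination,duration_s,source_ip
SAMPLE_CDRS = """\
1001,2013-05-01T09:12:00,14155550123,120,198.51.100.10
1001,2013-05-01T10:03:00,14155550199,45,198.51.100.10
1002,2013-05-01T02:10:00,252612345678,600,203.0.113.7
1002,2013-05-01T02:11:00,252612345679,610,203.0.113.7
1002,2013-05-01T02:12:00,252612345680,590,203.0.113.7
1002,2013-05-01T02:13:00,252612345681,620,203.0.113.7
1003,2013-05-01T14:00:00,14155550100,30,198.51.100.22
"""

# Hypothetical high-cost destination prefixes (E.164 digits); load your own rate table in practice
HIGH_COST_PREFIXES = ("252", "881", "882")
# Hypothetical per-account IPs observed during normal registrations
KNOWN_IPS = {"1001": {"198.51.100.10"}, "1002": {"198.51.100.50"}, "1003": {"198.51.100.22"}}

def parse_cdrs(text):
    """Parse the CSV text into dicts; start_time becomes a datetime."""
    rows = []
    for line in text.strip().splitlines():
        acct, start, dest, secs, ip = line.split(",")
        rows.append({"account": acct, "start": datetime.fromisoformat(start),
                     "dest": dest, "secs": int(secs), "ip": ip})
    return rows

def find_suspicious_accounts(cdrs, known_ips, window=timedelta(minutes=10), max_calls=3):
    """Return {account: [reasons]} for accounts that place more than max_calls calls to
    high-cost prefixes inside `window`, or that call from an IP outside their known set."""
    reasons, by_account = defaultdict(list), defaultdict(list)
    for cdr in sorted(cdrs, key=lambda c: c["start"]):
        by_account[cdr["account"]].append(cdr)
    for acct, calls in by_account.items():
        unknown = {c["ip"] for c in calls} - known_ips.get(acct, set())
        if unknown:  # credentials may be in use on equipment the customer does not own
            reasons[acct].append("calls from unknown IP(s): " + ", ".join(sorted(unknown)))
        costly = [c["start"] for c in calls if c["dest"].startswith(HIGH_COST_PREFIXES)]
        for i, t0 in enumerate(costly):  # sliding window over high-cost call start times
            n = sum(1 for t in costly[i:] if t - t0 <= window)
            if n > max_calls:
                reasons[acct].append(f"{n} high-cost calls within {window}")
                break
    return dict(reasons)

if __name__ == "__main__":
    for acct, why in find_suspicious_accounts(parse_cdrs(SAMPLE_CDRS), KNOWN_IPS).items():
        print(acct, "->", "; ".join(why))
```

Accounts flagged this way are candidates for an immediate password reset via auto-provisioning and a check of the phone's web interface exposure.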
In order to proactively fight VoIP fraud attempts, PortaOne is deploying additional tools to analyze suspicious activity on your network. These tools are available for all supported PortaOne customers running PortaSwitch MR21 or any later version as a part of PortaCare service at no extra cost.
Please contact the PortaOne support team for more details.