Security vulnerability of Cisco SPA VoIP adapters/phones

Discussion in '3CX Phone System - General' started by eagle2, May 18, 2014.

Thread Status:
Not open for further replies.
  1. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    It is possible to generate fraud traffic via Cisco/Linksys SPA VoIP adapters/phones, either by modifying settings like forward all calls or the dial plan. For some reason Cisco/Linksys SPA devices are vulnerable to hacks; I suppose bot-type brute-force password attacks or a lack of admin or user password (but not my SPAs). Thus all incoming calls are forwarded to expensive destinations. Suspicion of bots in the local network comes also from call attempt logs like *9100, *9101, ..., i.e. intercom calls to all extensions until the hacked SPA is found. Typically some Israeli numbers are called (00972...), but other destinations may appear as well.

    Any suggestions / experience?
     

    Attached Files: log.png, log1.png
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,113
    Likes Received:
    329
    I suppose that anything is possible. Have you actually confirmed that a particular SPA device was modified, or is this just a suspicion at this point?
    Do you use an Admin or User password on your devices? I would recommend setting both on the ATAs and at least the Admin password on the SPA VoIP phones.
    If these use an internal IP (not a remote extension with a public IP), how do you suspect that someone was able to log into it? Is there a way into your network?
     
  3. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    One of the SPAs had modified settings; there was no user password, but the SPA was on the internal network (no public internet access to it). The other two - nothing visible in the user settings, the dial plan or the vertical feature codes.

    I guess the attack is something like the drive-by pharming described in these articles:

    https://www.schneier.com/blog/archives/2007/02/driveby_pharmin.html
    http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf
    http://www.computerworld.com/s/article/9011588/Cisco_says_77_of_its_routers_open_to_drive_by_pharming_?intsrc=hm_list

    I would advise all users to make their SPA admin and user passwords strong enough.

    The interesting point is the consecutive intercom dial attempts:

    *9100
    *9101
    ...
    *9109 - which resulted in call redirection to a number in Israel and, on another SPA, to the Maldives.
    This looks like a vulnerability in 3CX Phone System itself.

    Intentionally or not, the '*9' code was removed from the dial codes in 3CX; I can only guess whether this might be related.
     
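The pattern eagle2 describes (a sweep of intercom dials *9100, *9101, ... and then an international call placed from the extension that was found) is something a 3CX administrator can watch for in the call records. The script below is an added example written for this thread, not code from 3CX or from any poster: it assumes a constructed, simplified CDR line format (`timestamp caller=... dialed=... status=...`), that `*9` followed by an extension number is the intercom code as the thread states, that the trunk dials international numbers with a `00` prefix, and that `0039` is the home-country prefix to exclude. The thresholds (five distinct intercom targets inside two minutes, international call within ten minutes of the sweep) are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR lines (not the thread's attached logs): a sweep of intercom
# dials from extension 101, then an international call placed by the swept extension 109,
# plus ordinary traffic from 102 and 105 that must not be flagged.
SAMPLE_CDR = """\
2014-05-17 02:13:04 caller=101 dialed=*9100 status=failed
2014-05-17 02:13:06 caller=101 dialed=*9101 status=failed
2014-05-17 02:13:08 caller=101 dialed=*9102 status=failed
2014-05-17 02:13:10 caller=101 dialed=*9103 status=failed
2014-05-17 02:13:12 caller=101 dialed=*9104 status=failed
2014-05-17 02:13:14 caller=101 dialed=*9105 status=failed
2014-05-17 02:13:16 caller=101 dialed=*9106 status=failed
2014-05-17 02:13:18 caller=101 dialed=*9107 status=failed
2014-05-17 02:13:20 caller=101 dialed=*9108 status=failed
2014-05-17 02:13:22 caller=101 dialed=*9109 status=answered
2014-05-17 02:14:30 caller=109 dialed=00972555000000 status=answered
2014-05-17 09:30:00 caller=102 dialed=*9105 status=answered
2014-05-17 09:31:00 caller=102 dialed=5551234 status=answered
2014-05-17 10:00:00 caller=105 dialed=0039061234567 status=answered
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) caller=(?P<caller>\S+) "
    r"dialed=(?P<dialed>\S+) status=(?P<status>\S+)$"
)
INTERCOM_RE = re.compile(r"^\*9(?P<ext>\d{3,4})$")  # *9 + extension: 3CX intercom, per the thread
INTL_RE = re.compile(r"^00\d")                       # assumed: 00 prefix means international
HOME_PREFIX = "0039"                                 # assumed home country, not treated as international

SWEEP_WINDOW = timedelta(seconds=120)   # assumed: how tightly a scan groups its intercom dials
SWEEP_MIN_TARGETS = 5                   # assumed: distinct extensions needed to call it a sweep
FORWARD_WINDOW = timedelta(minutes=10)  # assumed: how soon after the sweep the fraud leg appears


def parse_cdr(text):
    """Parse the constructed CDR format into dicts sorted by time; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "caller": m["caller"], "dialed": m["dialed"], "status": m["status"],
        })
    return sorted(records, key=lambda r: r["ts"])


def find_intercom_sweeps(records):
    """One finding per caller that intercoms SWEEP_MIN_TARGETS or more distinct
    extensions within SWEEP_WINDOW (sliding window over that caller's intercom dials)."""
    by_caller = defaultdict(list)
    for r in records:
        m = INTERCOM_RE.match(r["dialed"])
        if m:
            by_caller[r["caller"]].append((r["ts"], m["ext"]))
    sweeps = []
    for caller, events in by_caller.items():
        events.sort()
        best, i = None, 0
        for j in range(len(events)):
            while events[j][0] - events[i][0] > SWEEP_WINDOW:
                i += 1
            targets = sorted({ext for _, ext in events[i:j + 1]})
            if len(targets) >= SWEEP_MIN_TARGETS and (best is None or len(targets) > len(best["targets"])):
                best = {"caller": caller, "targets": targets, "start": events[i][0], "end": events[j][0]}
        if best:
            sweeps.append(best)
    return sweeps


def find_suspect_forwards(records, sweeps):
    """Flag international calls placed from an extension that was an intercom target
    of a recent sweep: the signature of a device whose forward-all setting was changed."""
    findings = []
    for r in records:
        if not INTL_RE.match(r["dialed"]) or r["dialed"].startswith(HOME_PREFIX):
            continue
        for s in sweeps:
            if r["caller"] in s["targets"] and s["start"] <= r["ts"] <= s["end"] + FORWARD_WINDOW:
                findings.append({"extension": r["caller"], "number": r["dialed"],
                                 "ts": r["ts"], "swept_by": s["caller"]})
    return findings


def analyse(text):
    """Run both detections over a CDR text and return (sweeps, suspect_forwards)."""
    records = parse_cdr(text)
    sweeps = find_intercom_sweeps(records)
    return sweeps, find_suspect_forwards(records, sweeps)


if __name__ == "__main__":
    sweeps, forwards = analyse(SAMPLE_CDR)
    for s in sweeps:
        print(f"intercom sweep by {s['caller']}: {len(s['targets'])} extensions {s['start']}..{s['end']}")
    for f in forwards:
        print(f"suspect forward: ext {f['extension']} -> {f['number']} at {f['ts']} (swept by {f['swept_by']})")
```

The sweep finding points at the extension a bot is dialling from; the forward finding points at the device whose settings were changed and the destination it now forwards to, which is what you would check and block on the trunk first. Because the thread reports sweeps from inside the LAN, this is a complement to, not a replacement for, strong admin and user passwords on every SPA.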