
Security vulnerability of Cisco SPA VoIP adapters/phones

Status
Not open for further replies.

eagle2

It is possible to generate fraud traffic via Cisco/Linksys SPA VoIP adapters/phones by modifying settings like forward all calls or the dial plan. For some reason Cisco/Linksys SPA devices are vulnerable to hacks, I suppose bot-type brute-force password attacks or lack of an admin or user password (but not my SPAs). Thus all incoming calls are forwarded to expensive destinations. The suspicion of bots in the local network also comes from call attempt logs like *9100, *9101, ..., i.e. intercom calls to all extensions until a hacked SPA is found. Typically some Israeli numbers are called (00972...), but other destinations may also appear.

Any suggestions / experience?
 

I suppose that anything is possible. Have you actually confirmed that a particular SPA device was modified, or is this just a suspicion at this point?
Do you use an Admin or User password on your devices? I would recommend setting both on the ATAs and at least the Admin password on the SPA VoIP phones.
If these use an internal IP (not a remote extension with a public IP), how do you suspect that someone was able to log into it? Is there a way into your network?
 
One of the SPAs had modified settings; there was no user password, but the SPA was on the internal network (no public internet access to it). On the other two, nothing is visible in the user settings, the dial plan, or the vertical feature codes.

I guess the attack is something like the drive-by pharming described in these articles:

https://www.schneier.com/blog/archives/2007/02/driveby_pharmin.html
http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf
http://www.computerworld.com/s/article/9011588/Cisco_says_77_of_its_routers_open_to_drive_by_pharming_?intsrc=hm_list

I would advise all users to make their SPA admin and user passwords strong enough.



The interesting point is the consecutive intercom dial attempts:

*9100
*9101
...
*9109 - which resulted in call redirection to a number in Israel and, on another SPA, to the Maldives.
This looks like a vulnerability in 3CX PhoneSystem itself.

Intentionally or not, the '*9' code was removed from the dial codes in 3CX; I can only guess whether this might be related.
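
A detection sketch for the pattern discussed in this thread (a run of consecutive `*9<extension>` intercom attempts, then calls to international numbers from an extension the run reached), added here as an example and not part of any post or of 3CX's software. The CSV log layout, the function names, the thresholds and the sample lines are constructed assumptions.

```python
import csv, io, re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (timestamp,caller,dialed). NOT 3CX's real log format.
SAMPLE_LOG = """\
2013-05-01T02:10:00,105,*9100
2013-05-01T02:10:03,105,*9101
2013-05-01T02:10:06,105,*9102
2013-05-01T02:10:09,105,*9103
2013-05-01T02:10:12,105,*9104
2013-05-01T09:15:00,101,*9102
2013-05-01T09:40:00,120,0035900000000
2013-05-01T11:00:00,103,0097200000000
"""

INTERCOM = re.compile(r"^\*9(\d+)$")  # '*9' + extension, as quoted in the thread

def parse(log_text):
    for ts, caller, dialed in csv.reader(io.StringIO(log_text)):
        yield datetime.fromisoformat(ts), caller, dialed

def find_sweeps(log_text, min_run=4, max_gap=timedelta(seconds=30)):
    """Return (caller, first_ext, last_ext) for each run of consecutive *9<ext> dials."""
    per_caller = defaultdict(list)
    for ts, caller, dialed in parse(log_text):
        m = INTERCOM.match(dialed)
        if m:
            per_caller[caller].append((ts, int(m.group(1))))
    sweeps = []
    for caller, calls in per_caller.items():
        calls.sort()
        run = calls[:1]
        for cur in calls[1:] + [None]:  # trailing None flushes the final run
            if cur and cur[1] == run[-1][1] + 1 and cur[0] - run[-1][0] <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_run:
                sweeps.append((caller, run[0][1], run[-1][1]))
            run = [cur]
    return sweeps

def suspicious_international(log_text, prefix="00"):
    """International calls placed by an extension that an intercom sweep reached."""
    swept = {str(e) for _, lo, hi in find_sweeps(log_text) for e in range(lo, hi + 1)}
    return [(c, d) for _, c, d in parse(log_text) if d.startswith(prefix) and c in swept]
```

On the sample, extension 105 is reported as the source of a sweep over 100 to 104, and the later international call from 103 is flagged while the one from 120 (outside the swept range) is not.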
 