
Allworx 6x remote call initiation breakin

Posted: Mon Jan 20, 2014 11:24 am
by vtjballeng
For the first time, our Allworx 6x system was hacked and made to initiate fraudulent calls internationally. Our SIP trunk provider, bandwidth.com, caught the error and shut down the calls, which were initiated early on a Saturday. I happened to be in the office working on Saturday, and on Sunday I worked on the issue when I saw the service had been clamped.

The very short version of the story is that the hacker spoofed one of our generic sip phones and remotely initiated a large number of international calls.

We are on the most current Allworx firmware as I write this article and we have used this Allworx 6x system for many years at this point.

We use a Polycom 6000 and 5000 respectively for two conference rooms. We don't believe the hackers gained access to the phones directly or to the Allworx 6x directly. It appears that they were able to remotely initiate calls to the Allworx using the Polycom 6000's login username and password. We created more robust usernames and passwords for all of our generic SIP phones. The login usernames changed from the SIP registration data such as 5111 to a longer, descriptive name. The passwords went from a few digits to many digits. This doesn't have any effect on the use of the phone, so there is no reason to choose a simple password here. The passwords were changed on the Polycom speakerphones and similar devices, and the Allworx 6x password was changed.

After emailing with our rep regarding the issue, a very simple question came up. Can’t we just block external calls for these generic sip phones? If we were able to associate the SIP registration with an IP, MAC address or even just to say the call must be initiated from within the local network the problem would be immediately solved. In fact, this is so simplistic, one has to ask why isn’t this security step 2 right after the username and password? Such an omission seems negligent unless I am missing something.

From what I currently understand, it appears that the Allworx box is set up to accept remote calls for a generic sip phone given the proper credentials with no concern for the validity of the source. This means that any hacker can sit and hammer away at your Allworx box using brute force methods to gain access to calling abilities on your call system. Some INVITES were rejected based on our logs but clearly the hackers were able to work around the infrequent rejections.

www.jamesballenger.com/allworx-security-vulnerability/

Re: Allworx 6x remote call initiation breakin

Posted: Thu Feb 06, 2014 12:27 am
by ryano
We also got hit via international fraud calls via our non-allworx sip phones. These hackers are pretty savvy. The fraud experts I spoke with tell me this is a major underground industry, especially the Jamaica call scam where folks don't realize the domestic area code number used for Jamaica can incur international rates. Apparently the receiving party gets half of the cost of the call (kind of like a 900 number), so it is a major money maker.

By the way, nice write up James. And I like your other writeup on upgrading to a larger compactflash card.

I have been pretty confused with the passwords on the allworx pbx. I see passwords for both the users and the handsets. I'm guessing from what you're saying the Allworx phone gets its own generated strong password when the phone is added to the PBX, and so is not as susceptible as the non-allworx (generic sip phone) where you need to create your own password in the handset settings? Does it matter what the user password is, or is this only used for checking voicemail, and not sip authorization?

For your question, "Can’t we just block external calls for these generic sip phones?" I believe the answer is yes, via a Dialing Privileges group (Phone system > Dial Plan > Dialing Privileges Group). Simply create a new dial plan by copying an existing one. You could call it remote sip phones. Then under blocked numbers for that dial plan enter 1 or anything else you want to block. This will cause any calls starting with 9, 1- to be blocked. Now all you need to do is go to your generic sip handsets and put them in that dialing privileges group. You may also want to block NANP countries and territories if your users don't intend calling them: https://en.wikipedia.org/wiki/North_Ame ... erritories
This might be a good thing to add to your other dial plans as well, since it will prevent calling to locations such as Jamaica.

For us, dial plans and changing of passwords will only get us so far. Sometimes passwords change or mistakes happen. I think the catch-all is to place a third-party firewall in front of the Allworx that only forwards traffic to the Allworx from a trusted party (i.e. remote phones or the VoIP phone carrier) based on the IP address of the source. This requires switching the network mode to LAN host instead of NAT, and setting the public IP of the third-party firewall.

It would be a great feature for the Allworx if they could add it, to specify which incoming IP addresses are allowed. Another good feature would be the ability to disable access to SIP phones from the internet if your intention is to have your SIP phones locally on the LAN (not remote phones connected to the Allworx via the internet).
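The two controls discussed in this thread, the PBX accepting any INVITE that carries valid credentials regardless of where it comes from (James's first post) and a source-address allowlist in front of the PBX plus a restricted dialing privileges group (ryano's reply), can be modelled as three independent layers. The block below is an added example and is not code from the forum thread, from Allworx or from any firewall product: the log format, the IP ranges, the rejection threshold and the blocked area codes are all constructed for illustration, and the restricted dial plan goes a little beyond the thread by also refusing international (011) numbers alongside the blocked NANP area codes.

```python
"""Added example, not code from the forum thread or from Allworx.

Models three layers for a PBX that is reachable from the Internet:
 (1) a source-address allowlist in front of the PBX (the third-party
     firewall idea), which never looks at credentials;
 (2) counting rejected attempts per untrusted source to spot brute
     forcing of SIP credentials (the "some INVITEs were rejected" pattern);
 (3) a restricted dialing-privileges group that refuses international
     and selected NANP area codes even if a spoofed phone gets through.
Log format, addresses, threshold and area codes are constructed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed trusted sources: the office LAN and the carrier's signalling host.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),  # office LAN (assumption)
    ipaddress.ip_network("203.0.113.0/24"),   # SIP trunk provider (placeholder)
]

# Constructed log format (not the Allworx log format):
#   <timestamp> <src_ip> <METHOD> user=<auth user> result=<OK|REJECT> [to=<digits>]
LOG_RE = re.compile(
    r"^(\S+) (\S+) (INVITE|REGISTER) user=(\S+) result=(OK|REJECT)(?: to=(\d+))?$"
)

# Constructed sample: a brute force against extension 5111 from an outside
# address, two fraud calls once the password is found, then normal traffic.
SAMPLE_LOG = """\
2014-01-18T03:10:01 198.51.100.7 REGISTER user=5111 result=REJECT
2014-01-18T03:10:02 198.51.100.7 REGISTER user=5111 result=REJECT
2014-01-18T03:10:03 198.51.100.7 REGISTER user=5111 result=REJECT
2014-01-18T03:10:04 198.51.100.7 REGISTER user=5111 result=REJECT
2014-01-18T03:10:05 198.51.100.7 REGISTER user=5111 result=REJECT
2014-01-18T03:10:06 198.51.100.7 REGISTER user=5111 result=OK
2014-01-18T03:10:07 198.51.100.7 INVITE user=5111 result=OK to=9011442079460000
2014-01-18T03:10:08 198.51.100.7 INVITE user=5111 result=OK to=918765550100
2014-01-18T09:00:00 192.168.10.41 REGISTER user=5111 result=OK
2014-01-18T09:00:05 192.168.10.41 INVITE user=5111 result=OK to=918025550123
2014-01-18T09:01:00 203.0.113.5 INVITE user=trunk result=OK to=5111
"""

# Constructed restricted dialing-privileges group: 9 grabs an outside line,
# then 011 (international) or 1 + a blocked NANP area code is refused.
OUTSIDE_LINE_PREFIX = "9"
BLOCKED_AREA_CODES = {"876"}  # Jamaica; extend with other NANP codes you never call


@dataclass
class SipEvent:
    time: str
    src: str
    method: str
    user: str
    result: str
    to: Optional[str]


def is_trusted(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(SipEvent(*m.groups()))
    return events


def firewall_filter(events):
    """Layer 1: what a source allowlist in front of the PBX lets through.
    Credentials are never consulted, so a correct password presented from
    an untrusted address is still dropped."""
    passed = [e for e in events if is_trusted(e.src)]
    dropped = [e for e in events if not is_trusted(e.src)]
    return passed, dropped


def brute_force_sources(events, threshold: int = 5) -> dict:
    """Layer 2: untrusted sources with at least `threshold` rejections."""
    rejects = Counter(e.src for e in events
                      if e.result == "REJECT" and not is_trusted(e.src))
    return {src: n for src, n in rejects.items() if n >= threshold}


def dial_plan_allows(dialed: str, block_international: bool = True,
                     blocked_area_codes=BLOCKED_AREA_CODES) -> bool:
    """Layer 3: may a phone in the restricted group place this call?"""
    if not dialed.startswith(OUTSIDE_LINE_PREFIX):
        return True                      # internal extension
    number = dialed[len(OUTSIDE_LINE_PREFIX):]
    if number.startswith("011"):
        return not block_international   # international dialing
    if number.startswith("1") and number[1:4] in blocked_area_codes:
        return False                     # NANP number billed at international rates
    return True


def fraudulent_calls(events) -> list:
    """Successful INVITEs from untrusted sources to numbers the restricted
    dial plan would refuse: the calls that actually cost money."""
    return [e for e in events
            if e.method == "INVITE" and e.result == "OK"
            and not is_trusted(e.src)
            and e.to is not None and not dial_plan_allows(e.to)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    passed, dropped = firewall_filter(events)
    print(f"{len(passed)} events from trusted sources, {len(dropped)} dropped at the firewall")
    print("brute-force suspects:", brute_force_sources(events))
    for e in fraudulent_calls(events):
        print("fraud call", e.time, e.src, "->", e.to)
```

Run as a script it reports that the outside address is dropped entirely by the allowlist, that the same address tripped the rejection counter before it found the password, and that both of its successful INVITEs were to numbers the restricted group would have refused; a PBX that only checked credentials would have placed both calls.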

Re: Allworx 6x remote call initiation breakin

Posted: Fri Feb 21, 2014 10:05 am
by jra
Our phone system was hacked too. We have IT support, as we are a small non-profit, and the office staff manages the system ourselves. I was going to update the system and change any passwords (phones and system). You mention changing from NAT to LAN and changing the public IP address to that of the third-party firewall. I know that we can change the NAT to LAN when we log into the system. Is that the only place where we have to make a change, or are physical connections involved? With regard to changing the public IP address to that of the third party, would that mean changing the public IP address to that of the boot server? We need step-by-step instructions for non-IT people who do have a good understanding of computers.

Re: Allworx 6x remote call initiation breakin

Posted: Thu Aug 21, 2014 11:29 am
by vtjballeng
ryano,

Thanks for the tips. I created a Dialing Privileges Group called restricted and put my generic sips in there and simply disallowed calling. I will move them to other appropriate groups. The Privileges Groups will also allow me to prevent some users from making international calls. However, the phones which were actually hacked need unrestricted access and to be able to call anywhere in the world. I could make them enter a pin first which would add a restriction and add security but the staff hates that option. We haven't had any further fraud and the simplest restriction would be to only allow calls from our local ip range or a defined range.