Old Techniques Being Used to Hack Out-of-Date Asterisk PBXs -- 5 Ways to Protect Yourself

October 06, 2011
By TMCnet Special Guest
Nir Simionovich, CTO of Humbug Telecom Labs

Humbug Telecom Labs has identified recent hacks that use some very old techniques. A few recent instances appear related to the CDR XSS security bug in Asterisk PBXs that was fixed a few months ago, and that FreePBX had previously handled on its side.

Many Asterisk integrators do a fairly dirty job of upgrading to the latest versions. They usually download a tool like Elastix or trixbox, install it, configure it and are done with it. In these recent cases, the hacks were successfully executed on systems running Asterisk 1.2.X and early 1.4.X versions. If your integrator doesn’t care to upgrade your system (leaving ports UDP/5060 and TCP/80 open to the world), some form of worm can crawl up and bite the system from that direction.

If you have a really old Asterisk system (Asterisk 1.2.X, old trixbox, Asterisk@Home, etc.) – here are some recommendations on how to protect yourself from these attacks:

  1. Allow access to port UDP/5060 only to authorized systems – if your system is for internal use only, there is no reason to allow access to UDP/5060 from the whole world. Open access from your providers only; that should protect you at a preliminary level.
  2. Mobile workers should access via a VPN – it may be a hassle, but if you have mobile clients such as softphones, have a VPN installed on the person’s computer or cell phone; even a simple PPTP or L2TP VPN will do in most cases.
  3. Disable guest SIP access to your Asterisk system – this is always a good practice. If you use services such as DIDX, DIDWW or other DID providers around the world and you allow them in via SIP guest access, don’t be surprised if other people come in through the front door as well.
  4. Accountability is everything – once a hacker has exploited the system, they’ll do their best to erase their tracks. CDR records are not bulletproof; using the same attack, they can be deleted and manipulated. Using an external tool, such as Humbug or an external syslog facility, can help you account for the hack attempt and prove to your carrier – and to your insurance company – that you were robbed.
  5. Update your system – that said, don’t go and install every little Asterisk patch that exists. If your system works for you and there are no security fixes, updating usually isn’t required. If a security fix was issued, do your best to update your system as fast as possible.
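As an added illustration of steps 1, 3 and 4 (not part of the original commentary, and not Asterisk project code), the shell snippet below prints an iptables rule set that limits UDP/5060 to a whitelist of provider and VPN addresses, and audits a sip.conf and logger.conf fed on standard input for the guest-access and syslog settings mentioned above. The chain name SIP_ALLOW, the interface name and the 192.0.2.x/198.51.100.x addresses are constructed for the example; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: helpers for the hardening steps in the article.
# Not from the article or the Asterisk project; SIP_ALLOW and the
# sample addresses (RFC 5737 documentation ranges) are constructed.

# Step 1: print iptables commands that accept UDP/5060 only from the
# listed provider/VPN addresses and drop the rest. Printed, not applied,
# so the rules can be reviewed before being run as root.
gen_sip_rules() {
    iface=$1; shift
    echo "iptables -N SIP_ALLOW 2>/dev/null || iptables -F SIP_ALLOW"
    for src in "$@"; do
        echo "iptables -A SIP_ALLOW -s $src -j ACCEPT"
    done
    echo "iptables -A SIP_ALLOW -j DROP"
    echo "iptables -I INPUT -i $iface -p udp --dport 5060 -j SIP_ALLOW"
}

# Step 3: read sip.conf on stdin; succeed (exit 0) only if the [general]
# section sets allowguest=no. chan_sip treats a missing allowguest as
# "yes", so the absence of the line counts as a failure here.
check_allowguest() {
    awk '
        /^[[:space:]]*\[/ { in_general = ($0 ~ /^[[:space:]]*\[general\]/) }
        in_general && $0 ~ /^[[:space:]]*allowguest[[:space:]]*=[[:space:]]*no[[:space:]]*(;.*)?$/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Step 4: read logger.conf on stdin; succeed only if at least one channel
# ships to syslog (a "syslog.<facility> => ..." line), so the log trail
# survives an intruder wiping files on the PBX itself.
check_syslog_logging() {
    grep -Eq '^[[:space:]]*syslog\.[A-Za-z0-9_]+[[:space:]]*=>'
}

# Demonstration on constructed configs.
echo "# rules for providers 192.0.2.10 and 198.51.100.20 on eth0:"
gen_sip_rules eth0 192.0.2.10 198.51.100.20

if printf '[general]\ncontext=from-trunk\nallowguest=yes\n' | check_allowguest; then
    echo "sip.conf: guest SIP access disabled"
else
    echo "sip.conf: guest SIP access ENABLED - set allowguest=no in [general]"
fi

if printf '[logfiles]\nconsole => notice,warning,error\n' | check_syslog_logging; then
    echo "logger.conf: syslog channel present"
else
    echo "logger.conf: no syslog channel - add e.g. syslog.local0 => notice,warning,error"
fi
```

The two checks are deliberately strict: a sip.conf that never mentions allowguest fails, because the chan_sip default is to admit guests, and a logger.conf that only writes local files fails, because those are exactly the files an intruder can edit along with the CDRs.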

The best advice would be: stay alert and vigilant. The fact that you are not paranoid doesn’t mean they are not out to get you. If you put a server onto the internet with a password of 123456, it takes less than 12 hours for the server to get hacked, hijacked and utilized.


Edited by Rich Steeves
