This document discusses how to make an Asterisk system more secure. It begins by explaining that PBX systems are targets for hackers and how they can find unsecured systems. It then provides recommendations for securing the physical device, operating system, network, Asterisk configuration, SIP, and dialplan. Resources discussed include taking Asterisk security courses, reviewing the Asterisk wiki for security articles, keeping systems updated, and using dedicated VoIP security products to monitor for attacks.

1. Making your Asterisk System Secure
Who is out there looking to attack your PBX?
How do they find it?
How can you protect your PBX
PRESENT BY:
ERIC KLEIN
SR. CONSUL TANT

2. /home/ericlklein/.finger
• NEW GRANDFATHER (PICTURES UPON REQUEST)
• VOIP FRAUD PREVENTION EVANGELIST
• STARTUP ADVISOR AND ENTHUSIAST
• AUTHOR, BLOGGER FOR TECHNOLOGY AND
TRAVEL
• AMATEUR PHOTOGRAPHER AND CHEF

3. Ok, just 1 picture

4. 2013
GLOBAL FRAUD SURVEY
RESULTS

5. CFCA Global Fraud Key Findings
Global Fraud Loss:
 2011 $40.1 Billion (USD) annually
 2013 $46.3 Billion (USD) annually
Top Fraud types 2011
 Compromised PBX/Voicemail $4.96 Billion
 Internal/Employee Theft $1.44 Billion
Source: www.cfca.org/fraudlosssurvey/
The 15% increase from 2011 is a result of
increased fraudulent activity targeting the
wireless industry.
2013
$10.03 Billion
$2.53 Billion
*Notes:
 In 2011 the Global Fraud Loss Estimate was recalibrated to include the sizes of the CSPs being surveyed.
 In 2013 fraud classifications were divided into methods and type categories

6. Source: www.cfca.org/fraudlosssurvey/

7. Why They Attack

8. How it Works
Hackers sign up to lease premium-rate phone numbers, often used
for sexual-chat or psychic lines, from one of dozens of web-based
services that charge dialers over $1 a minute and give the lessee a
cut. In the United States, premium-rate numbers are easily
identified by 1-900 prefixes, and callers are informed they will be
charged higher rates. But elsewhere, like in Latvia and Estonia, they
can be trickier to spot. The payout to the lessees can be as high as 24
cents for every minute spent on the phone.
Hackers then break into a business’s phone system and make calls
through it to their premium number, typically over a weekend,
when nobody is there to notice. With high-speed computers, they
can make hundreds of calls simultaneously, forwarding as many as
220 minutes’ worth of phone calls a minute to the pay line. The
hacker gets a cut of the charges, typically delivered through a
Western Union, MoneyGram or wire transfer.
In part because the plan is so profitable, premium rate number
resellers are multiplying rapidly. There were 17 in 2009; last year
there were 85
www.nytimes.com/2014/10/20/technology/dial-and-redial-phone-hackers-stealing-billions-.html

9. Who Pays?

10. Who is Responsible for Losses
from Hacks?
In almost all cases the customer is contractually
responsible for losses from a hacked system.
Major carriers have sophisticated fraud systems in
place to catch hackers before they run up false six-figure
charges, and they can afford to credit
customers for millions of fraudulent charges every
year. But small businesses often use local carriers,
which lack such antifraud systems. And some of
those carriers are leaving customers to foot the bill.

11. Rare exception: Frip Finishing vs.
Voiceflex
Frip Finishing of Leicestershire was hacked over
Halloween weekend of October 2011
Internet hackers infiltrated Frip’s PBX and made
10,366 calls international phone card calls creating a
bill of £35,000 – most to a premium telephone
number in Poland
Judge David Grant rejected arguments the company
had failed to adequately maintain the security of its.
On the court’s interpretation of the contract, Frip
was only obliged to pay for calls that it had actually
made.
http://commsbusiness.co.uk/features/halloween-bill-shocker/

12. Phone Hackers Dial and Redial to Steal
Billions
In a weekend last March Foreman Seeley
Fountain Architecture, (in Norcross, Ga.)
was hack for $166,000 worth of calls to
premium- rate telephone numbers in
Gambia, Somalia and the Maldives.
www.nytimes.com/2014/10/20/technology/dial-and-redial-phone-hackers-stealing-billions-.html

13. Need to Change the Laws
The law is not much help, because no regulations
require carriers to reimburse customers for fraud the
way credit card companies must. Lawmakers have
taken the issue up from time to time, but little
progress has been made.

14. What to watch for

15. Something New Has Started
Mysterious fake mobile
phone towers discovered
across America could be
listening in on unsuspecting
callers.
They were discovered by
people using a heavily
customised Android device
called the CryptoPhone
500.
"They can listen to all of your voice calls and they can
grab all of your text” said Buzz Bruner of EDS
America.
Sources:
http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-be-intercepting-your-calls
http://www.myfoxdc.com/story/26610194/tech-company-finds-mysterious-fake-cell-towers-in-dc-area

16. Detected in Many Locations
During a road trip from Florida to North Carolina and he found eight
different interceptors on that trip.
After publication an
interceptor was detected
near the vicinity of
South Point Casino in
Las Vegas.
Several of the masts
were situated near US
military bases. he
towers are located near
the White House, the
United States Capitol
and the Supreme Court.
"Whose interceptor is it? Who are they, that's listening to calls around
military bases? Is it just the US military, or are they foreign
governments doing it? The point is: we don't really know whose they
are.“ - Les Goldsmith, chief executive of security firm ESD America

17. Detection is Hard
“If you've been intercepted, in
some cases it might show at the
top that you've been forced
from 4G down to 2G. But a
decent interceptor won't show
that,” says Goldsmith. “It'll be
set up to show you [falsely] that
you're still on 4G. You'll think
that you're on 4G, but you're
actually being forced back to
2G.”
Some devices can not only capture calls and texts, but even
actively control the phone and send spoof texts.

18. How they find you

19. More Examples from Shodan
Remember that last year someone in the
room was able to hack a Polycom phone
within 30 sec of it being displayed via
Shodan page – Default Passwords are a
problem.

20. Security Resources from

21. Take the updated Asterisk
Advanced Class for the
basics.
Asterisk Security
Considerations

22. Copyright © 2014 Digium, The Asterisk Company 22
Goals
• Security overview
• Survey of common threats
• Layer-by-layer security and best practice
suggestions
– physical
– OS
– network
– Asterisk
– SIP
– dialplan
• Resources

23. Look at the Asterisk Wiki

24. Asterisk Security Framework
Article by Malcolm Davenport
Attacks on Voice over IP networks are becoming increasingly
more common. It has become clear that we must do
something within Asterisk to help mitigate these attacks.
Through a number of discussions with groups of developers in
the Asterisk community, the general consensus is that the best
thing that we can do within Asterisk is to build a framework
which recognizes and reports events that could potentially
have security implications.
Discussion has subpages for:
 Security Framework Overview
 Security Event Generation
 Asterisk Security Event Logger
 Security Events to Log
 Security Log File Format
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Framework

25. Secure Calling Specifics
Article by Malcolm Davenport
Asterisk supports a channel-agnostic method for
handling secure call requirements. Since there is no
single meaning of what constitutes a "secure call,"
Asterisk allows the administrator the control to
define "secure" for themselves via the dialplan and
channel-specific configuration files.
Article includes explanations and examples for:
 Channel-specific configuration
 Security-based dialplan branching
 Forcing bridged channels to be secure
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics

26. Secure Calling Tutorial
Original tutorial by Malcolm Davenport, last modified by
Rusty Newton Transport Layer Security (TLS) provides
encryption for call signaling. (1.8 and above)
Tutorial outline:
 Overview
 Part 1 (TLS)
Keys
The Asterisk SIP configuration
Configuring a TLS-enabled SIP peer within Asterisk
Configuring a TLS-enabled SIP client to talk to Asterisk
Problems with server verification
 Part 2 (SRTP)
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

27. Pay Attention to Vendor
Warnings

28. FreePBX
Very good at notifying of potential problems
and regular updates:
Pay attention to the FreePBX dashboard for
update notifications
 Critical FreePBX RCE Vulnerability (ALL Versions)
We have been made aware of a critical Zero-Day Remote
Code Execution and Privilege Escalation exploit within the
legacy “FreePBX ARI Framework module/Asterisk
Recording Interface (ARI)”. This affects any user who has
installed FreePBX prior to version 12, and users who have
updated to FreePBX 12 from a prior version and did not
remove the legacy FreePBX ARI Framework module.
http://www.freepbx.org/node/92822

29. Watch out for OS Level Alerts
Shellshock on
Shellshock, also known as Bashdoor, is a family of
security bugs (with 6 CVE's filed at the time of this
page) in the widely used Unix Bash shell, the first of
which was disclosed on 24 September 2014. Many
Internet daemons, such as web servers, use Bash to
process certain commands, allowing an attacker to
cause vulnerable versions of Bash to execute
arbitrary commands. This can allow an attacker to
gain unauthorized access to a computer system.
http://wiki.centos.org/Security/Shellshock

30. Protect Your System
Watch for and install regular updates
Do not ignore the OS updates and fixes – Run Yum
update at least quarterly.
Always change the default user names and
passwords
Keep up on the news and new attacks – Inside fraud
and Phishing will remain big problems for years to
come.

31. VoIP Security Products
ONES TO LOOK AT AND SEE WHAT BEST FITS
YOUR NEEDS

32. Regular Firewall
Palo Alto firewalls have known problems with SIP
and SIP ALG, calls can complete but no audio (media
channel).
Checkpoint Firewalls work fine with SIP.
Fail2Ban can still cause additional problems with
triggering massive whois processes that take a lot of
CPU resources. (Need to kill PID for the process –
sometimes you need to kill multiple PIDs).

33. Single PBX or Phone Level
New products have come out in the past few years to
protect SIP at the phone or enterprise PBX level.
Coordinate the install with your ITSP, as there may
be configuration issues to be managed (ports to
open, NAT, etc.).

34. SIP Threat Manager
STM is installed in front of any SIP
based PBX or gateway offering several
layers of security against numerous
types of attacks. Block specific IPs or
countries, protect your PBX against
hackers trying user names and
passwords, someone is trying to flood
your PBX with a DDos attacks? No
problem!
Using the SNORT based Real Time
Deep packet inspection engine, our
STM analyzes each SIP packet going to
your phone system, identifies the
malicious and abnormal ones blocking
the originating IP.

35. Firewall Example from Allo
On Youtube: http://www.youtube.com/watch?v=iEwfH5j9ZfE

36. μFirewall
Using a revolutionary, patent
pending process, it identifies and
prevents toll fraud on a premise-based
IP PBX before it happens:
 Analyzes SIP packets through deep packet
inspection
 Stops abnormal SIP protocol usage based
on pre-determined parameters
 Prevents SIP denial-of-service attacks
 Quietly drops malicious SIP packets rather
than responding with an error to help
prevent continued attacks
 Neutralizes SIP attacks while they are
occurring rather than identifying attacks
after the fact

37. PHPARI
ARI i s a mind bl owing jump f o r t r adi t i ona l a s t e r i s k int e g r a t o r s .
Our obj e c t i v e i s t o c r e a t e a s impl e onl ine eng ine , tha t wi l l a l l ow
f o r p e op l e t o de v e l op sho r t s t a s i s /ARI a p p l i c a t i ons , e i the r on
the i r own s e r v e r s o r on a ho s t ed ins t anc e - and e xpe r iment wi th
how ARI wo r k s .
The s andbo x a l l ows y ou t o e xpe r iment wi th ARI and PHPARI ,
wi thout a ne ed t o a c tua l l y s t a r t c oding the ent i r e s t a s i s
appl i c a t ion, but a c tua l l y e xpe r iment ins ide s e l f c ont a ined c ode
snippe t s - v e r y much l i k e tha t J a v a s c r ipt t o o l s on the ne t .

38. Check out our Hackathon Project
Check it out (and vote for it) at:
http://astriconhackathon.challengepost.com/submissions/28
916-asterisk-ari-sandbox

39. Thank You
CONTACT ME AT:
Eric.Klein@greenfieldtech.net
www.greenfieldtech.net