Unauthorized international calls from my GV account
infin8loop:
Quote from: RonR on May 13, 2012, 02:46:39 pm
Consequently, if port 5060 can reach your PC from the Internet (due to forwarding, DMZ, no router, whatever), anyone who figures out your OBiAPP for PC OBiTALK number can register their SIP client and make calls using your OBi.
Could the OBiAPP for PC Properties -> Advanced -> SIP Port be changed to something other than 5060 that isn't forwarded in the router, thus making it inaccessible to outsiders? Of course all your internal clients would need to point to the new port.
Unfortunately I'm not in a position to test this at the moment.
RonR:
Quote from: infin8loop on May 13, 2012, 03:39:46 pm
Could the OBiAPP for PC Properties -> Advanced -> SIP Port be changed to something other than 5060 that isn't forwarded in the router, thus making it inaccessible to outsiders?
Obihai doesn't give the user any way to configure OBiAPP for PC. It's force-fed settings from the OBiTALK Web Portal with no user accessible options.
Taz1004:
Quote from: RonR on May 13, 2012, 04:07:53 pm
Quote from: infin8loop on May 13, 2012, 03:39:46 pm
Could the OBiAPP for PC Properties -> Advanced -> SIP Port be changed to something other than 5060 that isn't forwarded in the router, thus making it inaccessible to outsiders?
Obihai doesn't give the user any way to configure OBiAPP for PC. It's force-fed settings from the OBiTALK Web Portal with no user accessible options.
Then is it your suggestion not to use OBiAPP? And perhaps I didn't read all the fine print, but are its users being informed of this security risk?
As for my incident, a series of 0-minute calls to random similar numbers doesn't seem like it's done by someone who just likes to use my account to make international calls.
RonR:
There's basically no documentation on any of the OBiON/OBiAPP products. I don't believe the security risk has ever been discussed or disclosed. Obihai could certainly reduce the risk by requiring a password from the SIP client in order to register with OBiAPP for PC.
Do you use a router? Do you have its DMZ enabled to your PC or do you have port 5060 forwarded to your PC? Not using a router or having port 5060 open would facilitate an outsider piggy-backing on your OBiAPP for PC.
The world is infested with automated SIP scanners looking for systems to exploit and make free phone calls through. You need to be aware and vigilant.
An alternative to using OBiAPP for PC and the OBiTALK Service would be to have your SIP client(s) communicate directly with your OBi using Single-Stage Dialing Through Any OBi Trunk Using SIP. No passwords are used, but you can limit SIP access to the OBi by IP address using:
Service Providers -> ITSP Profile x -> SIP -> X_AccessList
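The IP-based gate RonR describes, as an added illustration that is not part of the thread and not Obihai's code: a minimal SIP REGISTER handler that accepts a registration only when the source address matches an allow-list in the spirit of X_AccessList. The list syntax, the hostnames and the sample request are constructed assumptions; the real setting's format is not shown in the thread.

```python
import ipaddress

# Constructed allow-list: only LAN softphones may register (format is an assumption).
ALLOW_LIST = ["192.168.1.0/24", "10.0.0.5"]


def parse_access_list(entries):
    """Turn IPs and CIDR blocks into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_request(raw):
    """Extract the method and headers from a raw SIP request (text form only)."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, headers


def handle_register(raw, src_ip, access_list):
    """Return the SIP status this gate would send back to the sender.

    No password is checked, exactly as the thread describes for OBiAPP; the
    only thing standing between a scanner and a free trunk is the source IP.
    """
    method, headers = parse_request(raw)
    if method != "REGISTER":
        return "405 Method Not Allowed"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in access_list):
        return "403 Forbidden"  # unlisted source: refuse the registration
    return "200 OK"


# Constructed REGISTER as a softphone (or a scanner) would send it: no credentials.
REGISTER = (
    "REGISTER sip:obi.example SIP/2.0\r\n"
    "From: <sip:1001@obi.example>;tag=abc\r\n"
    "To: <sip:1001@obi.example>\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Call-ID: 1@obi.example\r\n"
    "CSeq: 1 REGISTER\r\n\r\n"
)

if __name__ == "__main__":
    acl = parse_access_list(ALLOW_LIST)
    print(handle_register(REGISTER, "192.168.1.50", acl))  # 200 OK
    print(handle_register(REGISTER, "203.0.113.7", acl))   # 403 Forbidden
```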
Taz1004:
Yes, I have port 5060 open and I'm keeping it open to duplicate the results. I wish there were a better way to test this than to wait for someone to attack my router.
But then if someone attacked through port 5060 which is routed to my PC with OBiAPP, shouldn't the softphone (3CX) on my PC show these calls on its history? Why are these calls only showing up on my OBi100? This is the part I don't understand.