
Unauthorized international calls from my GV account

Started by Taz1004, May 09, 2012, 05:02:26 PM


Taz1004

There are unauthorized international calls being made as I type this from my GV account to Cuba.  It's a series of 0 minute and some 4~6 minute calls.  I have no idea how to contact Google to inquire about this so for now I stopped the auto recharge and changed my Google password.

And I'm not sure if this is hacking, a glitch, or a problem with Obi or with Google... how should I resolve this issue and get refunds (about $20 right now)?

Taz1004

I just checked the last 10 calls from my Obi expert configuration and these calls indeed originated from my Obi.  I disconnected the link between my GV and Obi account and these calls stopped.  Can anyone at Obi take a look at this?

RonR

What does the OBi Call History show for these calls?  The left column is where the call originated from.  I assume it wasn't PHONE1.  Which trunk did these calls originate from?  There should be a peer number associated with it.

Taz1004

Is there a call history section other than the Last 10 calls in Expert config?

In Expert config, it says

Terminal ID:  OBiTALK1 -- Google Voice 1
Peer Name:  Unknown
Peer Number :  Unknown -- 005332211726
Direction:  Inbound  Outbound

RonR

Log into the OBi directly at the IP address returned by dialing ***1 (default username/password is admin/admin).

There are two columns for each call.  The left column is where the call originated.  The right column is where the call went.  It should be obvious where the call originated that ended up going out to Cuba via Google Voice.

It appears the calls are coming in from an anonymous OBiTALK Service user.  Post the contents of:

Voice Services -> OBiTALK Service -> InboundCallRoute

Taz1004

Below is from the InboundCallRoute

{(290906050|290936145)>(xx.):SP1},{(290906050|290936145):aa},{ph}


And looking at GV call history, it seems these calls started 6 days ago to Great Britain.  I didn't notice it as it was 5 calls back then.  Then it started to spam today and made me look into it when I got an email from Google that my account was recharged.

RonR

That InboundCallRoute should only be sending calls from OBiTALK numbers 290906050 and 290936145 to SP1.  Calls coming from any other (or an anonymous) OBiTALK caller should be going to the PHONE Port.

You need to bring this to Obihai's attention as it appears there's a bug in the OBi firmware or someone has found a weakness in it to exploit.

Please report back what you find.
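To make RonR's reading of that InboundCallRoute concrete, here is a small simulator of the rule syntax as it appears in this thread (added example, not Obihai code or the firmware's actual matcher; it models only the simple form: caller list, optional ">" called-number list, target, with "x" and "." digit-map characters, and not macro references such as (Mtsc)).  It answers the question "given this route, where should a call from caller X to number Y have gone?" so you can compare the expected terminal against what the OBi call history shows.  The call records fed to it are constructed from the values posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    callers: Optional[List[re.Pattern]]  # None = any caller
    called: Optional[List[re.Pattern]]   # None = any called number
    target: str                          # e.g. "SP1", "aa", "ph"


def digitmap_to_regex(pattern: str) -> re.Pattern:
    """Translate a simple OBi-style digit map into an anchored regex.
    'x' is any single digit, '.' repeats the previous element zero or more
    times, digits and '+*#' are literal.  Assumption: only this subset is
    modelled, not the full OBi digit-map language."""
    parts = []
    for ch in pattern:
        if ch == "x":
            parts.append(r"\d")
        elif ch == ".":
            if not parts:
                raise ValueError("'.' needs a preceding element")
            parts.append("*")
        elif ch.isdigit() or ch in "+*#":
            parts.append(re.escape(ch))
        else:
            raise ValueError(f"unsupported digit map character {ch!r}")
    return re.compile("^" + "".join(parts) + "$")


def _parse_list(text: str) -> Optional[List[re.Pattern]]:
    """'(a|b)' -> [regex(a), regex(b)]; empty text -> None (match anything)."""
    text = text.strip()
    if not text:
        return None
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    return [digitmap_to_regex(p) for p in text.split("|")]


def parse_inbound_call_route(route: str) -> List[Rule]:
    """Split '{a},{b},{c}' into Rule objects, in evaluation order."""
    route = route.strip()
    if not (route.startswith("{") and route.endswith("}")):
        raise ValueError("route must be a comma-separated list of {...} rules")
    rules = []
    for chunk in route[1:-1].split("},{"):
        if ":" in chunk:
            lhs, target = chunk.rsplit(":", 1)
        else:
            lhs, target = "", chunk          # bare target such as {ph}
        caller_part, _, called_part = lhs.partition(">")
        rules.append(Rule(_parse_list(caller_part), _parse_list(called_part), target.strip()))
    return rules


def route_call(rules: List[Rule], caller: str, called: str) -> Tuple[Optional[str], int]:
    """Return (target, rule_index) of the first rule that matches, or (None, -1)."""
    for idx, rule in enumerate(rules):
        if rule.callers is not None and not any(p.match(caller) for p in rule.callers):
            continue
        if rule.called is not None and not any(p.match(called) for p in rule.called):
            continue
        return rule.target, idx
    return None, -1


# The InboundCallRoute posted earlier in the thread.
THREAD_ROUTE = "{(290906050|290936145)>(xx.):SP1},{(290906050|290936145):aa},{ph}"


def expected_target(caller: str, called: str) -> Optional[str]:
    """Where the posted route should send a call from `caller` to `called`."""
    return route_call(parse_inbound_call_route(THREAD_ROUTE), caller, called)[0]


if __name__ == "__main__":
    # Constructed call records (caller, called); the last one mirrors the
    # "Peer Number: Unknown -- 005332211726" entry from the call history.
    for caller, called in [("290906050", "011535551234"), ("290936145", ""), ("Unknown", "005332211726")]:
        print(f"from {caller or '(none)'} to {called or '(none)'} -> {expected_target(caller, called)}")
```

An anonymous or unknown caller fails both numeric caller lists and falls through to the catch-all {ph}, which is exactly RonR's point: if such a call nevertheless went out via SP1, the device did not behave as the route says it should.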

Taz1004


Taz1004

Support wasn't much help.  They just told me to turn off OBiApp on my PC and observe.  So that's what I did, and although it's only been 2 days, no calls have occurred since.  But I turned it back on yesterday and there are still no international calls, so I'm not sure if that was the fix or it just stopped by itself.  Maybe I'll just have to observe for longer.

I thought maybe it was because my son was using torrents and he set it to use random ports.  And maybe it chose the SIP port and that was dialing the numbers.  But the thing is that his internet access is restricted to 7pm~9pm in the router.  And some of these calls happened at 4pm.  And his torrent was set to use a specific port.

I can't recharge my GV account with this kind of uncertainty.  Especially when I can't even get the funds reimbursed by either OBiHAI or Google.

RonR

OBiAPP for PC is basically a SIP server running on your PC.  It acts as a SIP-to-OBiTALK bridge, connecting SIP clients to your particular OBi.  No password is used for authentication of SIP registrations.  The only credential required is your OBiAPP for PC OBiTALK number.  Consequently, if port 5060 can reach your PC from the Internet (due to forwarding, DMZ, no router, whatever), anyone who figures out your OBiAPP for PC OBiTALK number can register their SIP client and make calls using your OBi.

infin8loop

Quote from: RonR on May 13, 2012, 02:46:39 PM
Consequently, if port 5060 can reach your PC from the Internet (due to forwarding, DMZ, no router, whatever), anyone who figures out your OBiAPP for PC OBiTALK number can register their SIP client and make calls using your OBi.

Could the OBiAPP for PC Properties -> Advanced -> SIP Port be changed to something other than 5060 that isn't forwarded in the router, thus making it inaccessible from outsiders?   Of course all your internal clients would need to point to the new port.

Unfortunately I'm not in a position to test this at the moment.
"This has not only been fun, it's been a major expense." - Gallagher

RonR

Quote from: infin8loop on May 13, 2012, 03:39:46 PM
Could the OBiAPP for PC Properties -> Advanced -> SIP Port be changed to something other than 5060 that isn't forwarded in the router, thus making it inaccessible from outsiders?

Obihai doesn't give the user any way to configure OBiAPP for PC.  It's force-fed settings from the OBiTALK Web Portal with no user accessible options.

Taz1004

Quote from: RonR on May 13, 2012, 04:07:53 PM
Quote from: infin8loop on May 13, 2012, 03:39:46 PM
Could the OBiAPP for PC Properties -> Advanced -> SIP Port be changed to something other than 5060 that isn't forwarded in the router, thus making it inaccessible from outsiders?

Obihai doesn't give the user any way to configure OBiAPP for PC.  It's force-fed settings from the OBiTALK Web Portal with no user accessible options.

Then is it your suggestion not to use OBiAPP?  And perhaps I didn't read all the fine print, but are its users being informed of this security risk?

As for my incident, a series of 0 minute calls to random similar numbers doesn't seem like it's done by someone who just likes to use my account to make international calls.

RonR

There's basically no documentation on any of the OBiON/OBiAPP products.  I don't believe the security risk has ever been discussed or disclosed.  Obihai could certainly reduce the risk by requiring a password from the SIP client in order to register with OBiAPP for PC.

Do you use a router?  Do you have its DMZ enabled to your PC or do you have port 5060 forwarded to your PC?  Not using a router or having port 5060 open would facilitate an outsider piggy-backing on your OBiAPP for PC.

The world is infested with automated SIP scanners looking for systems to exploit and make free phone calls through.  You need to be aware and vigilant.

An alternative to using OBiAPP for PC and the OBiTALK Service would be to have your SIP client(s) communicate directly with your OBi using Single-Stage Dialing Through Any OBi Trunk Using SIP.  No passwords are used, but you can limit SIP access to the OBi by IP address using:

Service Providers -> ITSP Profile x -> SIP -> X_AccessList
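The two points RonR makes in this thread, that OBiAPP for PC accepts SIP registrations with no password and that the only available control is limiting SIP access by source IP address, can be turned into a simple check a defender can run on the LAN side.  The script below is an added example, not Obihai's code and not how OBiAPP or X_AccessList are implemented: it parses SIP REGISTER requests (constructed here; in practice taken from a packet capture or a SIP-aware gateway log), rejects any that come from outside an allow list of addresses or subnets, and flags registrations that carry no Authorization header or a User-Agent string associated with automated SIP scanners.  The allow list, the scanner signature list and the sample messages are assumptions for the example; adjust them to your own network.

```python
import ipaddress
from typing import Dict, List, Tuple

# Allow list in the spirit of X_AccessList: only these sources may register.
# Constructed for this example: a LAN subnet plus the local softphone on the PC.
ALLOWED_SOURCES = ["192.168.1.0/24", "127.0.0.1"]

# User-Agent fragments commonly seen from automated SIP scanners.
# Assumption: a starter list, not an exhaustive signature set.
SCANNER_UA_HINTS = ("friendly-scanner", "sipvicious", "sipcli")


def parse_sip_headers(message: str) -> Dict[str, str]:
    """Return the request line plus headers of a SIP request (names lower-cased)."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"request": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_allowed_source(src_ip: str, allow_list: List[str] = ALLOWED_SOURCES) -> bool:
    """True if src_ip falls inside any address or CIDR block of the allow list."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allow_list)


def assess_register(src_ip: str, message: str,
                    allow_list: List[str] = ALLOWED_SOURCES) -> Tuple[str, List[str]]:
    """Classify one SIP request from src_ip: ('accept'|'reject'|'ignore', reasons)."""
    h = parse_sip_headers(message)
    if not h["request"].upper().startswith("REGISTER "):
        return "ignore", ["not a REGISTER"]
    reasons = []
    allowed = is_allowed_source(src_ip, allow_list)
    if not allowed:
        reasons.append(f"source {src_ip} not in access list")
    if "authorization" not in h:
        reasons.append("no Authorization header (unauthenticated registration)")
    ua = h.get("user-agent", "")
    if any(hint in ua.lower() for hint in SCANNER_UA_HINTS):
        reasons.append(f"User-Agent matches scanner signature: {ua}")
    return ("accept" if allowed else "reject"), reasons


def audit(events: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run assess_register over (src_ip, message) pairs; keep everything noteworthy."""
    out = []
    for src_ip, message in events:
        decision, reasons = assess_register(src_ip, message)
        if decision != "ignore":
            out.append((src_ip, decision, reasons))
    return out


# Constructed sample traffic.  500000000 stands in for an OBiTALK number.
SCANNER_REGISTER = (
    "REGISTER sip:obiapp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-scan1\r\n"
    "From: <sip:500000000@obiapp.example>;tag=1\r\n"
    "To: <sip:500000000@obiapp.example>\r\n"
    "Call-ID: scan1@203.0.113.5\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Contact: <sip:500000000@203.0.113.5:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
LAN_REGISTER = (
    "REGISTER sip:obiapp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-lan1\r\n"
    "From: <sip:500000000@obiapp.example>;tag=2\r\n"
    "To: <sip:500000000@obiapp.example>\r\n"
    "Call-ID: lan1@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: Zoiper\r\n"
    "Contact: <sip:500000000@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for src, decision, reasons in audit([("203.0.113.5", SCANNER_REGISTER),
                                         ("192.168.1.20", LAN_REGISTER)]):
        print(src, decision, "; ".join(reasons))
```

Because the bridge itself never asks for a password, every REGISTER is reported as unauthenticated; the decision that matters is the source-address one, which is the same control X_AccessList gives you on the OBi.  Seeing registrations from public addresses at all means port 5060 is reachable from the Internet and the forwarding or DMZ rule should be removed.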


Taz1004

Yes, I have port 5060 open and I'm keeping it open to duplicate the results.  I wish there were a better way to test this than to wait for someone to attack my router.

But then if someone attacked through port 5060 which is routed to my PC with OBiAPP, shouldn't the softphone (3CX) on my PC show these calls on its history?  Why are these calls only showing up on my OBi100?  This is the part I don't understand.

RonR

No.  The intruder would be registering his SIP client in addition to or in place of your 3CX client with OBiAPP for PC.  3CX wouldn't know anything about the intruder.

(I updated my previous post.)

infin8loop

Quote from: RonR on May 13, 2012, 04:07:53 PM
Quote from: infin8loop on May 13, 2012, 03:39:46 PM
Could the OBiAPP for PC Properties -> Advanced -> SIP Port be changed to something other than 5060 that isn't forwarded in the router, thus making it inaccessible from outsiders?

Obihai doesn't give the user any way to configure OBiAPP for PC.  It's force-fed settings from the OBiTALK Web Portal with no user accessible options.


Interesting, because I was able to change the OBiAPP SIP Port to 5100 and save it, and change Zoiper to point to 127.0.0.1:5100.  Zoiper registered successfully to OBiAPP and I can make calls.

If it's not doing what I think it's doing, then the ability to save the SIP Port setting is misleading at best.   

 
"This has not only been fun, it's been a major expense." - Gallagher

RonR

Quote from: infin8loop on May 13, 2012, 06:06:13 PM
Interesting, because I was able to change the OBiAPP SIP Port to 5100 and save it, and change Zoiper to point to 127.0.0.1:5100.  Zoiper registered successfully to OBiAPP and I can make calls.

If it's not doing what I think it's doing, then the ability to save the SIP Port setting is misleading at best.   

No, you're correct.  I was thinking about the OBiTALK number, Voice Gateway, and Speed Dials, which cannot be changed in the App.  I forgot about the tab to change the ports.  Sorry for the misinformation.

Ostracus

Quote from: RonR on May 13, 2012, 05:02:16 PM

An alternative to using OBiAPP for PC and the OBiTALK Service would be to have your SIP client(s) communicate directly with your OBi using Single-Stage Dialing Through Any OBi Trunk Using SIP.  No passwords are used, but you can limit SIP access to the OBi by IP address using:

Service Providers -> ITSP Profile x -> SIP -> X_AccessList



I looked through that and for the Obi202 you have:
Quote: Voice Services -> SPx Service -> X_InboundCallRoute (SPx must be configured for SIP) (OBi202):

{(Mtsc)>(<*1:>(Msp1)),(Mtsc)>(<**1:>(Msp1)):sp1},{(Mtsc)>(<*2:>(Msp2)),(Mtsc)>(<**2:>(Msp2)):sp2},
{(Mtsc)>(<*3:>(Msp3)),(Mtsc)>(<**3:>(Msp3)):sp3},{(Mtsc)>(<*4:>(Msp4)),(Mtsc)>(<**4:>(Msp4)):sp4},
{(Mtsc)>(<*8:>(Mli)),(Mtsc)>(<**8:>(Mli)):li},{(Mtsc)>(<*9:>(Mpp)),(Mtsc)>(<**9:>(Mpp)):pp},
{(Mtsc)>**0:aa},{(Mtsc)>***:aa2},{(Mtsc)>(Mp2p):spx},{(Mtsc)>(Mpli):pli},{(Mtsc)>0:ph},{(Mtsc):},{ph}

While mine lists {ph1,ph2} which is phone one and two. Seems your example would need some modification to work.

RonR

Quote from: Ostracus on May 13, 2012, 07:17:33 PM
While mine lists {ph1,ph2} which is phone one and two. Seems your example would need some modification to work.

ph is equivalent to ph1.

I've updated the example to instruct the user that ph1 or ph2 can be used as desired.

Thanks!