OBiTALK Community

General Support => Day-to-Day Use => Topic started by: sp508 on March 06, 2016, 06:20:26 PM

Title: Obi508 Hacked
Post by: sp508 on March 06, 2016, 06:20:26 PM
Someone is hacking into my Obi by calling continuously on one of the lines. They somehow break in and then seem to be able, at will, to change the local Obi settings. They enable CallForwardUnconditionalEnable on 4 of the SPs to a Cuban number. When people call they are forwarded automatically. We don't receive the calls. We have obviously disabled international calls on PhonePower (our SP), but then they get a message 'international calls are not allowed'.

When we reboot the Obi, the OBiTalk settings bring things back to normal.

They re-enable the 'Cuban' settings by calling the OBi directly (seemingly bypassing the Service Provider) and somehow changing the settings.

I have tried many, many solutions without success (disabling Auto Provisioning, taking OBiTalk offline, resetting the OBi and starting from scratch, programming from offsite to make sure that there is no virus in my system, setting up an additional router in front of the Obi). All to no avail.

When I look at the call history I see the following was done right before the settings are changed to Cuban mode:

21:34:09   From SP5()   To PH5
21:34:09      Ringing
21:34:34      Call Connected
21:35:35   Call Ended   



Any help, please, please.
Title: Re: Obi508 Hacked
Post by: Taoman on March 06, 2016, 07:46:20 PM
Have never seen or configured a 50x series device so this is a guess.

Since you are using PhonePower this may be helpful if your configuration has an X_AccessList setting.

http://www.phonepower.com/wiki/Obihai_Lite#Disable_Direct_IP_Dialing

You might also look for the following setting (if you have it) under your Voice Service settings:

X_AcceptSipFromRegistrarOnly (if you find this setting, check the box and save your settings)
Title: Re: Obi508 Hacked
Post by: sp508 on March 06, 2016, 08:22:14 PM
Thank you so much!! I have been literally struggling with this for two weeks. Phones would be effectively disabled because they were auto forwarded. Unfortunately OBi tech support had really NOT been helpful with this.

I implemented both of your suggestions and hope it will work. It seems right.

Do you have any idea of how they get into the OBi in the first place?

It is a weird thing, the hacker calls again and again on several lines. We are Sabbath observers and will not pick up the phone on Saturday.

I have seen my home alarm central station do this. When they want to program our system they will tell us that they will be calling rapid fire several times in a row and that we should not pick up the phone. They somehow get into the alarm control so that they can program. It seems like there is some sort of weak spot in the Obi where if the hacker knows your phone number and knows that you have an OBi, he can get into your system.
Title: Re: Obi508 Hacked
Post by: SteveInWA on March 06, 2016, 09:53:55 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM
Thank you so much!! I have been literally struggling with this for two weeks. Phones would be effectively disabled because they were auto forwarded. Unfortunately OBi tech support had really NOT been helpful with this.

I implemented both of your suggestions and hope it will work. It seems right.

Do you have any idea of how they get into the OBi in the first place?

It is a weird thing, the hacker calls again and again on several lines. We are Sabbath observers and will not pick up the phone on Saturday.

I have seen my home alarm central station do this. When they want to program our system they will tell us that they will be calling rapid fire several times in a row and that we should not pick up the phone. They somehow get into the alarm control so that they can program. It seems like there is some sort of weak spot in the Obi where if the hacker knows your phone number and knows that you have an OBi, he can get into your system.

While you're "hardening" your OBi, you should also change its admin password (the default is "admin"!), to a nice long random string of characters.

As for the alarm system, no, that access method wouldn't apply to the OBi.  The alarm system's firmware listens for and counts rings on inbound calls.  Depending on the manufacturer and service provider, the alarm system is programmed to answer the phone after a certain sequence of rings (e.g. one ring and hang up, then another ring within x seconds).  When it recognizes that pattern, it answers the call, which enables it to communicate with the central station or service provider via the alarm system protocol.
Title: Re: Obi508 Hacked
Post by: SteveInWA on March 06, 2016, 09:56:57 PM
Quote from: SteveInWA on March 06, 2016, 09:53:55 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM
Thank you so much!! I have been literally struggling with this for two weeks. Phones would be effectively disabled because they were auto forwarded. Unfortunately OBi tech support had really NOT been helpful with this.

I implemented both of your suggestions and hope it will work. It seems right.

Do you have any idea of how they get into the OBi in the first place?

It is a weird thing, the hacker calls again and again on several lines. We are Sabbath observers and will not pick up the phone on Saturday.

I have seen my home alarm central station do this. When they want to program our system they will tell us that they will be calling rapid fire several times in a row and that we should not pick up the phone. They somehow get into the alarm control so that they can program. It seems like there is some sort of weak spot in the Obi where if the hacker knows your phone number and knows that you have an OBi, he can get into your system.

While you're "hardening" your OBi, you should also change its admin password (the default is "admin"!), to a nice long random string of characters.

As for the alarm system, no, that access method wouldn't apply to the OBi.  The alarm system's firmware listens for and counts rings on inbound calls.  Depending on the manufacturer and service provider, the alarm system is programmed to answer the phone after a certain sequence of rings (e.g. one ring and hang up, then another ring within x seconds).  When it recognizes that pattern, it answers the call, which enables it to communicate with the central station or service provider via the alarm system protocol.

And, change your OBiTALK account password.  If you are logging into OBiTALK using a Google Voice account via OAUTH, then there are further steps to take to harden access.
Title: Re: Obi508 Hacked
Post by: Taoman on March 06, 2016, 11:04:26 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM

Do you have any idea of how they get into the OBi in the first place?


I would assume sip scanners found your OBi device on port 5060. They then dialed your device via anonymous ip in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.

Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 03:21:01 AM
I have three other OBi 508s. Many of the SP are GoogleVoice. I assume that I should enable the
X_AcceptSipFromRegistrarOnly for all ports?

Also, what is the appropriate X_AccessList for GV.

Re: 'If you are logging into OBiTALK using a Google Voice account via OAUTH'. I think I am. I log in via browser and add GV using the OBitalk interface and GV password. What steps should I take.

I didn't realize that they could dial in via ip and then enter a star code. Even though I have disabled direct IP dialing, what is to stop them from dialing in from an outside line and entering star codes? My calls are answered by a regular answering system, they are therefore IN the system and can theoretically enter codes or even enter ***8 and reset my device????

Title: Re: Obi508 Hacked
Post by: SteveInWA on March 07, 2016, 03:30:58 AM
Quote from: sp508 on March 07, 2016, 03:21:01 AM
I have three other OBi 508s. Many of the SP are GoogleVoice. I assume that I should enable the
X_AcceptSipFromRegistrarOnly for all ports?

Also, what is the appropriate X_AccessList for GV.

Re: 'If you are logging into OBiTALK using a Google Voice account via OAUTH'. I think I am. I log in via browser and add GV using the OBitalk interface and GV password. What steps should I take.

I didn't realize that they could dial in via ip and then enter a star code. Even though I have disabled direct IP dialing, what is to stop them from dialing in from an outside line and entering star codes? My calls are answered by a regular answering system, they are therefore IN the system and can theoretically enter codes or even enter ***8 and reset my device????



FOUR OBi 508s?  What sort of spam/robocall/telemarketing operation are you running?  You're violating Google's Terms of Service.  You're lucky Google hasn't caught you yet and shut your numbers down.

http://www.google.com/intl/en_US/googlevoice/program-policies.html

Aside from that, GV doesn't use SIP, so the settings Taoman mentioned are not applicable to your GV SP slots.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 03:37:43 AM
No, no robo calls at all (I hate them as much as everyone does!)

I use the GV to enable campers in an overnight camp to call their parents. They all come at the same time so I set up a bunch of phones for them to use. I do it to make it easier for the kids to call home (at a great personal cost I may add). If you want to see which camp it is I will send you our web address privately.

Is X_AccessList also not applicable?

What kind of hardening do you recommend for GV?

Also, if a lot of kids call home at the same time over several hours (they all call home Friday afternoon) will GV shut me down even though I am legit?? Or will they give me the opportunity to show that I am legit.
Title: Re: Obi508 Hacked
Post by: SteveInWA on March 07, 2016, 03:54:43 AM
Quote from: sp508 on March 07, 2016, 03:37:43 AM
No, no robo calls at all (I hate them as much as everyone does!)

OK.  You get a gold star.

Quote
I use the GV to enable campers in an overnight camp to call their parents. They all come at the same time so I set up a bunch of phones for them to use. I do it to make it easier for the kids to call home (at a great personal cost I may add). If you want to see which camp it is I will send you our web address privately.

No thanks, but that sounds like a camp for entitled little whiners and their Millennial helicopter/whiner parents. Cue the "When I was a kid, we had to walk a mile to the camp outhouse and use leaves for TP." grousing.

::) ;D ::) ;D

Quote
Is X_AccessList also not applicable?

Correct.  The hackers wouldn't likely be coming in via Google Voice, unless you are using trivial passwords and giving them out to the kids (who knows what evil lurks in the minds of little deviants).  :o

Quote
What kind of hardening do you recommend for GV?

Also, if a lot of kids call home at the same time over several hours (they all call home Friday afternoon) will GV shut me down even though I am legit?? Or will they give me the opportunity to show that I am legit.

Your acquisition of multiple GV numbers isn't legit (ToS violation), regardless of what you are doing with them.  I recommend getting rid of those rule-breaking GV accounts, and just signing up with a SIP VoIP provider with a bunch of outbound channels and pay-per minute pricing.  If these phones are just being used for outbound calling, there really isn't a reason to pay for and keep track of inbound telephone numbers for each one.  You could assign the same, single DID (inbound) number to all the phones.  Add a small fee to the camper's bill for phoning home if it becomes a financial burden, but the cost of channels and outbound minutes is really cheap these days.

Heck, our forum member Sam_from_Circlenet is practically giving it away.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 07, 2016, 04:54:19 AM
I don't have an OBi508vs so am not sure if it has a configuration to restrict calls to certain area codes.

I use a FortiVoice (formerly TalkSwitch) system for my work and it has the ability to restrict calls and limit calling privileges on a per extension basis. The cost of a professional PBX system like mine would be less than 4 OBi508s (phones not included) and if used with a SIP provider, like Steve suggests, would provide the lines and security that would likely save money and frustrations in the long run. Additionally, as a hybrid PBX, it can also be connected to a few OBi202s to use analog lines with GV. The benefit is that it can add a measure of security and call restriction on top of the OBis--assuming they were plugged into the FV PBX to add analog (in addition to SIP) lines.

How many concurrent lines does the OP really need? Seems like these kids are really being spoiled.

Personally, if I were running a camp like this, I would place a limit on the number of phones campers could use...and they'll just have to wait their turn. If, on the other hand, the camp is for rich spoiled kids, it doesn't seem like a big deal to factor into the price of the camp, the telecommunications cost for these campers, if it has to go that way. If so, I would go with a SIP provider as Steve suggests. But for security purposes, I would go with a PBX that has additional layers of security like call restrictions (or call blocking) and a per extension privilege restriction.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 05:26:20 AM
Just to clarify. I am not using four OBi508s for the campers. One OBi is in the city office and three are at the camp. Of the three at the camp, two are used for the business offices and use PhonePower. The third OBi is used for campers. Last summer they too used PhonePower.

This summer I was thinking of using GV for the camper lines to save myself the PhonePower cost. I did not realize that it is against ToS. I will look into your suggestion or go back to PhonePower for the kids.

BTW: It is a not-for-profit camp. Kids aren't spoiled - they are great kids. The idea was mine because I am a techy kind of guy.

I do use one GV for myself and SteveInWA had mentioned that there is a way to harden OAUTH. I am interested in how to do that.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 07:07:25 AM
THEY HACKED ME AGAIN

Even with all the setting changes that you recommended they just hacked me. HELP, what should I do??

I did the following:

http://www.phonepower.com/wiki/Obihai_Lite#Disable_Direct_IP_Dialing

X_AcceptSipFromRegistrarOnly (if you find this setting, check the box and save your settings)
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 07:25:09 AM
Quote from: sp508 on March 07, 2016, 07:07:25 AM
THEY HACKED ME AGAIN

Even with all the setting changes that you recommended they just hacked me. HELP, what should I do??

I did the following:

http://www.phonepower.com/wiki/Obihai_Lite#Disable_Direct_IP_Dialing

X_AcceptSipFromRegistrarOnly (if you find this setting, check the box and save your settings)


Wow. Just woke up and I haven't had any coffee yet so I'm not thinking too clearly at this point.

Are you forwarding any ports in your router?
Do you have your OBi in a DMZ?
Exactly what kind of router are you using? (make and model)
Who is your ISP and what modem is being used?

Can you describe in detail (and maybe with a diagram) your entire network? Show the signal path between your OBi and your ISP. Are there ANY other points of entry into your network besides from your ISP?

Without coffee that's all the questions I can think of right now.

PS. Just out of general principle I would be changing all my passwords on all my devices to something VERY complex. This may be a brute force dictionary attack.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 07, 2016, 07:33:07 AM
Just wondering if there is a malware on the OP's computers so that every stroke or change made is readable by the hacker? If that is the case, changing to the most complex password will not help if a hacker is able to determine what exactly is being typed.

I would try (this is just brainstorming) to use a completely different laptop to change all the passwords (to a complex one at that) and see if that will prevent any hack.

I would also do a malware scan of all camp related computers and laptops...including personal devices used in the past to make the changes.

One should not rule out an internal hack or at least someone having access to that person.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 07:36:53 AM
Thanks VERY much for trying to help.

Using Verizon FiOS Router/Modem M1424WR. There is limited port forwarding see below with explanation.

Obi is not in DMZ
Not sure what you mean by signal path between Obi and ISP.

The wiring is OBi to router to Verizon. There are several computers on the system. They were all checked for viruses using AVAST and MalwareBytes. My server is behind Bitdefender.

In the past week I changed all SP passwords, GV password, I reset the router and changed the password. All the passwords were complex passwords.

I just looked at the local call history for the latest breach which occurred at 9AM EST and there were NO entries. Usually there is an indication of a call.

Is it possible my hacker is part of a 'TRUSTED' group?? I don't have any that I know of.

==================================
Router settings explanation:
100 - website
107 and ISY for controlling lights, Teredo (don't know what that is, it seems to come automatically I think having to do with IPv6)
localhost
127.0.0.1   Verizon FiOS Service
Tcp Any -> 4567   All Broadband Devices   Active   
   192.168.1.100
Destination Ports 8002
TCP Any -> 8002
UDP Any -> 8002   All Broadband Devices   Active   
   
   192.168.1.7
Destination Ports 1031
TCP Any -> 1031
UDP Any -> 1031   All Broadband Devices   Active   
   
   192.168.1.100:60301
Skype UDP at 192.168.1.100:60301 (3352)
UDP Any -> 60301   All Broadband Devices   Active   
   
   192.168.1.100:60301
Skype TCP at 192.168.1.100:60301 (3352)
TCP Any -> 60301   All Broadband Devices   Active   
   
   192.168.1.100:57179
Teredo
UDP Any -> 57179   All Broadband Devices   Active   
   
   192.168.1.181:62294
Teredo
UDP Any -> 62294   All Broadband Devices   Active   

Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 07:40:14 AM
I did this. I reset the OBi, went off site and used a computer that didn't belong to me. I started from scratch with a new OBiTalk account and ALSO put the OBI behind its own router. The hacker still got in. I think that points to a weakness in the OBi not a keystroke logger, correct?

Quote from: LTN1 on March 07, 2016, 07:33:07 AM
Just wondering if there is a malware on the OP's computers so that every stroke or change made is readable by the hacker? If that is the case, changing to the most complex password will not help if a hacker is able to determine what exactly is being typed.

I would try (this is just brainstorming) to use a completely different laptop to change all the passwords (to a complex one at that) and see if that will prevent any hack.

I would also do a malware scan of all camp related computers and laptops...including personal devices used in the past to make the changes.

One should not rule out an internal hack or at least someone having access to that person.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 07:54:15 AM
If someone was following my keystrokes, why would they need to call in a bunch of times. Doesn't make sense.

Somehow they are getting into the OBi.

Is it possible that if I avoid using SP1 which is what they keep on going after, they won't be able to get in again because I have hardened the OBi??
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 07:59:07 AM
The 508 apparently supports 9 VoIP accounts. Are all 9 being used for separate PhonePower lines? If not, how are they configured? The configuration changes you made should have stopped them. This makes me think they are using another route to get to your OBi.

What is the purpose of your "server?" Who all has access to it? How do they access it?
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 08:05:38 AM
I have 7 PhonePower accounts and one GV. The OBI508 has 8 ports but 9 SPs. I just deleted SP1 because of the problem and inserted SP9 in its place. Last time I deleted SP1 he then needed to call in to re-hack my system.

Just now when the hack was taking place. I was on a call on line 2 (SP1). I noticed that the light on line 1 (SP1) was on even though no phone calls came in.

My phone system is an old Panasonic 1232 with 12 CO lines and multiple extensions. I can therefore see which lines are being used. BUT if he 'called' into line 1 internally why would the indicator on my PBX show that light as being on???

The server is for camper registration. It is SSL.

Are you worried about the 'Teredo '
Title: Re: Obi508 Hacked
Post by: LTN1 on March 07, 2016, 08:20:02 AM
Quote from: sp508 on March 07, 2016, 07:54:15 AM
If someone was following my keystrokes, why would they need to call in a bunch of times. Doesn't make sense.

Somehow they are getting into the OBi.

Is it possible that if I avoid using SP1 which is what they keep on going after, they won't be able to get in again because I have hardened the OBi??

What service provider are you using for the SP1 slot?
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 08:21:50 AM
I was using PhonePower. I just deleted it and moved to SP9 with a hope that the problem would go away.
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 08:49:53 AM
Quote from: sp508 on March 07, 2016, 08:05:38 AM

Are you worried about the 'Teredo '

I am concerned that there is another pathway into your network that I am unaware of.

I can give you two more options to harden your PhonePower configuration but I'm not real hopeful since the first two configuration changes should have done it. As mentioned, I think another route is being used to access your OBi.

Change your UA port to 12060.
http://www.phonepower.com/wiki/Obihai_Lite#Obihai_SIP_Port_Change

Change your Voice Service>SPX service>X_InboundCallRoute to {>XXXXXXXXXX:phx}

where XXXXXXXXXX is your PP phone number and x is your desired phone port.
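
An added example, not part of the thread and not Obihai or PhonePower code: a Python sketch that audits a settings dump for the hardening items suggested above and diffs it against a known-good baseline to catch the call-forwarding change sp508 describes. The flat `SPn.Setting = value` layout, the sample values, and the key names `X_UserAgentPort` (for the "UA port") and `CallForwardUnconditionalNumber` are assumptions made for illustration.

```python
import re

# Constructed sample dump in a flat "SPn.Setting = value" layout (an assumed
# format for illustration, not the OBi's own backup file). Addresses and
# phone numbers are placeholders.
BASELINE = """\
SP1.X_AcceptSipFromRegistrarOnly = true
SP1.X_AccessList = 192.0.2.10
SP1.X_InboundCallRoute = {>5555550101:ph1}
SP1.X_UserAgentPort = 12060
SP1.CallForwardUnconditionalEnable = false
SP1.CallForwardUnconditionalNumber =
SP2.X_AcceptSipFromRegistrarOnly = false
SP2.X_AccessList =
SP2.X_InboundCallRoute = ph2
SP2.X_UserAgentPort = 5060
SP2.CallForwardUnconditionalEnable = false
SP2.CallForwardUnconditionalNumber =
SP8.CallForwardUnconditionalEnable = false
"""

# Same dump after the change described in the first post: forwarding switched
# on for SP1 and pointed at an international number (placeholder digits).
CURRENT = (
    BASELINE
    .replace("SP1.CallForwardUnconditionalEnable = false",
             "SP1.CallForwardUnconditionalEnable = true")
    .replace("SP1.CallForwardUnconditionalNumber =",
             "SP1.CallForwardUnconditionalNumber = 01153XXXXXXXX")
)

# The restricted route form from the post above: {>XXXXXXXXXX:phx}
RESTRICTED_ROUTE = re.compile(r"\{>\d+:ph\d?\}")


def parse(text):
    """Turn 'SPn.Setting = value' lines into {slot: {setting: value}}."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        slot, _, name = key.strip().partition(".")
        cfg.setdefault(slot, {})[name] = value.strip()
    return cfg


def audit(cfg, non_sip=()):
    """Return (slot, setting, message) findings for each SP slot.

    Slots named in non_sip (for example a Google Voice slot, which the thread
    says does not use SIP) are only checked for call forwarding.
    """
    findings = []
    for slot in sorted(cfg):
        s = cfg[slot]
        if s.get("CallForwardUnconditionalEnable", "false").lower() == "true":
            target = s.get("CallForwardUnconditionalNumber") or "unset"
            findings.append((slot, "CallForwardUnconditionalEnable",
                             "unconditional forwarding is on, target " + target))
        if slot in non_sip:
            continue
        if s.get("X_AcceptSipFromRegistrarOnly", "false").lower() != "true":
            findings.append((slot, "X_AcceptSipFromRegistrarOnly",
                             "SIP accepted from hosts other than the registrar"))
        if not s.get("X_AccessList"):
            findings.append((slot, "X_AccessList", "no access list set"))
        if not RESTRICTED_ROUTE.fullmatch(s.get("X_InboundCallRoute", "")):
            findings.append((slot, "X_InboundCallRoute",
                             "route is not limited to the line's own number"))
        if s.get("X_UserAgentPort", "5060") == "5060":
            findings.append((slot, "X_UserAgentPort", "listening on default 5060"))
    return findings


def drift(baseline, current):
    """Return (slot, setting, old, new) for every value that changed."""
    changes = []
    for slot in sorted(set(baseline) | set(current)):
        old, new = baseline.get(slot, {}), current.get(slot, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((slot, name, old.get(name), new.get(name)))
    return changes


if __name__ == "__main__":
    base, cur = parse(BASELINE), parse(CURRENT)
    for slot, name, old, new in drift(base, cur):
        print("CHANGED %s.%s: %r -> %r" % (slot, name, old, new))
    for slot, name, msg in audit(cur, non_sip={"SP8"}):
        print("FINDING %s.%s: %s" % (slot, name, msg))
```

Run against a dump taken after every reboot, the drift report shows which slots were altered and when, which is the kind of record a support ticket or syslog review can use.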
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 08:55:29 AM
Would I do 12061 for the next port and so on??
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 09:07:51 AM
Quote from: sp508 on March 07, 2016, 08:55:29 AM
Would I do 12061 for the next port and so on??

No. PP SIP server won't be listening on port 12061. Just do one line for now and make sure you can register successfully. PP SIP servers are sometimes slow to detect a registered UA on port 5060 is no longer really there.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 09:22:29 AM
Okay sp9 is set and works, should I do SP2? If so what settings: Is it also 12060 and {>XXXXXXXXXX:phx}?
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 09:24:34 AM
Quote from: sp508 on March 07, 2016, 09:22:29 AM
Okay sp9 is set and works, should I do SP2? If so what settings: Is it also 12060 and {>XXXXXXXXXX:phx}?


Yes.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 09:25:57 AM
okay trying

Noticed that X_AcceptResync is set to 'Yes without authentication'. Is that correct?
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 10:56:16 AM
I did for all my PP SPs. I did not do for my one GV SP. I assume that is correct?

Any other steps??
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 11:13:23 AM
Since I don't know what's going on and I don't know the OBi50x series and since you've moved SP1 to SP9, just to be overly paranoid I would disable the SP1 service.

Voice Service>SP1 Service>Enable  (uncheck the box and save your settings)
Title: Re: Obi508 Hacked
Post by: SteveInWA on March 07, 2016, 12:25:47 PM
Wow, sorry to hear about this.

Just following up on my comment and your subsequent question about GV security:

I assume that you've updated your OBis to their latest firmware level.  Since none of us have a 508, we can't look for you, but according to this forum's firmware section, the latest build is 4764 from June 2015.  The build level and release note information in that section are poorly maintained, so I suggest contacting Obihai about your issue in general, to see if they have any ideas.

Using the 2015 or newer firmware, access to one's Google Voice account no longer stores your Google account password on the device.  Instead, during the process of you provisioning GV on an OBi, via the OBiTALK web portal, OBiTALK will use the OAUTH 2.0 protocol to securely request and, with your approval, obtain a secure access token for the Google Chat service used by OBi devices.

I am not a security expert, so I don't know if the attacker is using your GV account(s).  I doubt it.  But, as we've been discussing, a shotgun, pre-emptive change of all passwords would be a good idea. 

If you can, I would delete all of the Google Voice SP configs on your OBi(s).  Then, log into your Google accounts and go here:  https://security.google.com/settings/security/permissions?pli=1

Find and click on, and then delete, all the permissions that have the tiny OBiTALK logo to the left, e.g. "Google Voice".  Delete any permissions for apps you don't use or don't recognize.

This will delete the OAUTH 2.0 permission that had been granted for OBiTALK.

Change your Google account passwords to new, unique (not used on any other website) passwords.

There are also two potentially different passwords for OBi stuff:  when you sign into your OBiTALK dashboard account, you either use a user ID and password you created specifically for OBiTALK, or you use your Google account password, again, via OAUTH.  Figure out which method you are using, and change the password accordingly.  Then, each OBi device has an admin password.  If you haven't changed those, do so now.
Title: Re: Obi508 Hacked
Post by: SteveInWA on March 07, 2016, 02:12:34 PM
This is off-topic and probably not your issue, but I re-read the discussion thread, and noticed:

Quote
Using Verizon FiOS Router/Modem M1424WR

I've been a FiOS customer since day 1 of availability here.  I was originally given one of those routers.  Actiontec made several revisions of the device, so my experience with the 1st gen could be different than yours.  The router had confusing and unusual configuration menus and poor performance.  I got rid of it years ago, and I have upgraded routers several times since then, all Linksys consumer routers.  I now use a current-generation Linksys router with AC1900 WiFi. 

Verizon (well, now Frontier) doesn't care what router you use, although their tech support may whine a bit if you call in a problem, since they like to remote into the Actiontec routers for problem determination.  Your FiOS ONT (Optical Network Terminal) creates the fiber<-->Ethernet bridge, and whatever router is plugged into it will obtain the DHCP lease from the host.  There's nothing special or magic about needing to use that old Actiontec router, and I have no idea if it has any security vulnerabilities.  The fact that you cascaded another router downstream of the Actiontec should mitigate that, but you really don't need two routers.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 05:25:21 PM
Okay they got me again! I am attaching a log of the local settings. Somehow they got in and changed the same four: SP1-SP4.

Again the light on my line 1 (phone number ending ...515, now SP9) was on, even though SP9 was not affected. When I broke into and conferenced the line there was beeping. The beeping was not like a fax machine, just tones.

The log contains SP1-4 which were hit and then SP9 which was not hit and SP5,6,7,8 are the same.

PLEASE HELP.

Called OBi and 'they will get back to me.' I have been waiting for two weeks for any kind of real help from them.
Title: Re: Obi508 Hacked
Post by: Ostracus on March 07, 2016, 06:12:09 PM
Quote from: Taoman on March 06, 2016, 11:04:26 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM

Do you have any idea of how they get into the OBi in the first place?


I would assume sip scanners found your OBi device on port 5060. They then dialed your device via anonymous ip in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.



My reading of the manual (http://www.obihai.com/docs/OBi508AdminGuide.pdf) indicates star codes can only be entered via the PHONE port.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 06:19:30 PM
They are continuously hacking SP1, SP2, SP3 and SP4.

They seem to be able to do it at will.

It most definitely has something to do with them calling in. But I don't know how they do it.

I have a PBX which after a certain number of rings picks up the call.

But they seem to be able to light up the light on the PBX without the phone ringing. I am not positive about that but pretty sure. I don't know how they do that.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 07, 2016, 06:40:30 PM
Quote from: sp508 on March 07, 2016, 06:19:30 PM
They are continuously hacking SP1, SP2, SP3 and SP4.

They seem to be able to do it at will.

It most definitely has something to do with them calling in. But I don't know how they do it.

I have a PBX which after a certain number of rings picks up the call.

But they seem to be able to light up the light on the PBX without the phone ringing. I am not positive about that but pretty sure. I don't know how they do that.

Regardless of whether there is a security defect in the OBi508vs device or not, I doubt that you will get the support that you need here. If you are determined to continue to use your 508, a high tech security consultant would be helpful. The problem is that the fee charged would likely far exceed your 508.

Would you consider going to a more secured system like this: https://www.corporatearmor.com/documents/talkswitch_datasheet.pdf (or equivalent, regardless of product manufacturer)
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 06:43:47 PM
Quote from: sp508 on March 07, 2016, 07:40:14 AM
I did this. I reset the OBi, went off site and used a computer that didn't belong to me. I started from scratch with a new OBiTalk account and ALSO put the OBI behind its own router. The hacker still got in. I think that points to a weakness in the OBi not a keystroke logger, correct?

Given that you say you've done all the above in addition to the configuration changes I suggested I am at a loss. Unless there is a "feature" or defect in the OBi508 I'm unaware of I just don't see how this could be an external hack. I'm no network guru but it seems like they are accessing your OBi device from your internal network. But that's just a guess.

Edit: I guess I missed the PBX part. How is your PBX connected to the OBi and the outside world? Continuing on my guess, could they be hacking your PBX to get to your OBi?

What exactly has Obihai support said to you? Have they asked you to set up a syslog?
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 06:46:02 PM
Quote from: Ostracus on March 07, 2016, 06:12:09 PM
Quote from: Taoman on March 06, 2016, 11:04:26 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM

Do you have any idea of how they get into the OBi in the first place?


I would assume sip scanners found your OBi device on port 5060. They then dialed your device via anonymous ip in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.



My reading of the manual (http://www.obihai.com/docs/OBi508AdminGuide.pdf) indicates star codes can only be entered via the PHONE port.

Seems logical. Just didn't know if things might be different with the 508.
Title: Re: Obi508 Hacked
Post by: Taoman on March 07, 2016, 06:49:22 PM
Quote from: LTN1 on March 07, 2016, 06:40:30 PM

Regardless of whether there is a security defect in the OBi508vs device or not, I doubt that you will get the support that you need here. If you are determined to continue to use your 508, a high tech security consultant would be helpful. The problem is that the fee charged would likely far exceed your 508.

You may very well be correct. I would hope there will be more help from Obihai support forthcoming.

Edit: I'm going to reach out to a couple top notch VoIP troubleshooters and see if they'd be willing to take a look at this thread and perhaps offer a suggestion. It's certainly over my head.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 06:52:05 PM
Thanks for all your help! Really.

OBi has done almost nothing. No, no syslog. They do not respond to support tickets (perhaps once or twice with very curt and lame suggestions). They did not try to 'harden' the OBi the way you suggested. When I call they want me to get off the phone.

I called again today and demanded some attention and help. I sent them an entire log of what was going on but so far no response.

Re PBX: The PBX CO lines are connected to the OBi. The PBX has NO connection to the outside world other than the CO lines going to the OBi and electric power. So a call would have to go through the OBi to ring on the PBX. Don't see how they could hack the PBX. When you hit * on a voicemail, the Voicemail hangs up on you.

Perhaps they are in my network with a virus. But if so they are accomplishing nothing. Long distance calls are disabled at PP. As I mentioned, I did extensive virus scanning. I set up a new OBi at a different location with a friend's computer and still they got in.

It really seems that the only thing that stayed the same in the whole process is the phone number that is being hacked called and SP1-4 being changed.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 07, 2016, 07:06:32 PM
Quote from: sp508 on March 07, 2016, 06:52:05 PM

It really seems that the only thing that stayed the same in the whole process is the phone number that is being hacked called and SP1-4 being changed.


Perhaps a cheaper solution is to change the number but if it is a main number as on business cards, letterheads, etc., quite a sacrifice to take.
Title: Re: Obi508 Hacked
Post by: sp508 on March 07, 2016, 07:26:38 PM
Probably will go with Vonage for that one line and see what happens.
Title: Re: Obi508 Hacked
Post by: SteveInWA on March 07, 2016, 09:38:58 PM
Quote from: Ostracus on March 07, 2016, 06:12:09 PM
Quote from: Taoman on March 06, 2016, 11:04:26 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM

Do you have any idea of how they get into the OBi in the first place?


I would assume sip scanners found your OBi device on port 5060. They then dialed your device via anonymous ip in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.



My reading of the manual (http://www.obihai.com/docs/OBi508AdminGuide.pdf) indicates star codes can only be entered via the PHONE port.

After mulling this over while running errands today, I was going to post this same comment.  I don't see how anyone could attack the device over a phone call, regardless if they're calling the PSTN number or via a direct SIP URI.

It's why I spent time emphasizing generic account password hardening, on all points of entry:  the OBiTALK account portal user ID/PW, the administrative password for the OBi 508's own web server interface, and the SIP credentials.

Aside from that, I believe this is an "inside job", meaning, somebody is gaining access to your LAN.  Are you running a web server, for example, with open ports, that could be compromised?  Anyone with access to port 80 on your LAN and knowledge of the OBi's password could do this sort of damage.
Title: Re: Obi508 Hacked
Post by: ianobi on March 08, 2016, 02:41:37 AM
With reference to replies #22 to #26, concerning UserAgentPorts, I think there has been a misunderstanding.

I do agree with Taoman that you should change these away from the defaults. However, 5060 and 12060 are the PhonePower servers' "SIP listening ports". These values can be set here:
Service Providers -> ITSP Profile X -> SIP -> ProxyServerPort : 12060
This will have no effect on scanners looking for a way in to your OBi.

The UserAgentPort is the "SIP listening port" for each individual OBi spX. They should all be different. Set them at random numbers above 32000. Each OBi spX will send a REGISTER message to the PhonePower servers telling them where to send calls to ipaddress/port – the port will be whatever you have set in the UserAgentPort. This is a sensible change for all OBi owners as one more measure to defeat SIP scanners.

I don't use PhonePower, but I note that on their website there is advice on changing the SIP port of their softphone:
Quote:
Click on the check box Open random port above 32000 to allow the entry field to be modified and type in the requested SIP port.

Up to now you have only used default UserAgentPort settings and the advertised 12060, so scanners will be having an easy job getting in to your OBi. Using random ports above 32000 will make it much harder. Of course, if the problem is an "inside job" as Steve describes, then it will not help, but it is a good safety measure in any case.

Good luck with solving your problem.
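
The checks suggested in this thread can be collected into a small audit, shown here as an added example that is not part of ianobi's post or of any Obihai tool. The settings dict is a constructed stand-in, not the OBi's real export format; the setting names are the ones used in the thread, except CallForwardUnconditionalNumber, which is an assumed name for the forward target.

```python
import secrets

# Ports the thread names as widely known: 5060 (standard SIP) and 12060 (PhonePower).
WELL_KNOWN_SIP_PORTS = {5060, 12060}
MIN_PORT, MAX_PORT = 32001, 65535  # "random numbers above 32000"

# Constructed sample: one entry per OBi spX trunk.
SAMPLE_TRUNKS = {
    "SP1": {"UserAgentPort": 5060, "X_AcceptSipFromRegistrarOnly": False,
            "CallForwardUnconditionalEnable": True,
            "CallForwardUnconditionalNumber": "<forward-target>"},  # assumed key name
    "SP2": {"UserAgentPort": 5060, "X_AcceptSipFromRegistrarOnly": True},
    "SP3": {"UserAgentPort": 20000, "X_AcceptSipFromRegistrarOnly": True},
    "SP4": {"UserAgentPort": 40123, "X_AcceptSipFromRegistrarOnly": True},
}


def audit_trunks(trunks):
    """Return (trunk, finding) tuples for a dict of per-SP settings."""
    findings = []
    seen = {}  # port -> first trunk that uses it
    for name, cfg in sorted(trunks.items()):
        port = cfg["UserAgentPort"]
        if port in WELL_KNOWN_SIP_PORTS:
            findings.append((name, f"UserAgentPort {port} is a well-known SIP port"))
        elif port < MIN_PORT:
            findings.append((name, f"UserAgentPort {port} is not above 32000"))
        if port in seen:
            findings.append((name, f"UserAgentPort {port} is also used by {seen[port]}"))
        else:
            seen[port] = name
        if not cfg.get("X_AcceptSipFromRegistrarOnly", False):
            findings.append((name, "X_AcceptSipFromRegistrarOnly is off"))
        if cfg.get("CallForwardUnconditionalEnable", False):
            target = cfg.get("CallForwardUnconditionalNumber", "")
            findings.append((name, f"unconditional call forwarding is on, target {target!r}"))
    return findings


def assign_random_ports(trunks, rng=None):
    """Return a copy of trunks with a distinct random UserAgentPort above 32000 each."""
    rng = rng or secrets.SystemRandom()
    ports = rng.sample(range(MIN_PORT, MAX_PORT + 1), len(trunks))  # no repeats
    return {name: {**cfg, "UserAgentPort": port}
            for (name, cfg), port in zip(sorted(trunks.items()), ports)}


if __name__ == "__main__":
    for trunk, finding in audit_trunks(SAMPLE_TRUNKS):
        print(f"{trunk}: {finding}")
    for trunk, cfg in assign_random_ports(SAMPLE_TRUNKS).items():
        print(f"{trunk}: new UserAgentPort {cfg['UserAgentPort']}")
```

Changing the ports only addresses outside scanners; the forwarding and registrar findings remain until those settings are changed on the device itself.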

Title: Re: Obi508 Hacked
Post by: sp508 on March 13, 2016, 05:42:03 AM
Thank you everyone for your help!!!

Last night at around 11 PM a call came in on Line 2. Caller ID showed private. I didn't take the call but the call went to VM on my desk. My voicemail allows me to screen messages and pick up as the messages are being left. I was able to hear that tones were being dialed.

Then the indicator light on Line 1 went on. This happened without any incoming call. I barged into Line 1 and heard tones again.

There was a flurry of incoming calls.

My phone system is an old analog system. It has several ports that are for VM. Those ports had access to all CO lines (including 1 & 2).

I am wondering if the hacker is simply getting into my voicemail. Dialing 9 to get an outside line. Then he dials *72 (All Call Forward) to his Cuban number and this is the way he hacks!

I have since disabled CO access to the VM ports and put a password on the Voicemail Extension that he was using.

Scary to think that he would know which phone system I have, know my phone numbers and call in when the phones aren't being used for a while.

Now, if this is the way he hacked is it correct to say that he would not need to do any additional programming on the OBi. Remember SP1-4 and OBiTalk Service are all enabled for this field CallForwardUnconditionalEnable with a specific Cuban phone number.

What does everyone think???

Just to get it out there: The number he is calling from is 239 234 4377/8 is there a way to see where he is calling from?? It says Naples, Florida on the Caller ID. AND does anyone have experience with that number being a hacker?
Title: Re: Obi508 Hacked
Post by: Orple on March 13, 2016, 06:22:24 AM
Wow, I'm so sorry. This seems to be a dangerous man that needs to be reported. The number belongs to Ymax Communications in Naples, FL and is VoIP. White pages has the number listed as scam/fraud. He is sexually abusing and hacking into people's accounts, including bank. He uses Craig's list, Facebook, every means possible. He goes by many names. One person said it is a MagicJack number and when he/she received call from this number it was a friend stationed overseas but number could belong to someone else now. But, another commenter said he claims to be a marine stationed in Somalia (same country told to other people too) so I suspect the one to claim him as a friend is also being scammed. Good luck.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 13, 2016, 07:26:03 AM
Quote from: sp508 on March 13, 2016, 05:42:03 AM

My phone system is an old analog system. It has several ports that are for VM. Those ports had access to all CO lines (including 1 & 2).

I am wondering if the hacker is simply getting into my voicemail. Dialing 9 to get an outside line. Then he dials *72 (All Call Forward) to his Cuban number and this is the way he hacks!

I have since disabled CO access to the VM ports and put a password on the Voicemail Extension that he was using.

Scary to think that he would know which phone system I have, know my phone numbers and call in when the phones aren't being used for a while.

Now, if this is the way he hacked is it correct to say that he would not need to do any additional programming on the OBi. Remember SP1-4 and OBiTalk Service are all enabled for this field CallForwardUnconditionalEnable with a specific Cuban phone number.

What does everyone think???

Just to get it out there: The number he is calling from is 239 234 4377/8 is there a way to see where he is calling from?? It says Naples, Florida on the Caller ID. AND does anyone have experience with that number being a hacker?

Having experienced using and configuring analog to IP PBXs for over 10 years for my own work (though I'm not an IT professional), it is now clear to me that the security weakness in your configuration lies not with the OBi508vs but with your PBX system that is behind the OBi.

If you want to keep some sort of call bridge or call forwarding (whatever it is called in a particular PBX system), you have to set up a strong enough password that requires manual input each time a person externally calls in to use that feature. If your PBX doesn't require a strong enough manual password to dial out on a call bridge/forwarding, you are stuck with turning off that feature for the entire system or upgrading to a more secured PBX if you want such a feature.
Title: Re: Obi508 Hacked
Post by: sp508 on March 13, 2016, 07:30:00 AM
I disabled calling out for the VoiceMail ports. So theoretically he cannot call out.

But how can he do CallForwardUnconditionalEnable on SP1-4 and OBiTalk by just using the phone keypad??
Title: Re: Obi508 Hacked
Post by: LTN1 on March 13, 2016, 07:35:07 AM
It is highly unlikely that he can reconfigure the call forwarding part of the OBi from a phone keypad since none of us can. It requires knowing the password and going into the OBi dashboard to make such a configuration. Based on the OBi abilities at this time, I would say it would not be possible to make the configuration that way by mere key tone entry remotely.

In addition to turning off that feature when in your VM, do you have any type of auto-attendant that allows for that remote call forwarding feature? If you do, then you should turn it off there too.
Title: Re: Obi508 Hacked
Post by: sp508 on March 13, 2016, 09:02:32 AM
It does seem like once I get him out of the system by deleting an SP or the like, he needs to CALL in to get back in. Once he gets in he seems to be able to change the settings without calling in.

Is it possible that there is a two step process: He needs to call in to get some information or to enable something that allows him access (perhaps adding himself as a Trusted member). Then, once he has breached the system, he can make changes online without calling in??

This is the way it seems to happen each time.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 13, 2016, 12:14:09 PM
Your problem is with your PBX system, not the OBi.

If your PBX system allows for remote configuration (that is, calling in from an outside line), then an outside caller, with the master password can technically call in and reactivate the call bridging/forwarding feature that you have on your PBX system.

The caller will unlikely be able to remotely reconfigure your OBi device by keypad alone. It will require hacking into your online OBiTalk dashboard also.

The bottom line is, you have a problem with the security of your PBX. It is not related to the OBi, except once your PBX has been hacked, it uses the OBi lines to call out. If you can stop any remote configuration changes to your PBX, that would likely solve your immediate problem.

If you can't secure your PBX, then it is time to get another PBX with better security features.
Title: Re: Obi508 Hacked
Post by: sp508 on March 13, 2016, 12:38:55 PM
I put passwords on all PBX extensions. I disabled outside CO lines on the PBX. So I believe the PBX is secured now.

Still don't know how he did all the programming on OBi local. Any clues?? I assume he could do *72, but does that get migrated to the local OBi settings???

Apparently, he is a known hacker http://whocallsme.com/Phone-Number.aspx/2392344378

I wonder if I should report to the FBI.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 13, 2016, 02:21:18 PM
Quote from: sp508 on March 13, 2016, 12:38:55 PM
I put passwords on all PBX extensions. I disabled outside CO lines on the PBX. So I believe the PBX is secured now.

Still don't know how he did all the programming on OBi local. Any clues?? I assume he could do *72, but does that get migrated to the local OBi settings???

Apparently, he is a known hacker http://whocallsme.com/Phone-Number.aspx/2392344378

I wonder if I should report to the FBI.

I don't have the 508 but part of the advertising says:

Software Feature Highlights:

    Call Signaling for Up to 8 SIP-Based Voice Services: SIP (UDP/TCP/TLS)
    OBiTALK Calling: Allows for Voice Communications Between OBi Devices and Smart Phone Apps
    VoIP Codecs Supported: G.711, G.726, G.729, G.722, iLBC
    Fax Over IP: T.38 Real-Time Fax over IP, G.711 Transparent Fax (Automatic)
    Obihai Call Routing and Bridging Technology: Allows for Full-matrix Switching Amongst Available Services (VoIP, Land Line or Mobile Phone) and/or Ports
    Secure Provisioning and Management via the OBiTALK Cloud or via TFTP, HTTP/S or via Integral Web Page
    Globally Localizable: Allows for Country-Specific Dialing, Ringing, In-call Tones and PSTN (FXO) Interoperability - Requires OBiLINE USB to FXO Adapter(s)

You can additionally disable all of the call forwarding/bridging capabilities of the OBi508vs.

I think what I am seeing here is the headache of using lower end PBX systems, including the OBi508vs. They're just not designed to be user friendly in warding off a sophisticated hacker. It's not what you want to hear but I want to bring this point up so you don't fully blame Obihai or your lower end analog PBX system for everything the hacker is doing. There's a reason why businesses spend tens of thousands of dollars on security devices and software--and a $400 device isn't going to be up to par with the higher end ones.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 13, 2016, 03:04:50 PM
Here's a sample configuration page in my PBX that allows for limited access and PIN security for any outbound calls. It has many features, including the ability to easily stop any call bridging/forwarding with a check or uncheck.

Since it is a hybrid PBX, it even allows for the OBi202 to be connected to some of its analog phone lines. Say you have two OBi202 lines connected, all incoming and outgoing calls will be handled by the PBX. The only purpose for the OBi202 is to provide telephone lines. Security is regulated at the PBX level.

The system that we have employs a number of redundant features. It includes landlines that won't go down in case of a long-term power failure. It employs pure VoIP lines like CallCentric, Localphone, etc. It even has GV lines through the OBi device--which is useful for its T.38 feature.

The system (not phones), when purchased new, was only $1500. It has 4 analog lines and 8 SIP trunks (for VoIP lines)--for a total of 12 concurrent lines. I have an extra identical system as a backup or to act as a daisy chain if we needed more lines--but that is unlikely since for our small office, 12 lines is more than enough. Out of that 12 lines, we can program up to 70 extensions either locally or remotely. For example, in your camp situation, you can actually operate using one system at the main office and just set up VoIP extension phones connected to the camp's LAN and it will be exactly like an extension phone at the main office hundreds of miles away.

Consider upgrading if your system isn't secure or easy to use.
Title: Re: Obi508 Hacked
Post by: sp508 on March 14, 2016, 05:55:55 PM
So far so good. Ever since I password protected the voice mail extensions and disabled the VM ports from being able to make outgoing calls (hence having access to the OBi ports) the hacker has not attacked.

I sent a request to OBi tech support asking how to disable 'Bridging' but have not gotten a response.

To LTN1. My analog system has 24 CO lines and appx 90 extensions along with integrated Voice Mail. I am loath to switch - unless, of course, I have to.

I would love to have a brand new VoIP system, but my understanding is that I would need a CAT5 connection to each phone. My extensions are spread out over 60 acres and rewiring would cost $20,000+.
Title: Re: Obi508 Hacked
Post by: LTN1 on March 15, 2016, 07:07:13 AM
Quote from: sp508 on March 14, 2016, 05:55:55 PM
So far so good. Ever since I password protected the voice mail extensions and disabled the VM ports from being able to make outgoing calls (hence having access to the OBi ports) the hacker has not attacked.

I sent a request to OBi tech support asking how to disable 'Bridging' but have not gotten a response.

To LTN1. My analog system has 24 CO lines and appx 90 extensions along with integrated Voice Mail. I am loath to switch - unless, of course, I have to.

I would love to have a brand new VoIP system, but my understanding is that I would need a CAT5 connection to each phone. My extensions are spread out over 60 acres and rewiring would cost $20,000+.

Good to hear that it is working. If something works, no need to change...I only brought up the possibility for an upgrade PBX if it doesn't work.

If, however, you plan to one day upgrade to an IP system and move away from your analog PBX, the cost of ethernet or CAT5 connections won't be nearly as large if you go with WIFI capable ethernet hubs at remote areas of your compound. Assuming you have WIFI signal boosts/extenders throughout your large compound, you would only need to install WIFI ethernet hubs near your VoIP connected phones or other devices needing ethernet connection. For the single remote location where you only need a phone or two, you can just get a WIFI enabled VoIP phone for that location without the need to set up a WIFI ethernet hub.

The sample WIFI ethernet hubs that I'm talking about are here:
https://www.iogear.com/product/GWU647/
http://www.newegg.com/Product/Product.aspx?Item=N82E16833150130&nm_mc=KNC-GoogleAdwords-PC&cm_mmc=KNC-GoogleAdwords-PC-_-pla-_-Network+-+Firewalls-_-N82E16833150130&gclid=Cj0KEQjw5Z63BRCLqqLtpc6dk7gBEiQA0OuhsDWylM3uqti2gB26kEMW17DLVlHYasA3JFdukuoVf90aAnyo8P8HAQ&gclsrc=aw.ds

Only do VoIP at your location after testing it on a smaller scale. Otherwise, I like the redundancy and stability of having landlines also in the event there are VoIP connection issues. It costs more but it is the cost of doing business in my opinion. So if you ever transition, I would have a hybrid system as a fallback to one or two landlines if necessary. Otherwise, everything else can go VoIP to save money in the long run.