Obi508 Hacked

Started by sp508, March 06, 2016, 06:20:26 PM


sp508

Someone is hacking into my Obi by calling continuously on one of the lines. They somehow break in and then seem to be able, at will, to change the local Obi settings. They enable CallForwardUnconditionalEnable on 4 of the SPs to a Cuban number. When people call they are forwarded automatically. We don't receive the calls. We have obviously disabled international calls on PhonePower (our SP) but then they get a message 'international calls are not allowed'.

When we reboot the Obi, the OBiTalk settings bring things back to normal.

They re-enable the 'Cuban' settings by calling the OBi directly (seemingly bypassing the Service Provider) and somehow changing the settings.

I have tried many, many solutions without success (disabling Auto Provisioning, taking OBiTalk offline, resetting the OBi and starting from scratch, programming from offsite to make sure that there is no virus in my system, setting up an additional router in front of the Obi). All to no avail.

When I look at the call history I see the following was done right before the settings are changed to Cuban mode:

21:34:09   From SP5()   To PH5
21:34:09      Ringing
21:34:34      Call Connected
21:35:35   Call Ended   



Any help, please, please.

Taoman

Have never seen or configured a 50x series device so this is a guess.

Since you are using PhonePower this may be helpful if your configuration has an X_AccessList setting.

http://www.phonepower.com/wiki/Obihai_Lite#Disable_Direct_IP_Dialing

You might also look for the following setting (if you have it) under your Voice Service settings:

X_AcceptSipFromRegistrarOnly (if you find this setting, check the box and save your settings)

sp508

Thank you so much!! I have been literally struggling with this for two weeks. Phones would be effectively disabled because they were auto forwarded. Unfortunately OBi tech support had really NOT been helpful with this.

I implemented both of your suggestions and hope it will work. It seems right.

Do you have any idea of how they get into the OBi in the first place?

It is a weird thing, the hacker calls again and again on several lines. We are Sabbath observers and will not pick up the phone on Saturday.

I have seen my home alarm central station do this. When they want to program our system they will tell us that they will be calling rapid fire several times in a row and that we should not pick up the phone. They somehow get into the alarm control so that they can program. It seems like there is some sort of weak spot in the Obi where if the hacker knows your phone number and knows that you have an OBi, he can get into your system.

SteveInWA

Quote from: sp508 on March 06, 2016, 08:22:14 PM
Thank you so much!! I have been literally struggling with this for two weeks. Phones would be effectively disabled because they were auto forwarded. Unfortunately OBi tech support had really NOT been helpful with this.

I implemented both of your suggestions and hope it will work. It seems right.

Do you have any idea of how they get into the OBi in the first place?

It is a weird thing, the hacker calls again and again on several lines. We are Sabbath observers and will not pick up the phone on Saturday.

I have seen my home alarm central station do this. When they want to program our system they will tell us that they will be calling rapid fire several times in a row and that we should not pick up the phone. They somehow get into the alarm control so that they can program. It seems like there is some sort of weak spot in the Obi where if the hacker knows your phone number and knows that you have an OBi, he can get into your system.

While you're "hardening" your OBi, you should also change its admin password (the default is "admin"!) to a nice long random string of characters.

As for the alarm system, no, that access method wouldn't apply to the OBi.  The alarm system's firmware listens for and counts rings on inbound calls.  Depending on the manufacturer and service provider, the alarm system is programmed to answer the phone after a certain sequence of rings (e.g. one ring and hang up, then another ring within x seconds).  When it recognizes that pattern, it answers the call, which enables it to communicate with the central station or service provider via the alarm system protocol.

SteveInWA

Quote from: SteveInWA on March 06, 2016, 09:53:55 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM
Thank you so much!! I have been literally struggling with this for two weeks. Phones would be effectively disabled because they were auto forwarded. Unfortunately OBi tech support had really NOT been helpful with this.

I implemented both of your suggestions and hope it will work. It seems right.

Do you have any idea of how they get into the OBi in the first place?

It is a weird thing, the hacker calls again and again on several lines. We are Sabbath observers and will not pick up the phone on Saturday.

I have seen my home alarm central station do this. When they want to program our system they will tell us that they will be calling rapid fire several times in a row and that we should not pick up the phone. They somehow get into the alarm control so that they can program. It seems like there is some sort of weak spot in the Obi where if the hacker knows your phone number and knows that you have an OBi, he can get into your system.

While you're "hardening" your OBi, you should also change its admin password (the default is "admin"!) to a nice long random string of characters.

As for the alarm system, no, that access method wouldn't apply to the OBi.  The alarm system's firmware listens for and counts rings on inbound calls.  Depending on the manufacturer and service provider, the alarm system is programmed to answer the phone after a certain sequence of rings (e.g. one ring and hang up, then another ring within x seconds).  When it recognizes that pattern, it answers the call, which enables it to communicate with the central station or service provider via the alarm system protocol.

And, change your OBiTALK account password.  If you are logging into OBiTALK using a Google Voice account via OAUTH, then there are further steps to take to harden access.

Taoman

Quote from: sp508 on March 06, 2016, 08:22:14 PM

Do you have any idea of how they get into the OBi in the first place?


I would assume SIP scanners found your OBi device on port 5060. They then dialed your device via anonymous IP in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.
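A defender-side model of the two settings named earlier in the thread (X_AcceptSipFromRegistrarOnly and X_AccessList), as an added example that is not code from the thread or from Obihai: it runs constructed SIP INVITE log lines through both checks and reports which sources would have been rejected. The registrar address, the access-list network and the log-line format are all assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (assumed format: "<time> INVITE from <ip> To: <uri>").
# 203.0.113.10 plays the provider's registrar; the other two are direct-IP callers.
SAMPLE_LOG = """\
21:34:09 INVITE from 203.0.113.10 To: sip:5551234@192.0.2.50
21:34:10 INVITE from 198.51.100.7 To: sip:5551234@192.0.2.50
21:34:12 INVITE from 192.0.2.200 To: sip:5551234@192.0.2.50
21:34:30 INVITE from 198.51.100.7 To: sip:5551234@192.0.2.50
"""

# Placeholder values: the real PhonePower registrar and a suitable X_AccessList
# are not given on the page.
REGISTRAR_IP = "203.0.113.10"
ACCESS_LIST = ["203.0.113.0/24"]

LINE_RE = re.compile(r"^(?P<time>\S+) INVITE from (?P<ip>[\d.]+) To: (?P<to>\S+)$")


def accept_from_registrar_only(src_ip: str, registrar_ip: str) -> bool:
    """Model of X_AcceptSipFromRegistrarOnly: only the registrar may send INVITEs."""
    return src_ip == registrar_ip


def in_access_list(src_ip: str, access_list) -> bool:
    """Model of X_AccessList: the source must fall inside an allowed network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in access_list)


def triage(log_text: str, registrar_ip=REGISTRAR_IP, access_list=ACCESS_LIST):
    """Return (accepted, rejected) source-IP lists for the INVITEs in log_text."""
    accepted, rejected = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not INVITEs in the assumed format
        ip = m.group("ip")
        if accept_from_registrar_only(ip, registrar_ip) and in_access_list(ip, access_list):
            accepted.append(ip)
        else:
            rejected.append(ip)
    return accepted, rejected


def repeat_offenders(rejected, threshold=2):
    """Sources rejected at least `threshold` times: the 'calls again and again' pattern."""
    counts = {}
    for ip in rejected:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LOG)
    print("accepted:", ok)
    print("rejected:", bad)
    print("repeat offenders:", repeat_offenders(bad))
```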


sp508

I have three other OBi 508s. Many of the SPs are GoogleVoice. I assume that I should enable X_AcceptSipFromRegistrarOnly for all ports?

Also, what is the appropriate X_AccessList for GV?

Re: 'If you are logging into OBiTALK using a Google Voice account via OAUTH'. I think I am. I log in via browser and add GV using the OBitalk interface and GV password. What steps should I take?

I didn't realize that they could dial in via IP and then enter a star code. Even though I have disabled direct IP dialing, what is to stop them from dialing in from an outside line and entering star codes? My calls are answered by a regular answering system; they are therefore IN the system and can theoretically enter codes or even enter ***8 and reset my device????


SteveInWA

Quote from: sp508 on March 07, 2016, 03:21:01 AM
I have three other OBi 508s. Many of the SPs are GoogleVoice. I assume that I should enable X_AcceptSipFromRegistrarOnly for all ports?

Also, what is the appropriate X_AccessList for GV?

Re: 'If you are logging into OBiTALK using a Google Voice account via OAUTH'. I think I am. I log in via browser and add GV using the OBitalk interface and GV password. What steps should I take?

I didn't realize that they could dial in via IP and then enter a star code. Even though I have disabled direct IP dialing, what is to stop them from dialing in from an outside line and entering star codes? My calls are answered by a regular answering system; they are therefore IN the system and can theoretically enter codes or even enter ***8 and reset my device????



FOUR OBi 508s?  What sort of spam/robocall/telemarketing operation are you running?  You're violating Google's Terms of Service.  You're lucky Google hasn't caught you yet and shut your numbers down.

http://www.google.com/intl/en_US/googlevoice/program-policies.html

Aside from that, GV doesn't use SIP, so the settings Taoman mentioned are not applicable to your GV SP slots.

sp508

No, no robo calls at all (I hate them as much as everyone does!)

I use the GV to enable campers in an overnight camp to call their parents. They all come at the same time so I set up a bunch of phones for them to use. I do it to make it easier for the kids to call home (at a great personal cost I may add). If you want to see which camp it is I will send you our web address privately.

Is X_AccessList also not applicable?

What kind of hardening do you recommend for GV?

Also, if a lot of kids call home at the same time over several hours (they all call home Friday afternoon) will GV shut me down even though I am legit?? Or will they give me the opportunity to show that I am legit.

SteveInWA

Quote from: sp508 on March 07, 2016, 03:37:43 AM
No, no robo calls at all (I hate them as much as everyone does!)

OK.  You get a gold star.

Quote
I use the GV to enable campers in an overnight camp to call their parents. They all come at the same time so I set up a bunch of phones for them to use. I do it to make it easier for the kids to call home (at a great personal cost I may add). If you want to see which camp it is I will send you our web address privately.

No thanks, but that sounds like a camp for entitled little whiners and their Millennial helicopter/whiner parents. Cue the "When I was a kid, we had to walk a mile to the camp outhouse and use leaves for TP." grousing.

::) ;D ::) ;D

Quote
Is X_AccessList also not applicable?

Correct.  The hackers wouldn't likely be coming in via Google Voice, unless you are using trivial passwords and giving them out to the kids (who knows what evil lurks in the minds of little deviants).  :o

Quote
What kind of hardening do you recommend for GV?

Also, if a lot of kids call home at the same time over several hours (they all call home Friday afternoon) will GV shut me down even though I am legit?? Or will they give me the opportunity to show that I am legit.

Your acquisition of multiple GV numbers isn't legit (ToS violation), regardless of what you are doing with them. I recommend getting rid of those rule-breaking GV accounts, and just signing up with a SIP VoIP provider with a bunch of outbound channels and pay-per-minute pricing. If these phones are just being used for outbound calling, there really isn't a reason to pay for and keep track of inbound telephone numbers for each one. You could assign the same, single DID (inbound) number to all the phones. Add a small fee to the camper's bill for phoning home if it becomes a financial burden, but the cost of channels and outbound minutes is really cheap these days.

Heck, our forum member Sam_from_Circlenet is practically giving it away.

LTN1

I don't have an OBi508vs so am not sure if it has a configuration to restrict calls to certain area codes.

I use a FortiVoice (formerly TalkSwitch) system for my work and it has the ability to restrict calls and limit calling privileges on a per extension basis. The cost of a professional PBX system like mine would be less than 4 OBi508s (phones not included) and if used with a SIP provider, like Steve suggests, would provide the lines and security that would likely save money and frustrations in the long run. Additionally, as a hybrid PBX, it can also be connected to a few OBi202s to use analog lines with GV. The benefit is that it can add a measure of security and call restriction on top of the OBis--assuming they were plugged into the FV PBX to add analog (in addition to SIP) lines.

How many concurrent lines does the OP really need? Seems like these kids are really being spoiled.

Personally, if I were running a camp like this, I would place a limit on the number of phones campers could use...and they'll just have to wait their turn. If, on the other hand, the camp is for rich spoiled kids, it doesn't seem like a big deal to factor into the price of the camp, the telecommunications cost for these campers, if it has to go that way. If so, I would go with a SIP provider as Steve suggests. But for security purposes, I would go with a PBX that has additional layers of security like call restrictions (or call blocking) and a per extension privilege restriction.

sp508

Just to clarify. I am not using four OBi508s for the campers. One OBi is in the city office and three are at the camp. Of the three at the camp, two are used for the business offices and use PhonePower. The third OBi is used for campers. Last summer they too used PhonePower.

This summer I was thinking of using GV for the camper lines to save myself the PhonePower cost. I did not realize that it is against ToS. I will look into your suggestion or go back to PhonePower for the kids.

BTW: It is a not-for-profit camp. Kids aren't spoiled - they are great kids. The idea was mine because I am a techy kind of guy.

I do use one GV for myself and SteveInWA had mentioned that there is a way to harden OAUTH. I am interested in how to do that.

sp508

THEY HACKED ME AGAIN

Even with all the setting changes that you recommended they just hacked me. HELP, what should I do??

I did the following:

http://www.phonepower.com/wiki/Obihai_Lite#Disable_Direct_IP_Dialing

X_AcceptSipFromRegistrarOnly (if you find this setting, check the box and save your settings)

Taoman

Quote from: sp508 on March 07, 2016, 07:07:25 AM
THEY HACKED ME AGAIN

Even with all the setting changes that you recommended they just hacked me. HELP, what should I do??

I did the following:

http://www.phonepower.com/wiki/Obihai_Lite#Disable_Direct_IP_Dialing

X_AcceptSipFromRegistrarOnly (if you find this setting, check the box and save your settings)


Wow. Just woke up and I haven't had any coffee yet so I'm not thinking too clearly at this point.

Are you forwarding any ports in your router?
Do you have your OBi in a DMZ?
Exactly what kind of router are you using? (make and model)
Who is your ISP and what modem is being used?

Can you describe in detail (and maybe with a diagram) your entire network? Show the signal path between your OBi and your ISP. Are there ANY other points of entry into your network besides from your ISP?

Without coffee that's all the questions I can think of right now.

PS. Just out of general principle I would be changing all my passwords on all my devices to something VERY complex. This may be a brute force dictionary attack.

LTN1

Just wondering if there is malware on the OP's computers so that every keystroke or change made is readable by the hacker? If that is the case, changing to the most complex password will not help if a hacker is able to determine what exactly is being typed.

I would try (this is just brainstorming) to use a completely different laptop to change all the passwords (to a complex one at that) and see if that will prevent any hack.

I would also do a malware scan of all camp related computers and laptops...including personal devices used in the past to make the changes.

One should not rule out an internal hack or at least someone having access to that person.

sp508

Thanks VERY much for trying to help.

Using Verizon FiOS Router/Modem M1424WR. There is limited port forwarding; see below with explanation.

Obi is not in DMZ
Not sure what you mean by signal path between Obi and ISP.

The wiring is OBi to router to Verizon. There are several computers on the system. They were all checked for viruses using AVAST and MalwareBytes. My server is behind Bitdefender.

In the past week I changed all SP passwords, GV password, I reset the router and changed the password. All the passwords were complex passwords.

I just looked at the local call history for the latest breach which occurred at 9AM EST and there were NO entries. Usually there is an indication of a call.

Is it possible my hacker is part of a 'TRUSTED' group?? I don't have any that I know of.

==================================
Router settings explanation:
100 - website
107 and ISY for controlling lights, Teredo (don't know what that is, it seems to come automatically I think having to do with IPv6)

localhost 127.0.0.1 (Verizon FiOS Service): Tcp Any -> 4567 | All Broadband Devices | Active
192.168.1.100, Destination Ports 8002: TCP Any -> 8002, UDP Any -> 8002 | All Broadband Devices | Active
192.168.1.7, Destination Ports 1031: TCP Any -> 1031, UDP Any -> 1031 | All Broadband Devices | Active
192.168.1.100:60301, Skype UDP at 192.168.1.100:60301 (3352): UDP Any -> 60301 | All Broadband Devices | Active
192.168.1.100:60301, Skype TCP at 192.168.1.100:60301 (3352): TCP Any -> 60301 | All Broadband Devices | Active
192.168.1.100:57179, Teredo: UDP Any -> 57179 | All Broadband Devices | Active
192.168.1.181:62294, Teredo: UDP Any -> 62294 | All Broadband Devices | Active


sp508

I did this. I reset the OBi, went off site and used a computer that didn't belong to me. I started from scratch with a new OBiTalk account and ALSO put the OBI behind its own router. The hacker still got in. I think that points to a weakness in the OBi, not a keystroke logger, correct?

Quote from: LTN1 on March 07, 2016, 07:33:07 AM
Just wondering if there is malware on the OP's computers so that every keystroke or change made is readable by the hacker? If that is the case, changing to the most complex password will not help if a hacker is able to determine what exactly is being typed.

I would try (this is just brainstorming) to use a completely different laptop to change all the passwords (to a complex one at that) and see if that will prevent any hack.

I would also do a malware scan of all camp related computers and laptops...including personal devices used in the past to make the changes.

One should not rule out an internal hack or at least someone having access to that person.

sp508

If someone was following my keystrokes, why would they need to call in a bunch of times. Doesn't make sense.

Somehow they are getting into the OBi.

Is it possible that if I avoid using SP1 which is what they keep on going after, they won't be able to get in again because I have hardened the OBi??

Taoman

The 508 apparently supports 9 VoIP accounts. Are all 9 being used for separate PhonePower lines? If not, how are they configured? The configuration changes you made should have stopped them. This makes me think they are using another route to get to your OBi.

What is the purpose of your "server?" Who all has access to it? How do they access it?

sp508

I have 7 PhonePower accounts and one GV. The OBI508 has 8 ports but 9 SPs. I just deleted SP1 because of the problem and inserted SP9 in its place. Last time I deleted SP1 he then needed to call in to re-hack my system.

Just now, when the hack was taking place, I was on a call on line 2 (SP1). I noticed that the light on line 1 (SP1) was on even though no phone calls came in.

My phone system is an old Panasonic 1232 with 12 CO lines and multiple extensions. I can therefore see which lines are being used. BUT if he 'called' into line 1 internally, why would the indicator on my PBX show that light as being on???

The server is for camper registration. It is SSL.

Are you worried about the 'Teredo'?