Obi508 Hacked

Started by sp508, March 06, 2016, 06:20:26 PM


LTN1

Quote from: sp508 on March 07, 2016, 07:54:15 AM
If someone was following my keystrokes, why would they need to call in a bunch of times. Doesn't make sense.

Somehow they are getting into the OBi.

Is it possible that if I avoid using SP1 which is what they keep on going after, they won't be able to get in again because I have hardened the OBi??

What service provider are you using for the SP1 slot?

sp508

I was using PhonePower. I just deleted it and moved to SP9 with a hope that the problem would go away.

Taoman

Quote from: sp508 on March 07, 2016, 08:05:38 AM
Are you worried about the 'Teredo'?

I am concerned that there is another pathway into your network that I am unaware of.

I can give you two more options to harden your PhonePower configuration, but I'm not really hopeful since the first two configuration changes should have done it. As mentioned, I think another route is being used to access your OBi.

Change your UA port to 12060.
http://www.phonepower.com/wiki/Obihai_Lite#Obihai_SIP_Port_Change

Change your Voice Service>SPX service>X_InboundCallRoute to {>XXXXXXXXXX:phx}

where XXXXXXXXXX is your PP phone number and x is your desired phone port.
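Added illustration of what the two settings above change, written for this thread and not code from Obihai or PhonePower: it models a non-default UA port plus an X_InboundCallRoute of the form {>NUMBER:phx}, and shows why a direct-IP INVITE from a SIP scanner stops reaching a phone port. The rule parser only handles that one rule form; the INVITE lines and numbers are constructed.

```python
"""Constructed model of the OBi hardening steps discussed above.
Not firmware code; it only covers the single {>callee:phN} rule form."""
import re
from dataclasses import dataclass


@dataclass
class Policy:
    ua_port: int      # port the ATA actually listens on (12060 after the change)
    route_rule: str   # e.g. "{>15551234567:ph1}" (constructed number)


def parse_route(rule: str):
    """Parse {>callee:phN} into (callee, terminal); other forms are rejected."""
    m = re.fullmatch(r"\{>(\d+):(ph\d+)\}", rule.strip())
    if not m:
        raise ValueError(f"unsupported rule form: {rule!r}")
    return m.group(1), m.group(2)


def dialed_number(raw_invite: str) -> str:
    """Return the numeric user part of the Request-URI of a minimal INVITE."""
    first = raw_invite.splitlines()[0]
    m = re.match(r"INVITE sip:\+?(\d+)@", first)
    if not m:
        raise ValueError("not an INVITE with a numeric user part")
    return m.group(1)


def route_call(policy: Policy, dst_port: int, raw_invite: str):
    """Return the phone port to ring, or None when the call is dropped."""
    if dst_port != policy.ua_port:
        return None                      # nothing listens on 5060 any more
    callee, terminal = parse_route(policy.route_rule)
    if dialed_number(raw_invite) != callee:
        return None                      # not the PP number: rejected by route
    return terminal


# Constructed sample traffic (RFC 5737 documentation addresses).
POLICY = Policy(ua_port=12060, route_rule="{>15551234567:ph1}")
SCANNER_INVITE = "INVITE sip:100@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.7\r\n"
PP_INVITE = "INVITE sip:15551234567@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.5\r\n"

if __name__ == "__main__":
    print(route_call(POLICY, 5060, PP_INVITE))        # None: old port is closed
    print(route_call(POLICY, 12060, SCANNER_INVITE))  # None: wrong callee
    print(route_call(POLICY, 12060, PP_INVITE))       # ph1
```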

sp508

Would I do 12061 for the next port and so on??

Taoman

Quote from: sp508 on March 07, 2016, 08:55:29 AM
Would I do 12061 for the next port and so on??

No. The PP SIP server won't be listening on port 12061. Just do one line for now and make sure you can register successfully. PP SIP servers are sometimes slow to detect that a registered UA on port 5060 is no longer really there.

sp508

Okay sp9 is set and works, should I do SP2? If so what settings: Is it also 12060 and {>XXXXXXXXXX:phx}?

Taoman

Quote from: sp508 on March 07, 2016, 09:22:29 AM
Okay sp9 is set and works, should I do SP2? If so what settings: Is it also 12060 and {>XXXXXXXXXX:phx}?

Yes.

sp508

okay trying

Noticed that X_AcceptResync is set to 'Yes without authentication'. Is that correct?

sp508

I did for all my PP SPs. I did not do for my one GV SP. I assume that is correct?

Any other steps??

Taoman

Since I don't know what's going on and I don't know the OBi50x series and since you've moved SP1 to SP9, just to be overly paranoid I would disable the SP1 service.

Voice Service>SP1 Service>Enable  (uncheck the box and save your settings)

SteveInWA

Wow, sorry to hear about this.

Just following up on my comment and your subsequent question about GV security:

I assume that you've updated your OBis to their latest firmware level.  Since none of us have a 508, we can't look for you, but according to this forum's firmware section, the latest build is 4764 from June 2015.  The build level and release note information in that section are poorly maintained, so I suggest contacting Obihai about your issue in general, to see if they have any ideas.

Using the 2015 or newer firmware, access to one's Google Voice account no longer stores your Google account password on the device.  Instead, during the process of you provisioning GV on an OBi, via the OBiTALK web portal, OBiTALK will use the OAUTH 2.0 protocol to securely request and, with your approval, obtain a secure access token for the Google Chat service used by OBi devices.

I am not a security expert, so I don't know if the attacker is using your GV account(s).  I doubt it.  But, as we've been discussing, a shotgun, pre-emptive change of all passwords would be a good idea. 

If you can, I would delete all of the Google Voice SP configs on your OBi(s).  Then, log into your Google accounts and go here:  https://security.google.com/settings/security/permissions?pli=1

Find and click on, and then delete, all the permissions that have the tiny OBiTALK logo to the left, e.g. "Google Voice".  Delete any permissions for apps you don't use or don't recognize.

This will delete the OAUTH 2.0 permission that had been granted for OBiTALK.

Change your Google account passwords to new, unique (not used on any other website) passwords.

There are also two potentially different passwords for OBi stuff:  when you sign into your OBiTALK dashboard account, you either use a user ID and password you created specifically for OBiTALK, or you use your Google account password, again, via OAUTH.  Figure out which method you are using, and change the password accordingly.  Then, each OBi device has an admin password.  If you haven't changed those, do so now.

SteveInWA

This is off-topic and probably not your issue, but I re-read the discussion thread, and noticed:

Quote: Using Verizon FiOS Router/Modem M1424WR

I've been a FiOS customer since day 1 of availability here.  I was originally given one of those routers.  Actiontec made several revisions of the device, so my experience with the 1st gen could be different than yours.  The router had confusing and unusual configuration menus and poor performance.  I got rid of it years ago, and I have upgraded routers several times since then, all Linksys consumer routers.  I now use a current-generation Linksys router with AC1900 WiFi. 

Verizon (well, now Frontier) doesn't care what router you use, although their tech support may whine a bit if you call in a problem, since they like to remote into the Actiontec routers for problem determination.  Your FiOS ONT (Optical Network Terminal) creates the fiber<-->Ethernet bridge, and whatever router is plugged into it will obtain the DHCP lease from the host.  There's nothing special or magic about needing to use that old Actiontec router, and I have no idea if it has any security vulnerabilities.  The fact that you cascaded another router downstream of the Actiontec should mitigate that, but you really don't need two routers.

sp508

Okay, they got me again! I am attaching a log of the local settings. Somehow they got in and changed the same four: SP1-SP4.

Again the light on my line 1 (phone number ending ...515, now SP9) was on, even though SP9 was not affected. When I broke into and conferenced the line there was beeping. The beeping was not like a fax machine, just tones.

The log contains SP1-4, which were hit, and then SP9, which was not hit; SP5, 6, 7, 8 are the same.

PLEASE HELP.

Called OBi and 'they will get back to me.' I have been waiting for two weeks for any kind of real help from them.

Ostracus

Quote from: Taoman on March 06, 2016, 11:04:26 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM
Do you have any idea of how they get into the OBi in the first place?

I would assume sip scanners found your OBi device on port 5060. They then dialed your device via anonymous ip in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.

My reading of the manual indicates star codes can only be entered via the PHONE port.

sp508

They are continuously hacking SP1, SP2, SP3 and SP4.

They seem to be able to do it at will.

It most definitely has something to do with them calling in. But I don't know how they do it.

I have a PBX which after a certain number of rings picks up the call.

But they seem to be able to light up the light on the PBX without the phone ringing. I am not positive about that but pretty sure. I don't know how they do that.

LTN1

Quote from: sp508 on March 07, 2016, 06:19:30 PM
They are continuously hacking SP1, SP2, SP3 and SP4.

They seem to be able to do it at will.

It most definitely has something to do with them calling in. But I don't know how they do it.

I have a PBX which after a certain number of rings picks up the call.

But they seem to be able to light up the light on the PBX without the phone ringing. I am not positive about that but pretty sure. I don't know how they do that.

Regardless of whether there is a security defect in the OBi508vs device or not, I doubt that you will get the support that you need here. If you are determined to continue to use your 508, a high tech security consultant would be helpful. The problem is that the fee charged would likely far exceed your 508.

Would you consider going to a more secured system like this: https://www.corporatearmor.com/documents/talkswitch_datasheet.pdf (or equivalent, regardless of product manufacturer)

Taoman

Quote from: sp508 on March 07, 2016, 07:40:14 AM
I did this. I reset the OBi, went off site and used a computer that didn't belong to me. I started from scratch with a new OBiTalk account and ALSO put the OBi behind its own router. The hacker still got in. I think that points to a weakness in the OBi, not a keystroke logger, correct?

Given that you say you've done all the above in addition to the configuration changes I suggested I am at a loss. Unless there is a "feature" or defect in the OBi508 I'm unaware of I just don't see how this could be an external hack. I'm no network guru but it seems like they are accessing your OBi device from your internal network. But that's just a guess.

Edit: I guess I missed the PBX part. How is your PBX connected to the OBi and the outside world? Continuing on my guess, could they be hacking your PBX to get to your OBi?

What exactly has Obihai support said to you? Have they asked you to set up a syslog?

Taoman

Quote from: Ostracus on March 07, 2016, 06:12:09 PM
Quote from: Taoman on March 06, 2016, 11:04:26 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM
Do you have any idea of how they get into the OBi in the first place?

I would assume sip scanners found your OBi device on port 5060. They then dialed your device via anonymous ip in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.

My reading of the manual indicates star codes can only be entered via the PHONE port.

Seems logical. Just didn't know if things might be different with the 508.

Taoman

Quote from: LTN1 on March 07, 2016, 06:40:30 PM
Regardless of whether there is a security defect in the OBi508vs device or not, I doubt that you will get the support that you need here. If you are determined to continue to use your 508, a high tech security consultant would be helpful. The problem is that the fee charged would likely far exceed your 508.

You may very well be correct. I would hope there will be more help from Obihai support forthcoming.

Edit: I'm going to reach out to a couple top notch VoIP troubleshooters and see if they'd be willing to take a look at this thread and perhaps offer a suggestion. It's certainly over my head.

sp508

Thanks for all your help! Really.

OBi has done almost nothing. No, no syslog. They do not respond to support tickets (perhaps once or twice with very curt and lame suggestions). They did not try to 'harden' the OBi the way you suggested. When I call they want me to get off the phone.

I called again today and demanded some attention and help. I sent them an entire log of what was going on but so far no response.

Re PBX: The PBX CO lines are connected to the OBi. The PBX has NO connection to the outside world other than the CO lines going to the OBi and electric power. So a call would have to go through the OBi to ring on the PBX. Don't see how they could hack the PBX. When you hit * on voicemail, the voicemail hangs up on you.

Perhaps they are in my network with a virus. But if so they are accomplishing nothing. Long distance calls are disabled at PP. As I mentioned, I did extensive virus scanning. I set up a new OBi at a different location with a friend's computer and still they got in.

It really seems that the only thing that stayed the same in the whole process is the phone number that is being hacked called and SP1-4 being changed.