Obi508 Hacked

Started by sp508, March 06, 2016, 06:20:26 PM


LTN1

Quote from: sp508 on March 07, 2016, 06:52:05 PM

It really seems that the only thing that stayed the same in the whole process is the phone number that is being hacked called and SP1-4 being changed.


Perhaps a cheaper solution is to change the number, but if it is a main number, as on business cards, letterheads, etc., that is quite a sacrifice to make.

sp508

Probably will go with Vonage for that one line and see what happens.

SteveInWA

Quote from: Ostracus on March 07, 2016, 06:12:09 PM
Quote from: Taoman on March 06, 2016, 11:04:26 PM
Quote from: sp508 on March 06, 2016, 08:22:14 PM

Do you have any idea of how they get into the OBi in the first place?


I would assume SIP scanners found your OBi device on port 5060. They then dialed your device via an anonymous IP in order to send a star code to enable unconditional call forwarding along with the desired number. At least that's my best guess. The two configuration changes you made should nip that in the bud.



My reading of the manual indicates star codes can only be entered via the PHONE port.

After mulling this over while running errands today, I was going to post this same comment. I don't see how anyone could attack the device over a phone call, regardless of whether they're calling the PSTN number or via a direct SIP URI.

It's why I spent time emphasizing generic account password hardening on all points of entry: the OBiTALK account portal user ID/PW, the administrative password for the OBi 508's own web server interface, and the SIP credentials.

Aside from that, I believe this is an "inside job", meaning, somebody is gaining access to your LAN.  Are you running a web server, for example, with open ports, that could be compromised?  Anyone with access to port 80 on your LAN and knowledge of the OBi's password could do this sort of damage.

ianobi

With reference to replies #22 to #26, concerning UserAgentPorts, I think there has been a misunderstanding.

I do agree with Taoman that you should change these away from the defaults. However, 5060 and 12060 are the PhonePower servers' "SIP listening ports". These values can be set here:
Service Providers -> ITSP Profile X -> SIP -> ProxyServerPort : 12060
This will have no effect on scanners looking for a way in to your OBi.

The UserAgentPort is the "SIP listening port" for each individual OBi spX. They should all be different. Set them at random numbers above 32000. Each OBi spX will send a REGISTER message to the PhonePower servers telling them where to send calls to (IP address/port); the port will be whatever you have set in the UserAgentPort. This is a sensible change for all OBi owners as one more measure to defeat SIP scanners.

I don't use PhonePower, but I note that on their website there is advice on changing the SIP port of their softphone:
Quote

Click on the check box "Open random port above 32000" to allow the entry field to be modified and type in the requested SIP port.

Up to now you have only used default UserAgentPort settings and the advertised 12060, so scanners will be having an easy job getting in to your OBi. Using random ports above 32000 will make it much harder. Of course, if the problem is an "inside job" as Steve describes, then it will not help, but it is a good safety measure in any case.

Good luck with solving your problem.
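An added example, not code from the thread or from Obihai, showing the port rules in the post above as a small audit. It models each SP as a dict with the two settings named in the post (ProxyServerPort for the provider, UserAgentPort for the OBi itself), flags UserAgentPorts that are well-known SIP ports, not above 32000, duplicated across SPs, or copied from the provider's port, picks fresh random ports, and builds a trimmed-down REGISTER to show where the UserAgentPort ends up (the Contact header). The config dict shape, the seed parameter, and the REGISTER text (user 1001, domain sip.example, LAN address 192.168.1.50) are assumptions made for the example; 5060, 5061, 12060 and the 32000 threshold come from the thread.

```python
import random
import re

# Ports a SIP scanner tries first: the standard SIP ports and, for this provider, the advertised 12060.
WELL_KNOWN_SIP_PORTS = {5060, 5061, 12060}
MIN_RANDOM_PORT = 32000   # "random numbers above 32000", as in the thread and PhonePower's softphone advice
MAX_PORT = 65535


def audit_user_agent_ports(sp_config):
    """Check the per-SP settings against the advice in the thread.

    sp_config maps an SP name to its ports, mirroring the OBi config paths (assumed shape):
      {"SP1": {"ProxyServerPort": 12060, "UserAgentPort": 5060}, ...}
    Returns a list of (sp_name, problem); an empty list means every UserAgentPort is
    distinct, above 32000 and not a port scanners already know about.
    """
    problems = []
    seen = {}
    for name, cfg in sp_config.items():
        ua = cfg["UserAgentPort"]
        if ua in WELL_KNOWN_SIP_PORTS:
            problems.append((name, f"UserAgentPort {ua} is a well-known SIP port that scanners probe"))
        elif ua <= MIN_RANDOM_PORT:
            problems.append((name, f"UserAgentPort {ua} is not above {MIN_RANDOM_PORT}"))
        if ua == cfg["ProxyServerPort"]:
            problems.append((name, "UserAgentPort copies the ITSP ProxyServerPort; that port belongs to the provider, not the OBi"))
        if ua in seen:
            problems.append((name, f"UserAgentPort {ua} duplicates {seen[ua]}; each SP needs its own"))
        else:
            seen[ua] = name
    return problems


def assign_random_ports(sp_names, seed=None):
    """Pick a distinct UserAgentPort above 32000 for each SP.

    Uses the OS RNG unless a seed is given (the seed exists only so the example is reproducible).
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    used = set(WELL_KNOWN_SIP_PORTS)
    chosen = {}
    for name in sp_names:
        while True:
            port = rng.randint(MIN_RANDOM_PORT + 1, MAX_PORT)
            if port not in used:
                used.add(port)
                chosen[name] = port
                break
    return chosen


def build_register(user, domain, proxy_port, lan_ip, user_agent_port):
    """Constructed REGISTER as one SP would send it: the request goes to the provider's
    ProxyServerPort, while the Contact header tells the provider where to deliver calls,
    i.e. the OBi's own UserAgentPort. Headers are trimmed to the ones relevant here."""
    return (
        f"REGISTER sip:{domain}:{proxy_port} SIP/2.0\r\n"
        f"To: <sip:{user}@{domain}>\r\n"
        f"From: <sip:{user}@{domain}>;tag=1\r\n"
        f"Contact: <sip:{user}@{lan_ip}:{user_agent_port}>\r\n"
        "Expires: 60\r\n\r\n"
    )


def contact_port(register_msg):
    """Pull the port the device advertised in the Contact header; None if absent."""
    m = re.search(r"^Contact:\s*<sip:[^>]*?:(\d+)>", register_msg, re.M)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    # Default-style setup: every SP listening on 5060 behind the provider's 12060.
    weak = {f"SP{i}": {"ProxyServerPort": 12060, "UserAgentPort": 5060} for i in range(1, 5)}
    for sp, problem in audit_user_agent_ports(weak):
        print(f"{sp}: {problem}")
    hardened = {sp: {"ProxyServerPort": 12060, "UserAgentPort": p}
                for sp, p in assign_random_ports(weak).items()}
    print("hardened:", hardened, "problems:", audit_user_agent_ports(hardened))
    print(build_register("1001", "sip.example", 12060, "192.168.1.50", hardened["SP1"]["UserAgentPort"]))
```

The audit deliberately treats the provider's 12060 as a port to avoid for the UserAgentPort: the post's point is that ProxyServerPort is the server's listening port and changing it does nothing for the OBi's exposure, while the UserAgentPort is what the REGISTER advertises and what a scanner would have to find.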


sp508

Thank you everyone for your help!!!

Last night at around 11 PM a call came in on Line 2. Caller ID showed private. I didn't take the call but the call went to VM on my desk. My voicemail allows me to screen messages and pick up as the messages are being left. I was able to hear that tones were being dialed.

Then the indicator light on Line 1 went on. This happened without any incoming call. I barged into Line 1 and heard tones again.

There were a flurry of incoming calls.

My phone system is an old analog system. It has several ports that are for VM. Those ports had access to all CO lines (including 1 & 2).

I am wondering if the hacker is simply getting into my voicemail, dialing 9 to get an outside line, and then dialing *72 (All Call Forward) to his Cuban number, and this is the way he hacks!

I have since disabled CO access to the VM ports and put a password on the Voicemail Extension that he was using.

Scary to think that he would know which phone system I have, know my phone numbers and call in when the phones aren't being used for a while.

Now, if this is the way he hacked, is it correct to say that he would not need to do any additional programming on the OBi? Remember, SP1-4 and the OBiTalk Service all have the field CallForwardUnconditionalEnable enabled with a specific Cuban phone number.

What does everyone think?

Just to get it out there: the number he is calling from is 239 234 4377/8. Is there a way to see where he is calling from? It says Naples, Florida on the Caller ID. And does anyone have experience with that number being a hacker?

Orple

Wow, I'm so sorry. This seems to be a dangerous man who needs to be reported. The number belongs to Ymax Communications in Naples, FL and is VoIP. White Pages has the number listed as scam/fraud. He is sexually abusing and hacking into people's accounts, including bank accounts. He uses Craigslist, Facebook, every means possible. He goes by many names. One person said it is a MagicJack number and when he/she received a call from this number it was a friend stationed overseas, but the number could belong to someone else now. But another commenter said he claims to be a marine stationed in Somalia (the same country told to other people too), so I suspect the one claiming him as a friend is also being scammed. Good luck.

LTN1

Quote from: sp508 on March 13, 2016, 05:42:03 AM

My phone system is an old analog system. It has several ports that are for VM. Those ports had access to all CO lines (including 1 & 2).

I am wondering if the hacker is simply getting into my voicemail, dialing 9 to get an outside line, and then dialing *72 (All Call Forward) to his Cuban number, and this is the way he hacks!

I have since disabled CO access to the VM ports and put a password on the Voicemail Extension that he was using.

Scary to think that he would know which phone system I have, know my phone numbers and call in when the phones aren't being used for a while.

Now, if this is the way he hacked, is it correct to say that he would not need to do any additional programming on the OBi? Remember, SP1-4 and the OBiTalk Service all have the field CallForwardUnconditionalEnable enabled with a specific Cuban phone number.

What does everyone think?

Just to get it out there: the number he is calling from is 239 234 4377/8. Is there a way to see where he is calling from? It says Naples, Florida on the Caller ID. And does anyone have experience with that number being a hacker?

Having used and configured analog-to-IP PBXs for over 10 years for my own work (though I'm not an IT professional), it is now clear to me that the security weakness in your configuration lies not with the OBi508vs but with your PBX system that is behind the OBi.

If you want to keep some sort of call bridge or call forwarding (whatever it is called in a particular PBX system), you have to set up a strong enough password that requires manual input each time a person externally calls in to use that feature. If your PBX doesn't require a strong enough manual password to dial out on a call bridge/forwarding, you are stuck with turning off that feature for the entire system or upgrading to a more secured PBX if you want such a feature.

sp508

I disabled calling out for the VoiceMail ports. So theoretically he cannot call out.

But how can he do CallForwardUnconditionalEnable on SP1-4 and OBiTalk just by using the phone keypad?

LTN1

It is highly unlikely that he can reconfigure the call forwarding part of the OBi from a phone keypad since none of us can. It requires knowing the password and going into the OBi dashboard to make such a configuration. Based on the OBi abilities at this time, I would say it would not be possible to make the configuration that way by mere key tone entry remotely.

In addition to turning off that feature in your VM, do you have any type of auto-attendant that allows for that remote call forwarding feature? If you do, then you should turn it off there too.

sp508

It does seem like once I get him out of the system by deleting an SP or the like, he needs to CALL in to get back in. Once he gets in he seems to be able to change the settings without calling in.

Is it possible that there is a two-step process: he needs to call in to get some information or to enable something that allows him access (perhaps adding himself as a Trusted member). Then, once he has breached the system, he can make changes online without calling in?

This is the way it seems to happen each time.

LTN1

Your problem is with your PBX system, not the OBi.

If your PBX system allows for remote configuration (that is, calling in from an outside line), then an outside caller with the master password can technically call in and reactivate the call bridging/forwarding feature that you have on your PBX system.

The caller is unlikely to be able to remotely reconfigure your OBi device by keypad alone. It would also require hacking into your online OBiTalk dashboard.

The bottom line is, you have a problem with the security of your PBX. It is not related to the OBi, except that once your PBX has been hacked, it uses the OBi lines to call out. If you can stop any remote configuration changes to your PBX, that would likely solve your immediate problem.

If you can't secure your PBX, then it is time to get another PBX with better security features.
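An added example, not from the thread or from any PBX vendor, that models the outbound dial policy LTN1 argues for in this post and in the earlier one about PIN-protected call bridging, applied to the path sp508 describes (a voicemail port with CO-line access, dial 9 for an outside line, then *72 plus a number). The policy has three controls, each matching a fix from the thread: voicemail ports lose trunk access, every extension needs a PIN before seizing a trunk, and star codes are not passed out over a trunk. The port names (VM1, EXT101, ...), the PIN 4821 and the destination 5551234567 are constructed for the example; "9" and "*72" come from the thread. The flags default to the hardened state, and setting them all to lax reproduces the original setup.

```python
import hmac

TRUNK_ACCESS_CODE = "9"     # "dial 9 to get an outside line" (from the thread)
FORWARD_STAR_CODE = "*72"   # unconditional call forward code dialled in the attack (from the thread)


class PbxDialPolicy:
    """Outbound dial policy for an analog PBX whose CO lines terminate on OBi PHONE ports.

    Controls, each matching a fix discussed in the thread:
      - voicemail / auto-attendant ports never seize a CO line;
      - an extension must present its PIN before any trunk call;
      - star codes are not passed out over a trunk, because on the far side of the
        trunk they would reach the OBi as a PHONE-port star code.
    Defaults are the hardened state; the flags exist to model the original setup.
    """

    def __init__(self, vm_ports, extension_pins, *,
                 allow_vm_trunk_access=False, allow_trunk_star_codes=False, require_pin=True):
        self.vm_ports = set(vm_ports)
        self.extension_pins = dict(extension_pins)   # port -> PIN; no entry means no outbound
        self.allow_vm_trunk_access = allow_vm_trunk_access
        self.allow_trunk_star_codes = allow_trunk_star_codes
        self.require_pin = require_pin

    def evaluate(self, port, dialed, pin=None):
        """Return (allowed, reason) for a digit string dialled from a given PBX port."""
        if not dialed.startswith(TRUNK_ACCESS_CODE):
            return True, "internal call, no trunk involved"
        outside = dialed[len(TRUNK_ACCESS_CODE):]

        if port in self.vm_ports and not self.allow_vm_trunk_access:
            return False, f"{port} is a voicemail port; CO-line access disabled"

        if outside.startswith("*") and not self.allow_trunk_star_codes:
            return False, f"star code {outside[:3]} not passed to the CO line"

        if self.require_pin:
            expected = self.extension_pins.get(port)
            if expected is None:
                return False, f"{port} has no PIN configured; outbound disabled"
            # constant-time compare so a wrong PIN is not distinguishable by timing
            if pin is None or not hmac.compare_digest(pin, expected):
                return False, "missing or wrong PIN"

        return True, f"outbound call to {outside}"


def replay(policy, attempts):
    """Run (port, dialed, pin) attempts through the policy and return the blocked ones."""
    blocked = []
    for port, dialed, pin in attempts:
        allowed, reason = policy.evaluate(port, dialed, pin)
        if not allowed:
            blocked.append((port, dialed, reason))
    return blocked


# Constructed attempts: the voicemail port dialling 9 then *72<number> as in the thread,
# an extension doing the same, and ordinary traffic. Ports, PIN and number are made up.
SAMPLE_ATTEMPTS = [
    ("VM1", TRUNK_ACCESS_CODE + FORWARD_STAR_CODE + "5551234567", None),
    ("EXT101", TRUNK_ACCESS_CODE + "5551234567", "4821"),
    ("EXT101", TRUNK_ACCESS_CODE + FORWARD_STAR_CODE + "5551234567", "4821"),
    ("EXT102", "101", None),
]

if __name__ == "__main__":
    before = PbxDialPolicy(vm_ports={"VM1", "VM2"}, extension_pins={"EXT101": "4821"},
                           allow_vm_trunk_access=True, allow_trunk_star_codes=True, require_pin=False)
    after = PbxDialPolicy(vm_ports={"VM1", "VM2"}, extension_pins={"EXT101": "4821"})
    print("before hardening, blocked:", replay(before, SAMPLE_ATTEMPTS))
    print("after hardening, blocked: ", replay(after, SAMPLE_ATTEMPTS))
```

With the lax flags the *72 from the voicemail port sails through, which is the scenario sp508 describes; with the defaults it is stopped at the first check, and even a PIN-holding extension cannot push a star code out to the CO line.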

sp508

I put passwords on all PBX extensions. I disabled outside CO lines on the PBX. So I believe the PBX is secured now.

Still don't know how he did all the programming on the OBi locally. Any clues? I assume he could do *72, but does that migrate to the local OBi settings?

Apparently, he is a known hacker http://whocallsme.com/Phone-Number.aspx/2392344378

I wonder if I should report to the FBI.

LTN1

Quote from: sp508 on March 13, 2016, 12:38:55 PM
I put passwords on all PBX extensions. I disabled outside CO lines on the PBX. So I believe the PBX is secured now.

Still don't know how he did all the programming on the OBi locally. Any clues? I assume he could do *72, but does that migrate to the local OBi settings?

Apparently, he is a known hacker http://whocallsme.com/Phone-Number.aspx/2392344378

I wonder if I should report to the FBI.

I don't have the 508, but part of the advertising says:

Software Feature Highlights:

    Call Signaling for Up to 8 SIP-Based Voice Services: SIP (UDP/TCP/TLS)
    OBiTALK Calling: Allows for Voice Communications Between OBi Devices and Smart Phone Apps
    VoIP Codecs Supported: G.711, G.726, G.729, G.722, iLBC
    Fax Over IP: T.38 Real-Time Fax over IP, G.711 Transparent Fax (Automatic)
    Obihai Call Routing and Bridging Technology: Allows for Full-matrix Switching Amongst Available Services (VoIP, Land Line or Mobile Phone) and/or Ports
    Secure Provisioning and Management via the OBiTALK Cloud or via TFTP, HTTP/S or via Integral Web Page
    Globally Localizable: Allows for Country-Specific Dialing, Ringing, In-call Tones and PSTN (FXO) Interoperability - Requires OBiLINE USB to FXO Adapter(s)

You can additionally disable all of the call forwarding/bridging capabilities of the OBi508vs.

I think what I am seeing here is the headache of using lower end PBX systems, including the OBi508vs. They're just not designed to be user friendly in warding off a sophisticated hacker. It's not what you want to hear but I want to bring this point up so you don't fully blame Obihai or your lower end analog PBX system for everything the hacker is doing. There's a reason why businesses spend tens of thousands of dollars on security devices and software--and a $400 device isn't going to be up to par with the higher end ones.

LTN1

Here's a sample configuration page in my PBX that allows for limited access and PIN security for any outbound calls. It has many features, including the ability to easily stop any call bridging/forwarding with a check or uncheck.

Since it is a hybrid PBX, it even allows for the OBi202 to be connected to some of its analog phone lines. Say you have two OBi202 lines connected; all incoming and outgoing calls will be handled by the PBX. The only purpose of the OBi202 is to provide telephone lines. Security is regulated at the PBX level.

The system that we have employs a number of redundant features. It includes landlines that won't go down in case of a long-term power failure. It employs pure VoIP lines like CallCentric, Localphone, etc. It even has GV lines through the OBi device--which is useful for its T.38 feature.

The system (not phones), when purchased new, was only $1500. It has 4 analog lines and 8 SIP trunks (for VoIP lines), for a total of 12 concurrent lines. I have an extra identical system as a backup or to act as a daisy chain if we needed more lines, but that is unlikely since for our small office 12 lines is more than enough. Out of those 12 lines, we can program up to 70 extensions either locally or remotely. For example, in your camp situation, you can actually operate using one system at the main office and just set up VoIP extension phones connected to the camp's LAN, and it will be exactly like an extension phone at the main office hundreds of miles away.

Consider upgrading if your system isn't secure or easy to use.

sp508

So far so good. Ever since I password protected the voice mail extensions and disabled the VM ports from being able to make outgoing calls (hence having access to the OBi ports), the hacker has not attacked.

I sent a request to OBi tech support asking how to disable 'Bridging' but have not gotten a response.

To LTN1: My analog system has 24 CO lines and approx. 90 extensions along with integrated Voice Mail. I am loath to switch, unless, of course, I have to.

I would love to have a brand new VoIP system, but my understanding is that I would need a CAT5 connection to each phone. My extensions are spread out over 60 acres and rewiring would cost $20,000+.

LTN1

Quote from: sp508 on March 14, 2016, 05:55:55 PM
So far so good. Ever since I password protected the voice mail extensions and disabled the VM ports from being able to make outgoing calls (hence having access to the OBi ports), the hacker has not attacked.

I sent a request to OBi tech support asking how to disable 'Bridging' but have not gotten a response.

To LTN1: My analog system has 24 CO lines and approx. 90 extensions along with integrated Voice Mail. I am loath to switch, unless, of course, I have to.

I would love to have a brand new VoIP system, but my understanding is that I would need a CAT5 connection to each phone. My extensions are spread out over 60 acres and rewiring would cost $20,000+.

Good to hear that it is working. If something works, there is no need to change it... I only brought up the possibility of an upgraded PBX in case it doesn't work.

If, however, you plan to one day upgrade to an IP system and move away from your analog PBX, the cost of Ethernet or CAT5 connections won't be nearly as large if you go with Wi-Fi capable Ethernet hubs at remote areas of your compound. Assuming you have Wi-Fi signal boosters/extenders throughout your large compound, you would only need to install Wi-Fi Ethernet hubs near your VoIP connected phones or other devices needing an Ethernet connection. For a single remote location where you only need a phone or two, you can just get a Wi-Fi enabled VoIP phone for that location without the need to set up a Wi-Fi Ethernet hub.

The sample WIFI ethernet hubs that I'm talking about are here:
https://www.iogear.com/product/GWU647/
http://www.newegg.com/Product/Product.aspx?Item=N82E16833150130&nm_mc=KNC-GoogleAdwords-PC&cm_mmc=KNC-GoogleAdwords-PC-_-pla-_-Network+-+Firewalls-_-N82E16833150130&gclid=Cj0KEQjw5Z63BRCLqqLtpc6dk7gBEiQA0OuhsDWylM3uqti2gB26kEMW17DLVlHYasA3JFdukuoVf90aAnyo8P8HAQ&gclsrc=aw.ds

Only do VoIP at your location after testing it on a smaller scale. Otherwise, I like the redundancy and stability of also having landlines in the event there are VoIP connection issues. It costs more, but it is the cost of doing business in my opinion. So if you ever transition, I would have a hybrid system with a fallback to one or two landlines if necessary. Otherwise, everything else can go VoIP to save money in the long run.