
Obitalk202 hacked, pwned. No fix?

Started by AnotherVictim, May 10, 2018, 05:21:17 PM


AnotherVictim

My Obi202 has to be left in a standard IP configuration because my Comcast (Motorola Arris Surfboard) doesn't allow any choices beyond the normal setup. This weekend it was hacked and taken over for nearly an hour, three times, before I figured out what was going on. Incoming calls at 3-6x per minute, using the 202 to place outgoing calls just as quickly.
Is there no way to secure these boxes against incoming hacks? I use gvoice with mine, but looking at the logs, the hack had nothing to do with that. The lack of configuration options /vs/ the router appears to be a fatal flaw in the 202? Trash time?
Any feds to report this to?

dircom

kind of off topic, but please don't throw electronics in the trash.  Please sell or give them away to someone who can use it.
Others will answer your hijack question.

Mango

Quote from: AnotherVictim on May 10, 2018, 05:21:17 PM
My Obi202 has to be left in a standard IP configuration

We don't know what a "standard IP configuration" is.  You may wish to explain this in a way that we can understand it so that we can give more meaningful advice.

Generally it is good practice to place VoIP equipment behind a firewall to prevent exactly the issue you describe.  Most routers contain a firewall.  If your Arris device is acting as a router, it either does not have a firewall, or the firewall is disabled.

Two common ways to disable your firewall are port forwarding and DMZ.  These should never be used.  Otherwise, your device will be hacked sooner or later.  If you are using port forwarding or DMZ, disable them.

The OBi202 in fact contains a router.  Although it's not an extremely secure one, it should in theory be better than nothing.  Is there any possibility you have enabled configuration via WAN port?  If so, try to disable it and see if that solves your problem.

Quote from: AnotherVictim on May 10, 2018, 05:21:17 PM
Any feds to report this to?

Nope.  They don't care unless the amount lost is astonishingly high.  Additionally, the hack probably originated overseas where our law enforcement has no jurisdiction.  The best solution is to configure your equipment properly so that it is secure.

Quote from: dircom on May 10, 2018, 06:14:56 PM
kind of off topic, but please don't throw electronics in the trash.  Please sell or give them away to someone who can use it.

Good advice.

Let us know how things go.  If the problem continues, provide more details about your setup and we'll do our best to help.

AnotherVictim

Mango, you are of course correct.
Normally I try to keep everything as secure, updated, and locked down as possible. But offhand, I think it was three years ago when I asked Obi about configuration, and part of the problem is that the Comcast "cable modem and router", whatever you prefer to call it, has limited configuration options. Apparently you can only configure a very small range of connections, firewall openings, etc. to work with the Obi and vice versa. I don't mean to be vague; I just haven't touched that in a couple of years, since both parties told me "you can't change that" with regards to the default setups.

The Comcast/Motorola/Arris Surfboard certainly does allow for a firewall and that doesn't affect it working as a router. The problem is that apparently the same connection (hole in the firewall) that allows INCOMING calls to originate from outside, allows hacks to originate outside and enter via the same port. The Obi202 then sees incoming data packets the same way it would see all normal (unsolicited) incoming phone call packets--so you can't just say "exclude unrequested incoming packets".
The firewall is there. The problem is, the Obi has to listen to incoming requests from strangers, and apparently there's no way to better secure it. (I'd really like to be wrong about that.) If there was a way to tell the Obi202 "only take unsolicited packets if they originate from..." and give them a range specific to GVoice, that might do the trick. It wouldn't stop a DOS attack from taking the Obi out of service though.
And someone out there seems to be sniffing for, and attacking Obi devices.

GPz1100

With Google Voice and even SIP (Callcentric/others), the Obi initiates the connection from behind the firewall/NAT.  The firewall keeps track of the IP/MAC which originated this connection.  Resulting inbound traffic then can only come in/back to the IP/MAC which did the origination.  This is the fundamental definition of a stateful firewall.

So when a call comes in from Google Voice/Callcentric, it comes in to the device which opened the door in the first place.  Any other inbound attempts are blocked by the firewall.

I run a local PBX with several SIP & GV trunks in addition to 2 Obi boxes which have 4 or 5 defined ITSPs between them to external (on the internet) providers.  There is no port forwarding or any other pinholes defined in my firewall for this to work.  The only pinhole which does exist is for a unique 5 digit port for a remote UDP VPN connection, nothing else.

Most firewalls work in the manner above by default and should not require additional pinholes/dmz to be configured.

Mango

Quote from: AnotherVictim on May 11, 2018, 01:39:13 PM
If there was a way to tell the Obi202 "only take unsolicited packets if they originate from..." and give them a range specific to GVoice, that might do the trick.

You're describing a "restricted cone NAT" router.  You don't even have to configure an IP range; it will be detected automatically.  The router I use is called Tomato firmware, but there are probably many other good ones.  Unfortunately Tomato isn't compatible with Arris hardware, but here's a list of compatible hardware http://tomato.groov.pl/?page_id=69 if you're interested.

GPz1100

Mango, can you post a screenshot of what this setting looks like in Tomato?
Mango

There isn't a setting for it on Tomato; it's the default/only behaviour.

Some routers have a setting called something like "secure UDP session control" which does the same thing.
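To make concrete what GPz1100 and Mango describe above, here is a small model of a stateful NAT gateway in front of an ATA speaking SIP over UDP. This is an added example, not code from the thread, from OBiTALK or from Tomato; every address, port and payload string in it is constructed. It shows why a restricted cone NAT (the default behaviour Mango refers to) lets the provider's INVITE in while dropping a scanner's, why a full cone NAT lets the scanner reach the mapped port once the ATA has registered, and why a port forward or DMZ entry exposes the ATA to unsolicited traffic regardless of any session state.

```python
"""Toy model of how a stateful NAT/firewall treats inbound UDP (e.g. SIP on 5060).

Added illustration, not from the OBiTALK forum thread. All addresses are
constructed (RFC 5737 documentation ranges) and the SIP payloads are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip, udp_port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    payload: str


@dataclass
class Gateway:
    public_ip: str
    # "restricted": inbound allowed only from the peer the inside host contacted
    # "full_cone":  inbound allowed from anyone once the external port is mapped
    mode: str = "restricted"
    forwards: Dict[int, Addr] = field(default_factory=dict)  # explicit port forwards
    dmz_host: Optional[Addr] = None                          # catch-all DMZ target
    next_port: int = 30000
    # external UDP port -> (inside address, outside peer the inside host contacted)
    table: Dict[int, Tuple[Addr, Addr]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host sends outward: create (or reuse) a mapping and rewrite the source."""
        for ext_port, (inside, peer) in self.table.items():
            if inside == pkt.src and peer == pkt.dst:
                break
        else:
            ext_port = self.next_port
            self.next_port += 1
            self.table[ext_port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet host sends to our public IP: return the delivered packet or None (dropped)."""
        ext_port = pkt.dst[1]
        # A port forward is a permanent hole: no session state is consulted at all.
        if ext_port in self.forwards:
            return Packet(pkt.src, self.forwards[ext_port], pkt.payload)
        entry = self.table.get(ext_port)
        if entry is not None:
            inside, peer = entry
            if self.mode == "full_cone" or pkt.src[0] == peer[0]:
                return Packet(pkt.src, inside, pkt.payload)
        # No matching session state: only a DMZ host still receives unsolicited traffic.
        if self.dmz_host is not None:
            return Packet(pkt.src, self.dmz_host, pkt.payload)
        return None


OBI = ("192.168.1.20", 5060)      # constructed LAN address of the ATA
ITSP = ("203.0.113.10", 5060)     # constructed provider address
SCANNER = ("198.51.100.7", 5060)  # constructed SIP scanner on the internet


def run_scenario(gw: Gateway) -> Dict[str, bool]:
    """ATA registers outward, then three inbound INVITEs are attempted.

    Returns, for each attempt, whether the packet reached a LAN host.
    """
    reg = gw.outbound(Packet(OBI, ITSP, "REGISTER sip:provider.example"))
    mapped = reg.src  # public ip:port the provider will send calls back to
    return {
        "provider_invite": gw.inbound(Packet(ITSP, mapped, "INVITE (provider)")) is not None,
        "scanner_to_mapped_port": gw.inbound(Packet(SCANNER, mapped, "INVITE (scanner)")) is not None,
        "scanner_to_5060": gw.inbound(
            Packet(SCANNER, (gw.public_ip, 5060), "INVITE (scanner)")) is not None,
    }


if __name__ == "__main__":
    for label, gw in [
        ("restricted cone (typical default)", Gateway("192.0.2.1")),
        ("full cone", Gateway("192.0.2.1", mode="full_cone")),
        ("UDP 5060 forwarded to the ATA", Gateway("192.0.2.1", forwards={5060: OBI})),
        ("ATA placed in DMZ", Gateway("192.0.2.1", dmz_host=OBI)),
    ]:
        print(f"{label:36s} {run_scenario(gw)}")
```

Only the restricted cone case admits the provider's call and nothing else. A real router tracks the remote port too (port-restricted cone), which is stricter still; the model checks only the remote IP to match the "only take unsolicited packets if they originate from..." behaviour asked about above.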

AnotherVictim

Thanks, GPz. Mind you, I haven't touched any configs in 3? years and my router configuring, which yes I used to have a good grasp on, was longer than that. I just haven't had any recent need to look at it. IIRC the instructions to set up the Obi202 only allowed one way to set it up UNLESS your router would also allow use of the specific IP range that Obi worked with, or vice versa, and the Comcast sanctioned routers, of which the Motorola/Arris Surfboard series were the best, simply could not both use the same range. So, whatever it was out of the box, was all it ever can be. Looking at a new Netgear Nighthawk, also not perfect but Comcast limits choices, to replace it. And I'll look into configuring that for the stateful gateway.
But someone out there is doing DOS attacks on Obi boxes.