Security Breach: Calls Out Not Made by Me

Started by jwcmb, July 31, 2013, 11:41:27 AM

jwcmb

An email from CallWithUs this morning alerted me that 4 calls out to overseas #s were made from an IP address that is not mine. Somehow the hackers were able to make calls using my SIP userid/password, but I don't think they gained access to my CWU web account.

I changed my account and SIP passwords via Obitalk web first, then asked CWU to change my authentication to IP address only rather than userid/pw.  This was done very quickly after I contacted them, so I am very pleased with their responsiveness.

Questions:

1. Any thoughts as to how they were able to gain access to make these calls?

2. Has this happened to any of you?  If so, which account (GV, CWU, CC, etc) and how did you handle it?

3. Are there any good ways to avoid breaches like this if I go back to userid/pw authentication instead of IP address?

4. How do you protect yourself against these kinds of breaches?

Thanks.

Shale

I don't know anything about this, so my questions are just speculative.

1. Do the calls show up in the Call History of your OBi? I suspect not, but it seems worth checking.

2. Was your CallWithUs password pretty simple, such as a name or dictionary word?

3. I would ask if you use that same password on other sites, but I am wondering, if somebody infiltrated a different site, how they would be able to pair that up with your CallWithUs number.

4. Do you use an auxiliary device with your SIP other than the OBi or telephone? Do you, for example, have your own PBX or do you run an Asterisk server? It probably sounds like a silly question, but it happens that sometimes people don't mention such things.

5. Do you have anybody on your OBiTalk trusted callers list other than your own phones?

Clearly tougher passwords are much better. I like KeePass as a password manager.


To check the call history log:

1. If you do not know the IP address of your OBi, find the IP address: from your phone dial ***1 and listen for the IP address. Write it down.

2. Let a comma represent a pause. On your connected phone, dial ***0,30#, 1, 1 (for OBi202 for first time to enable WAN web access). For OBi100, 110, 200 or subsequent OBi202 access instead dial just ***1.

Your OBi should read your current IP number to you. It is often 192.168.__.__ or 10.0.__.__ where __ represents some numbers. Write that down.

3. Enter the IP address that you wrote down into the address box on your browser. If you don't know what a browser is, that means Internet Explorer, Chrome or Safari. It could also mean Firefox, etc.

Be prepared to enter the password for your OBi. The username is admin.

jwcmb

Thanks for the thoughtful questions and ideas, Shale.

1. No, they don't show in my call history, as expected, and they came from a different IP address than mine.

2. CWU password was strong. I assume the password is hashed before transmission over the web (I would hope it's not clear text). I don't understand how they would have intercepted and cracked the login data. Admittedly the userid could be fairly easily cracked given that it's an integer of a certain length and a certain range, but the pw was strong. CWU database breach?

3. Nope, pw was unique to CWU.

4. No auxiliary device.

5. No Obitalk trusted callers.

Like you, I also use KeePass.

I'll be interested if anybody reports if they've had a similar breach.

RFord

Do you recognize any of the numbers relating to those four calls? Do you (or someone in your household) have CallWithUs set up on any smartphone that could be using your SIP credentials to make outgoing calls? Do you have CWU registered on your OBi Device or are you using one of the Gateway accounts?

I use CWU on one of the Gateway accounts and have never had this problem. I have also set up the same CWU account at another location using a SP2102 ATA and CWU would send e-mail alerts when this occurs. The same is true if I access the CWU account from a different IP address from the norm.

jwcmb

Quote from: RFord on July 31, 2013, 04:22:33 PM
Do you recognize any of the numbers relating to those four calls? Do you (or someone in your household) have CallWithUs set up on any smartphone that could be using your SIP credentials to make outgoing calls? Do you have CWU registered on your OBi Device or are you using one of the Gateway accounts?

I use CWU on one of the Gateway accounts and have never had this problem. I have also set up the same CWU account at another location using a SP2102 ATA and CWU would send e-mail alerts when this occurs. The same is true if I access the CWU account from a different IP address from the norm.

RFord, no, the calls are not to any number I ever call (I don't call overseas).  I am the only user and do not use a smartphone with my Obi110.

CWU is set up on SP1, not a gateway account. I have used gateway accounts with this CWU SIP account to make SIP URI calls in the past (haven't done this recently for months and months).

Aside: When I had CWU reconfigure authentication for IP address instead of userid/password, they said to be sure to disable registration as my account would be banned otherwise.