Someone Stole My SIP Trunks

March 10, 2015 by Dave Michels

Well, I did it. I committed the cardinal sin – and got caught. Default passwords on my phone system.

Yesterday, I got hacked. About 3 AM my phone started ringing – not a familiar tone. I work up and tried to silence it, but knew something was wrong as there were way too many lights on the phone. I remembered someone at NEC mentioning to me that I should update my passwords, but hadn’t prioritized it.

At home, I have an NEC DSX Key system. It’s a hybrid digital/IP SOHO phone system. I love it because it’s integrated with my home automation (see prior post). NEC has announced the end of life of this beauty, but continues to sell them. I noticed my doctor’s office uses the DSX too.

I had the system set up for remote admin, but not remote phones (port 5060 was blocked on the firewall). The hackers knew their way around the DSX. It is not a web based admin, and requires a client which they clearly had. It looks like they tried to set up remote phones, but couldn’t so just grabbed the credentials off one of my SIP providers (the DSX shows the passwords in clear text on the management client). They then went directly to the SIP provider and started making international calls (3 at a time on one trunk). The SIP credentials are not the same as the SIP admin credentials. I logged into the provider and disabled international calling and restricted calls to one at a time. That seemed to end the attack, so back to sleep.

In the morning, I did some more research and pieced the above together. I blocked the management port I had open on the firewall, and changed the passwords for all of my SIP providers. I also changed the admin passwords on the NEC system, though probably not necessary now that the Firewall will block remote admin anyway. I’d like to restrict the SIP registrations to just my location, but can’t do that because I have a dynamic IP address and none of my providers support DynDNS. I am still unsure why the phone made noise, but I am glad it did. I figure the phone system saw line activity and got confused because no stations were in use. I think it may have been a ring-back tone that woke me, but still unsure.

I was lucky – only had $40 of abuse. Had I not been home, or had the phone system not made noise, it could have been much worse.

By Dave Michels

Dave is an independent analyst and founder of TalkingPointz which is focused on enterprise communications. In addition to this (free and paid) content on TalkingPointz, he contributes to industry sites, can be found at major industry events, and provides advisory services to vendors and financial analysts.

Look ma, no ads!

Admit it! You just can’t look away. Yet, there’s so much more.

Become a subscriber to TalkingPointz for access to reports and premium posts.

There are several ways to stay informed:

Visit this site regularly.
Receive new posts in your email once a week.
Become an Insider or All Access Subscriber for alerts and access to uncensored content.

Become a Member from $49 / month

TalkingHeadz Podcast

The TalkingHeadz podcasts are @DaveMichels and @EvanKirstel chatting with interesting guests. These are unsponsored and unscripted for your enjoyment. You can subscribe on most podcast apps including iTunes.

Listen on iTunes

Podcast

TalkingHeadz with Brad Hintze of Crestron

April 10, 2023

Multi-camera video is best demonstrated in large conference rooms, and that can be a challenge in an expo hall. Crestron solved it: We’re going to need a bigger booth. I experienced Crestron’s 1 Beyond experience in an expo booth with…