Someone Stole My SIP Trunks

by Dave Michels

Well, I did it. I committed the cardinal sin – and got caught. Default passwords on my phone system.

Yesterday, I got hacked.  About 3 AM my phone started ringing – not a familiar tone. I work up and tried to silence it, but knew something was wrong as there were way too many lights on the phone. I remembered someone at NEC mentioning to me that I should update my passwords, but hadn’t prioritized it.

At home, I have an NEC DSX Key system. It’s a hybrid digital/IP SOHO phone system. I love it because it’s integrated with my home automation (see prior post). NEC has announced the end of life of this beauty, but continues to sell them. I noticed my doctor’s office uses the DSX too.

I had the system set up for remote admin, but not remote phones (port 5060 was blocked on the firewall). The hackers knew their way around the DSX. It is not a web based admin, and requires a client which they clearly had. It looks like they tried to set up remote phones, but couldn’t so just grabbed the credentials off one of my SIP providers (the DSX shows the passwords in clear text on the management client). They then went directly to the SIP provider and started making international calls (3 at a time on one trunk). The SIP credentials are not the same as the SIP admin credentials. I logged into the provider and disabled international calling and restricted calls to one at a time. That seemed to end the attack, so back to sleep.

In the morning, I did some more research and pieced the above together. I blocked the management port I had open on the firewall, and changed the passwords for all of my SIP providers. I also changed the admin passwords on the NEC system, though probably not necessary now that the Firewall will block remote admin anyway. I’d like to restrict the SIP registrations to just my location, but can’t do that because I have  a dynamic IP address and none of my providers support DynDNS. I am still unsure why the phone made noise, but I am glad it did. I figure the phone system saw line activity and got confused because no stations were in use. I think it may have been a ring-back tone that woke me, but still unsure.

I was lucky – only had $40 of abuse. Had I not been home, or had the phone system not made noise, it could have been much worse.