
"Vishing" advisory targets Asterisk

By Jake Edge
December 17, 2008

A light-on-details warning—issued late on a Friday no less—had users of the Asterisk telephony platform scrambling recently. It was issued by a US government group that includes the FBI, which tends to attract attention, and warned of unspecified vulnerabilities that would allow "vishing" attacks using subverted Asterisk systems. Vishing is a relatively new scam that uses phone calls in phishing expeditions (the name comes from combining 'voice' with 'phishing'), but typically using systems that are owned and run by the scammers.

Evidently, the FBI received word that Asterisk systems were being subverted by way of a vulnerability (AST-2008-003) reported last March. Systems were then used to make "thousands of vishing telephone calls [...] within one hour" trying to elicit personal information—generally credit card numbers—from victims. By using caller ID spoofing techniques those calls could appear to be coming from the credit card company itself. Typically, a pre-recorded message would give the user another number to call, where they would be prompted to enter the information via an interactive voice response (IVR) interface.

Asterisk is a multi-purpose free software suite that can act as a public private branch exchange (PBX), handle VoIP traffic, do IVR, and more. Because it provides such a general purpose platform, it does make an attractive target. It is probably also enticing to control such a device that is being run by—and can be traced to—someone else. But the folks at Digium—original developers and primary maintainers of Asterisk—don't really think the problem is as bad as was indicated.

The original problem was fixed months ago, so it clearly irks the Digium folks that it has been fingered now. In addition, the original advisory didn't even point to the vulnerability so users and Digium were left to guess what exactly was being exploited. The advisory was updated to include information about AST-2008-003, but there is still some skepticism about the potential for exploitation. On Digium's blog, community manager John Todd thinks the problem was overstated:

While I won't get into the details of configuration specifics, I would say that an administrator would have to consciously configure their system in what I believe to be an extremely unusual way in order to be victimized by this particular vulnerability. The flexibility of Asterisk lets a developer do almost anything, but it seems that there would need to be an almost absurd configuration circumstance that would allow this bug to be harmful in the way described.

While it may well be that this particular vulnerability is difficult to exploit, there will likely be others down the road that are less so. While some users may be getting a little more wary about phishing and email-based scams in general, phone calls have generally been considered more trustworthy. But it is no longer true that phone numbers are definitely traceable back to a physical location with a billed party known by the telephone company. Much of this information can be spoofed or re-routed in ways that make detection more difficult.

Phones have certainly been used in scams over the years, but the advent of caller ID has tended to put an undeserved stamp of authenticity on certain calls. If a pre-recorded message purports to come from GiantCompany and the caller ID entry has that name, it is easy to conclude that the call is genuine. Much of the same effort that has gone into educating the public about phishing will also need to be applied to vishing.

This is certainly not the first instance of PBX systems being abused either. Subverting PBXs for free long distance calls is a longstanding trick in the "phreaking" community. But Asterisk provides a much more capable platform, thus a much more useful tool, both for those that run them and those that subvert them. Asterisk users need to keep that in mind when security issues come to light.



"Vishing" advisory targets Asterisk

Posted Dec 18, 2008 10:51 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

Direct link: http://downloads.digium.com/pub/asa/AST-2008-003.html

Even for those not able to apply the source patch, an effective configuration workaround is mentioned there.

Many of the less-maintained Asterisk systems have a configuration built with the FreePBX system. In the standard configuration of the FreePBX system the default context from the general section is sent to a context that hangs up immediately, and hence would not allow any relayed calls.

And there are other issues to worry about, as stated in the discussion that followed. For instance, there are now more and more remote VoIP extensions. Those normally authenticate by password (technically: a challenge-response protocol. At least in SIP. So passwords are not sent in the clear). Naturally some of them have weak passwords and attackers try to guess such passwords.
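The FreePBX-style mitigation described above (the [general] default context handing unauthenticated calls to a context that just hangs up) can be checked mechanically. The following is an added example of my own, not code from the thread, Digium or FreePBX: a small lint that reads sip.conf and extensions.conf text and reports whether the guest context can reach a Dial() through any chain of include => lines. All configuration text and names such as from-sip-external are constructed for the example.

```python
import re
SECTION = re.compile(r"^\[([^\]]+)\]")
EXTEN = re.compile(r"^exten\s*=>\s*[^,]+,\s*[^,]+,\s*([A-Za-z]+)")  # pattern,priority,App(...)
INCLUDE = re.compile(r"^include\s*=>\s*(\S+)")

def parse_sections(text):
    """Map [section] -> non-comment lines of an Asterisk-style config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if m := SECTION.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def guest_context(sip_conf):
    """Context unauthenticated SIP calls land in: [general] context=, else 'default'."""
    for line in parse_sections(sip_conf).get("general", []):
        key, _, value = line.partition("=")
        if key.strip() == "context":
            return value.strip()
    return "default"

def apps_in_context(dialplan, name, seen=None):
    """Dialplan applications reachable from a context, following include => lines."""
    seen = set() if seen is None else seen
    if name in seen:  # includes may be circular
        return set()
    seen.add(name)
    apps = set()
    for line in dialplan.get(name, []):
        if m := EXTEN.match(line):
            apps.add(m.group(1))
        elif m := INCLUDE.match(line):
            apps |= apps_in_context(dialplan, m.group(1), seen)
    return apps

def can_relay_calls(sip_conf, extensions_conf):
    """True if the guest context can Dial() out rather than just hang up."""
    ctx = guest_context(sip_conf)
    return "Dial" in apps_in_context(parse_sections(extensions_conf), ctx)

# Constructed sample configs (not from the page): a permissive guest context beside one that hangs up.
SIP_CONF = "[general]\ncontext=from-sip-external\nallowguest=yes\n"
RISKY_PLAN = "[from-sip-external]\ninclude => outbound\n\n[outbound]\nexten => _X.,1,Dial(SIP/trunk/${EXTEN})\n"
SAFE_PLAN = "[from-sip-external]\nexten => _X.,1,Hangup()\n"
```

Run can_relay_calls() against your own two files; a True result means the context that receives unauthenticated calls can place outbound calls, which is the property the workaround removes.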

"Vishing" advisory targets Asterisk

Posted Dec 18, 2008 17:58 UTC (Thu) by iabervon (subscriber, #722) [Link]

Caller ID is not actually particularly reliable; it's about equivalent to the bottom "Received" line in an email message. That is, anyone who has a block rather than a collection of individual phone lines has the equipment which tells the system what the number is, and the rest of the system will believe it.

"Vishing" advisory targets Asterisk

Posted Dec 18, 2008 18:30 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

it doesn't take someone with a block of phone lines. anyone with VoIP can also set their outbound callerID number.

I've also seen stories about it being possible to forge it from cell phones as well.

"Vishing" advisory targets Asterisk

Posted Dec 18, 2008 19:14 UTC (Thu) by iabervon (subscriber, #722) [Link]

VoIP and cell phones are essentially access to somebody's block of phone lines, which may or may not allow you to do various things. What I was thinking of as "individual phone lines" are the single twisted-pair entering your house and going straight to your phones.

"Vishing" advisory targets Asterisk

Posted Dec 19, 2008 5:05 UTC (Fri) by lysse (guest, #3190) [Link]

> the name comes from combining 'voice' with 'phishing'

...and how I wish it didn't...

I blame the banks.

Posted Dec 19, 2008 9:42 UTC (Fri) by dwmw2 (subscriber, #2063) [Link]

The really scary thing about phishing is that it's often indistinguishable from the genuine, but stupid, behaviour of the banks.

I often receive phone calls from banks without caller-id at all; their number is withheld. And yet they expect me to trust them, and to authenticate myself by providing 'secret' information.

This kind of behaviour from the banks, along with the fact that they habitually send email without PGP signatures, is actively encouraging naïve customers to submit to phishing attempts — because they just can't tell what's genuine and what isn't.

The regulatory authorities should deal with this, and force the banks to apply some clue to their own outgoing communications. Or failing that, perhaps some criminal prosecutions for aiding and abetting the fraudsters?

I blame the banks.

Posted Dec 19, 2008 16:07 UTC (Fri) by Los__D (subscriber, #15263) [Link]

Errrrr, what?

Luckily we don't have this in Denmark, in fact most banks tell you that they will never contact you and ask for that kind of information.

I blame the banks.

Posted Dec 19, 2008 16:14 UTC (Fri) by dwmw2 (subscriber, #2063) [Link]

Scary, isn't it?

I blame the banks.

Posted Dec 19, 2008 22:35 UTC (Fri) by oak (guest, #2786) [Link]

> Luckily we don't have this in Denmark, in fact most banks tell you that they will never contact you and ask for that kind of information.

Same thing in Finland (I think it had even been mentioned in TV news when there was a first large email phishing attempt in Finnish instead of the normal English spam...).

I blame the banks.

Posted Dec 20, 2008 0:11 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

In the US, banks always remind us that they will never ask us for a password on the phone. However, they must ask for some kind of weak authentication because they don't know who answers the phone and people are so paranoid about privacy now, they would not tolerate a bank telling another member of the household about their bounced checks. That weak authentication could be a birth date or something. I presume that when the recipient isn't willing to let that information out, they offer the alternative of the recipient looking up the bank's customer service number and calling back.

Many of us are not scared enough to bother; we just give them the information. The actual risk to you from someone knowing your birth date or bank account number is much less than the media hype indicates.

I blame the banks.

Posted Dec 20, 2008 5:32 UTC (Sat) by mgb (guest, #3226) [Link]

I cancelled my Earthlink account recently because there was no way to call back to Earthlink's "finance department" in India. I'm not going to give someone a new credit card number just because he claims he's with Earthlink. Very dumb move by Earthlink.

I blame the banks.

Posted Dec 20, 2008 11:01 UTC (Sat) by rwmj (subscriber, #5474) [Link]

I can confirm dwmw2's account - my UK bank called me up recently, with blocked caller ID, and then demanded security details. I told them where to go of course, but I later got a secure message through their authenticated web service which confirmed it was in fact them.

Ironically, perhaps, the call was about that other ludicrous UK bank invention - "Verified for Visa". (a.k.a "we verified that you will take the blame, not Visa"). The one where you get taken to an iframe on a 3rd party site which asks for your security details. My inquiry which prompted the call was to ask when they might actually implement something secure, such as credit card device that generates one-time keys.

Rich.

I blame the banks.

Posted Dec 20, 2008 11:17 UTC (Sat) by dwmw2 (subscriber, #2063) [Link]

"My inquiry which prompted the call was to ask when they might actually implement something secure, such as credit card device that generates one-time keys."
So, not a conversation for which they actually needed to authenticate you at all. Thus, they were demonstrating an even more fundamental lack of clue about security than we originally thought...

I blame the banks.

Posted Dec 20, 2008 11:23 UTC (Sat) by rwmj (subscriber, #5474) [Link]

I hadn't thought about that actually, but yeah, they're even more stupid than we thought :-)

"Vishing" advisory targets Asterisk

Posted Dec 20, 2008 15:56 UTC (Sat) by jzbiciak (✭ supporter ✭, #5246) [Link]

I thought PBX was "private branch exchange"...

"Vishing" advisory targets Asterisk

Posted Dec 20, 2008 16:56 UTC (Sat) by jake (editor, #205) [Link]

> I thought PBX was "private branch exchange"...

ummm, yeah ... i will fix it as soon as i get this egg off my face ... thanks!

jake

public/private

Posted Dec 22, 2008 10:05 UTC (Mon) by zdzichu (subscriber, #17118) [Link]

I've read that as a pun, given the context.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds