02-13-2013 10:23 AM - edited 03-21-2019 09:59 AM
Hello,
We are running a small ITSP and have around 2 dozen SPA8000 gateways in production at various customer locations. They are used to provide telephone lines to analog-based PBX systems. Over the last month or so, we are getting a ton of malicious hackers somehow registering their eyebeam softphones to the SPA8000 gateway and are attempting to make international calls through the device. The calls always originate from the gateways, which rules out the fact that they are being hacked into and stealing the SIP credentials. I have attempted to register my own eyebeam softphone to one of our test SPA8000s and can only manage to ring the system attached and not physically dial out the SIP trunk. We are running the latest firmware available, 6.1.11, and this is a widespread issue not limited to one device. Going through the settings in the manual, the only option that seems relevant is "Restrict Source IP", which is set to YES in every Line tab and Trunk tab. We are really struggling with this issue and hope someone out there can help shed some light on how to prevent this from happening. Thanks in advance, Dale
02-13-2013 11:12 AM
My personal suggestion is this:
- protect your devices against malicious access using a firewall
- use strong passwords
- enable the Restrict Source IP option
- change the standard 5060 SIP port using voice menu - line menu - sip settings - sip port option
- disable unused lines
You can also analyze SIP activities enabling log.
Regards.
02-13-2013 03:06 PM
Hi Dale,
If you've enabled "Restrict Source IP" then the device will not communicate with devices other than the proxy.
Could someone be logging in using the web access, changing the config, making calls, changing the config back again, and logging off of the web-UI?
Could it be that the outbound calls are being made by trusted internal folk?
Consider disabling web access to the SPA8000.
Consider changing the device passwords and not sharing them with anyone to foil internal "trusted" folk.
Consider installing a packet capture device on a subnet and leaving it running for a period of time in an attempt to capture an illicit phone call and then analyzing the entire flow for clues.
Regards,
Patrick---
07-22-2013 02:06 AM
I can confirm that SPA8000 was hacked (v6 and trunk usage only). It allows calling IP-IP showing private IPs in SDP, which don't belong to its internal network. Even the session name shows the original SIP UA name instead of "-" (dash).
There's nothing related to web access. 12-letter non-dictionary passwords could not be hacked on several SPAs in one night at once.
"Restrict Source IP" does not make it more secure. It restricts only the networks the Linksys can connect to. It is used by providers to lock devices to their networks.
I found more evidence. See the logs in the last post at http://www.cyberforum.ru/telephony/thread736388.html.
ADDENDUM:
I attached a tcpdump with the SIP dialog for hacked and regular calls. Once again, there was no password disclosure (web access and SIP account) and no IP hijacking. The calls were made through the Linksys SPA8000.
ADDENDUM 2:
SPA9000 was also hacked in the same way this morning.
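A defender-side check for the indicators Grigoriy describes (SDP session name other than "-", and a private media address in the SDP that is not the gateway's own LAN), written as an added example and not code from the thread or from Cisco. The gateway LAN 192.168.10.0/24, the two sample INVITEs and the "eyeBeam" session name are constructed assumptions; in practice the messages would be pulled from the packet capture Patrick suggests.

```python
import ipaddress
import re

GATEWAY_LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed gateway LAN


def parse_invite(msg: str) -> dict:
    """Split a raw SIP INVITE into request line, headers and SDP fields."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    sdp = {}
    for line in body.split("\r\n"):
        if len(line) > 2 and line[1] == "=":
            sdp.setdefault(line[0], line[2:])  # keep first c=/s= seen
    return {"request": lines[0], "headers": hdrs, "sdp": sdp}


def suspicious_indicators(msg: str, lan=GATEWAY_LAN) -> list:
    """Return reasons this INVITE looks like a relayed (hacked) call."""
    sdp = parse_invite(msg)["sdp"]
    reasons = []
    # The SPA8000 itself sends s=- ; a UA product name means a foreign SDP.
    if sdp.get("s", "-") != "-":
        reasons.append(f"session name '{sdp['s']}' instead of '-'")
    m = re.match(r"IN IP4 (\S+)", sdp.get("c", ""))
    if m:
        addr = ipaddress.ip_address(m.group(1))
        # Private media address that is not on the gateway's own LAN.
        if addr.is_private and addr not in lan:
            reasons.append(f"private media address {addr} outside gateway LAN")
    return reasons


# Constructed sample messages, not captures from the thread.
NORMAL_INVITE = (
    "INVITE sip:0012125551234@proxy.example.net SIP/2.0\r\n"
    "From: <sip:line1@proxy.example.net>;tag=a1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 192.168.10.2\r\ns=-\r\n"
    "c=IN IP4 192.168.10.2\r\nm=audio 16384 RTP/AVP 0\r\n"
)
RELAYED_INVITE = (
    "INVITE sip:0012125551234@proxy.example.net SIP/2.0\r\n"
    "From: <sip:line1@proxy.example.net>;tag=b7\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 5 5 IN IP4 10.0.0.23\r\ns=eyeBeam\r\n"
    "c=IN IP4 10.0.0.23\r\nm=audio 8000 RTP/AVP 0\r\n"
)
```

Run `suspicious_indicators()` over every INVITE in a capture and alert on any non-empty result; an empty list for `NORMAL_INVITE` and two reasons for `RELAYED_INVITE` is the expected outcome on the samples above.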
07-22-2013 05:52 AM
My suggestion is open a case to STAC.
Regards.
07-22-2013 06:02 AM
Never did it before. What is STAC? Where and how?
07-22-2013 06:14 AM
Hi Grigoriy,
This page should help you open a case:
https://supportforums.cisco.com/community/netpro/small-business/sbcountrysupport
Regards,
Patrick---
07-22-2013 07:02 AM
Thanks for the tips. But this page is not appropriate. It provides three cases to contact support:
- warranty (1 year)
- service (paid)
- partners
I want to say: "Hey, guys. Your marvelous SPAs got hacked. It's like a world-scope SOS. Otherwise your ATAs become as usual as others."
I think a trouble ticket is the wrong way; I have neither warranty nor paid service. I'm not a partner of Cisco. I'm one of those Cisco makes money on.
07-23-2013 05:21 AM
Hi Grigoriy,
Thanks for checking out the support route. Please contact me at paborn@cisco.com so I can get more specific information about the deployment and related issues.
We at Cisco are very interested in understanding and correcting the issues you describe.
Regards,
Patrick---
07-23-2013 07:36 AM
Community update: I'm working with Grigoriy and have opened CDETS# CSCui25004 to track this issue.
Patrick---
08-16-2013 09:44 AM
Patrick - what is the status of this bug/security issue? We had an SPA8000 compromised several days ago and are trying to determine if this unit can be sufficiently secured. I cannot access the CDETS case you reference above for lack of access rights when logged in.
If you would like logs for our unit, please let me know and I can provide them.
09-23-2013 02:40 PM
My company has had similar problems over the last several months.
ATAs getting reprogrammed have included SPA8000 and SPA112.
We are currently considering deploying routers/firewalls to our customers to preclude this ...