SIP Users Get a Heads Up Call from Uncle Sam

Early in December, John Todd wrote on the Asterisk blog for Digium about a warning letter they received from the Internet Crime Complaint Commission, a sort of subdivision of the FBI that investigates complaints about, you guessed it, Internet crime, and refers actionable complaints to the appropriate law enforcement agencies.

Todd described the letter as vague, though ostensibly related to concerns the IC3 had about vishing (telephone identity fraud) and Asterisk. Digium officials’ initial belief (subsequently confirmed by IC3) was that the inquiry could be related to a bug discovered in March of 2008 that allowed, in Todd’s words,

“in some cases unauthorized callers to make calls through an unprotected “context” in Asterisk. Due to the nature of the bug there was fairly limited exposure – it would have required a fairly unusual set of configurations to permit fraud, and there was both a simple config file change that would provide protection, as well as an actual patch to the code which we have every reason to believe has been widely implemented by the very proactive Open-Source community using Asterisk in production environments.”

Todd also noted that fraudulent, malicious, or “vishing” calls through SIP systems in general have recently increased due to poor security practices and weak password control. He pointed out that the rise isn’t symptomatic of any problem with Asterisk – it’s equivalent to people setting their email password to be the same as their username, or some other easily guessed string. Our conversation with Todd on this issue follows.

We spoke with Todd and asked whether the situation portends heightened attention from DHS and the FBI down the road for the Asterisk community, despite the IC3’s eventual acknowledgment that the “warning letter” was actually a reiteration of a known issue. He told us,

“As Asterisk becomes more widely integrated with various businesses and agencies, it becomes naturally a larger potential for being used for bad purposes, either by intention (bad guys using * as a dialer themselves) or by mistake (bad guys breaking into systems which are running Asterisk, and using them as relays for bad things.) Thus, we expect to hear more from the TLA’s (Three Letter Agencies) over time simply due to Asterisk being installed in more places.”

As for the SIP security issue that prompted the discussion, a little planning goes a long way toward preventing these problems.

Like your mother said, “Use good passwords, keep your packet filters up.”