Private Branch Exchange (PBX), Voice over IP (VoIP) servers and clients are nowadays core communication components within small and large organizations. A PBX is a complete information systems integrating communication facilities including access to public switched/routed networks.
The security of PBX and VoIP elements is a key element to limit abuse and especially the theft of services. In the past years, PBX attacks are quite regular due to lack of security. The attacks especially allow the attackers to make toll fraud. The victims are directly impacted in their phone bills from such fraud. The losses regarding such vulnerabilities are not to be underestimated and can represent an important threat to the financial operation of an organisation.
The toll fraud is indeed the most common attack but many others attacks and abuses can be performed from unsecured PBX and VoIP elements. This technical report is a summary of the best practices to secure PBX and VoIP elements.
Control Management Interfaces
PBX and VoIP elements have different management interfaces. We recommend to use an out-of-band management interface to manage the PBX and VoIP elements. If an out-of-band management cannot be used, we recommend to use a dedicated encrypted in-band management interface with a strong packet filtering policy to limit management access to the known and trusted networks.
PBX and VoIP elements often come preconfigured with default passwords, default private and shared keys. We recommend to set strong passwords and regenerate private keys using a safe entropy source during the installation process.
PBX and VoIP elements are information systems with integrated network services including network managements protocols like SNMP, SSH, Web Interfaces,… We recommend to disable all the unused services or to block them at packet filtering level if they cannot be disabled.
All PBX and VoIP elements must log all incoming and outgoing calls into an extensive log format including source IP addresses, source TCP/UDP port (if possible) along with the associated phone numbers. Time, date and timezone of the PBX and VoIP elements must be synchronized to a reference clock.
VoIP and hard phones should use encrypted protocols in order to get firmwares, boot images and configuration. When TLS/SSL is used, certificate must be properly checked (e.g. CName mismatch, expiration date,…) and connection should be dropped if the certificate doesn’t fulfill the requirements.
VoIP equipments have regularly updates including critical security updates. You must ensure that you have a secure way to remotely update your equipments in a timely fashion.
SIP Authentication and Registration
SIP authentication and signalling must be encapsulated into an encrypted and authenticated TLS/SSL session. Standard SIP digest authentication must not be sent in clear-text over the networks. Registration and invitation must also be authenticated in order to avoid session spoofing and hijacking.
In order to limit potential toll fraud when a vulnerability is abused in a PBX or a VoIP element, we recommend the following measures:
- Define a time range when outbound calls can be performed
- Protect and limit conference rooms to known numbers or/and protect them with a strong/renew PIN code
- Define international outbound calls to the required countries (if your organization permits this)
- Set a warning limit with your telecom operators when the bill reaches a threshold
- Review the call logs (and especially when the calls are performed) at a regular interval
AVM FRITZ!Box Case - February 2014
A large scale abuse of CPE equipments from AVM (FRITZ!Box) vulnerable to a remote authentication bypass was disclosed on February 2014. The “Control Management Interface” recommendation described in this document would have limited the impact of this attack.
You must review your AVM FRITZ!Box models and software version used to ensure they are not vulnerable.
- NIST SP 800-24, PBX Vulnerability Analysis: Finding Holes In Your PBX Before Someone Else Does
- NIST SP 800-58, Security Considerations for Voice Over IP Systems
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.2 February 19, 2014 Updated with the FRITZ!Box models vulnerable + update process for VoIP equipments
- Version 1.1 February 14, 2014 Updated with the FRITZ!Box abuse case to make calls to value added/premium-rate telephone services
- Version 1.0 December 16, 2013 Initial version (TLP:WHITE)