TR-18 - PBX and VoIP Security - Recommendations

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

Overview

Private Branch Exchange (PBX), Voice over IP (VoIP) servers and clients are nowadays core communication components within small and large organizations. A PBX is a complete information systems integrating communication facilities including access to public switched/routed networks.

The security of PBX and VoIP elements is a key element to limit abuse and especially the theft of services. In the past years, PBX attacks are quite regular due to lack of security. The attacks especially allow the attackers to make toll fraud. The victims are directly impacted in their phone bills from such fraud. The losses regarding such vulnerabilities are not to be underestimated and can represent an important threat to the financial operation of an organisation.

The toll fraud is indeed the most common attack but many others attacks and abuses can be performed from unsecured PBX and VoIP elements. This technical report is a summary of the best practices to secure PBX and VoIP elements.

Recommendations

Control Management Interfaces

PBX and VoIP elements have different management interfaces. We recommend to use an out-of-band management interface to manage the PBX and VoIP elements. If an out-of-band management cannot be used, we recommend to use a dedicated encrypted in-band management interface with a strong packet filtering policy to limit management access to the known and trusted networks.

PBX and VoIP elements often come preconfigured with default passwords, default private and shared keys. We recommend to set strong passwords and regenerate private keys using a safe entropy source during the installation process.

Hardening

PBX and VoIP elements are information systems with integrated network services including network managements protocols like SNMP, SSH, Web Interfaces,… We recommend to disable all the unused services or to block them at packet filtering level if they cannot be disabled.

Logging

All PBX and VoIP elements must log all incoming and outgoing calls into an extensive log format including source IP addresses, source TCP/UDP port (if possible) along with the associated phone numbers. Time, date and timezone of the PBX and VoIP elements must be synchronized to a reference clock.

Boot/Update Process

VoIP and hard phones should use encrypted protocols in order to get firmwares, boot images and configuration. When TLS/SSL is used, certificate must be properly checked (e.g. CName mismatch, expiration date,…) and connection should be dropped if the certificate doesn’t fulfill the requirements.

VoIP equipments have regularly updates including critical security updates. You must ensure that you have a secure way to remotely update your equipments in a timely fashion.

SIP Authentication and Registration

SIP authentication and signalling must be encapsulated into an encrypted and authenticated TLS/SSL session. Standard SIP digest authentication must not be sent in clear-text over the networks. Registration and invitation must also be authenticated in order to avoid session spoofing and hijacking.

Toll Fraud

In order to limit potential toll fraud when a vulnerability is abused in a PBX or a VoIP element, we recommend the following measures:

  • Define a time range when outbound calls can be performed
  • Protect and limit conference rooms to known numbers or/and protect them with a strong/renew PIN code
  • Define international outbound calls to the required countries (if your organization permits this)
  • Set a warning limit with your telecom operators when the bill reaches a threshold
  • Review the call logs (and especially when the calls are performed) at a regular interval

Recent Abuse

AVM FRITZ!Box Case - February 2014

A large scale abuse of CPE equipments from AVM (FRITZ!Box) vulnerable to a remote authentication bypass was disclosed on February 2014. The “Control Management Interface” recommendation described in this document would have limited the impact of this attack.

You must review your AVM FRITZ!Box models and software version used to ensure they are not vulnerable.

References

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.2 February 19, 2014 Updated with the FRITZ!Box models vulnerable + update process for VoIP equipments
  • Version 1.1 February 14, 2014 Updated with the FRITZ!Box abuse case to make calls to value added/premium-rate telephone services
  • Version 1.0 December 16, 2013 Initial version (TLP:WHITE)