Voip Phreak

Cool sh!t about Asterisk, VOIP, XMPP 'n stuff

Digium call for help in response to IC3/FBI Asterisk Security Issue announced last Friday


In a story earlier today we posted about the FBI announcement regarding pwning Asterisk systems. Digium has posted a response to this on the Asterisk mailing lists, asking the community for help in responding to the FBI’s warning and to the various news outlets that are misrepresenting the issue or not fully informing their audience. Here’s the message posted by Digium:

On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their website that contained a fairly vaguely worded warning about Asterisk systems being compromised and then being used as “vishing” (voice phishing) platforms. They were non-specific on the threat other than to advocate upgrading to “newer versions” of Asterisk. This announcement was done on Friday late afternoon, just as everyone was leaving for the weekend, which left us leaving frantic messages with various IC3 voicemail system deadends and emails to generic-sounding accounts.

The delay in any authoritative information from IC3 quickly created a guessing game in the blogger and press community as to what exactly the vulnerability was and what the details of this threat were.

The speculation here at Digium was that this was just a re-statement of an older bug from earlier this year, or it could have been entirely unrelated to Asterisk and just been a case of mis-diagnosis of poor password control.

It turns out that we were correct on our first guess: this is not a new problem, and furthermore is a difficult vulnerability to exploit even on those systems that are unpatched – it would require fairly purposeful configuration to expose the system to a “vishing” abuse method, so it is probably the case that this was a very isolated event. We spoke with IC3 agents earlier today, and they have updated the alert to contain the correct warning (AST-2008-003) which was their original intent.

There is a more complete description of the incident on the Digium blog site:

http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/

Other links:

AST-2008-003 – http://www.asterisk.org/node/48466

Revised IC3 announcement – http://www.ic3.gov/media/2008/081205-2.aspx

WHAT YOU CAN DO:

Unfortunately, the news of security risks spreads faster than the news of a non-issue – secure systems aren’t “stories” so I expect it will be an uphill effort to update all the sites which copied or re-blogged the IC3 story initially. We would very much like to enlist the community to have you try to post where you can the link to the Digium blog above – it would help keep misperceptions from becoming part of the permanent data landscape as things get slowly archived into Google-able snippets. Post in the “Comments” sections of any blogs you see linking to this story, or put your own $.02 in as you see fit. We’d like to keep good relations with the IC3 and FBI, and we understand how this kind of mistake can happen (even though we’re uncomfortable with the results) so please set your flamethrowers on “warm” instead of “scorch” if you choose to weigh in on the topic yourself.

If anyone has questions regarding this issue, please feel free to contact me via email or phone to discuss.

JT

John Todd

jtodd@digium.com +1-256-428-6083

Asterisk Open Source Community Director

Author: Voip Phreak

Matt is Voip Phreak! Matt took an early adoption to telephony as a young BBS user, using PBXs and other fun toys that he could get his hands on, progressing eventually into a love of internet telephony. These are his thoughts, views, and little articles about mostly nothing, but something.

One Comment

  1. The FBI casts a shadow on Asterisk – explanations published at http://asteriskpbx.ru/blog/fbi-fake-advisory
    (comments on the issue for the Russian-speaking community)
