
Hacked

Status
Not open for further replies.

Thermus

Programmer
Jul 3, 2003
176
NZ
I have a customer with an IPECs 50B with 5.0Gs software and 3 ISDN BRA trunks.

Last weekend the customer got hacked and some lucky people got to make lots of calls to Cuba via their PABX.

This is embarrassing enough but I still cannot break out of the PABX auto attendant or voicemail using any codes at all.

The PABX was on night service, directed to an AA with CCR to leave a MSG or go to another CCR table to dial speed dials of certain people.

All CCR digits were programmed with destinations.

PGM 166 has all COS set to 07

PGM 227 auth codes had default pswd "*"

Unfortunately SMDR was not being recorded

Can anyone out there tell me how hack an ipecs because I need to stop this.

Have since changed PGM 227 auth code COS Night and Timed to 07.
 
DISA account code should be off. It's on by default.

PGM 140-142 CO/IP Attributes.
 
Even with this feature on I cannot break out of the PABX.

Cannot dial individual CO or CO Group access codes.

Have had an IR raised with LG in Korea.

This is the first IPECs I've had this happen to.

 
I guess that you should enable SMDR to see what happens at this customer.
Also the Telecomm provider could be helpful in these cases.
With our telecom provider here in Denmark, the lines are supervised per default, and closed if too many calls in/out of the system take place - and the destination of these calls are International calls.

///doktor
 
Did you check that the DISA code was off?
Maybe change the programming password to another at this customer - for ALL levels.
If the iPECS unit is accessible from the Internet for programming - turn this option OFF for a period.
There is also a trunk-to-trunk setting that must be turned OFF.

///doktor
 
Thanks for replies, been busy.

SMDR on and emailing me.
CO DISA Acct is OFF though I still could not dial out with it on.

Passwords all changed.
Waiting to hear from Korea to see what was wrong.

Interesting our telco provided billing advice and all calls originated from the pilot number (which seemed reasonable) and one individual DDI which is odd.

I am still attempting to dial out from that one user's DDI and generate a call.
 
Hi Thermos

Worked on this tonight and have the method detected.
Your problem is (PGM 227 auth codes had default pswd)

Once calls get to vmail if password is at default you are compromised.
It is a multiple stage process with some extra work to cover tracks after calls have been made.
I will give details to Aria in the morning.
Just change password at this stage and for extra security set COS to restrict international calls in Night Service.
 
Thanks PuffinBilly

It would be interesting to know the process as I cannot access any outside lines thru voicemail or DISA using a valid auth code.

I have heard of access using phonetage though it seems unlikely as port forwarding seems to be required and my customer has nothing external pointing to the PABX.

Hope to learn more soon. It is rather difficult to prevent hacking if I don't know how it gets done.
 
Hi Thermos

Would be a mistake to give details in this forum so will not go into it.
I have notified Aria & they will have to address this somehow & sometime.
Best I can advise securitywise is use a different password for voicemail on each system. ie get customer to supply a local default.
 
Hi Thermos

What I can tell you is DISA is not required to be on.
Just eliminate default password from ALL users (even those not using voicemail)& the calls will stop.
Be warned though that your Cuban friends have had a taste of the free calls & will try again so avoid the obvious passwords like 1234 or 1111, 9999 etc.
 
We are also a VoIP provider and have had 2 LG systems compromised over the past 2 weeks. Both use SIP trunks. By default iPECS has in PGM210 IP AUTH USAGE: OFF and in PGM133 Invite Acceptance: From All.

Change 210 to ON, and 133 to Domain Only. The bug in 5.5 is that you can't have a domain name, e.g. sip.provider.com, but rather the IP address, as the DNS resolve fails in this field; otherwise calls will not be accepted.

The culprits in this instance sent phony 401 Not Authorised messages to the LG which we suspect returned with authorisation encrypted replies. SIP MD5 encryption has a flaw in it which is hackable. Using these details they were able to register to our servers and make calls using customers' accounts.
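The two hardening settings named in the post above (PGM133 "Domain Only" and only answering authorisation challenges that belong to a request the PBX itself sent) can be expressed as trunk-edge screening logic. The block below is an added example, not iPECS firmware or any LG code; the provider address, Call-IDs and SIP messages are constructed sample values, and the real system's configuration fields are not modelled.

```python
"""Added example: two screening checks at the SIP trunk edge.
- accept_invite: the 'Invite Acceptance: Domain Only' idea; an INVITE is only
  honoured if it arrives from, and claims to be from, the configured provider.
- accept_401: a 401 challenge is only answered if it matches a request this side
  actually sent (same Call-ID and top Via branch) and comes from the provider,
  so an unsolicited challenge never elicits a digest response.
Hosts, Call-IDs and messages are constructed; this is not iPECS code."""
import re
from dataclasses import dataclass, field

PROVIDER_HOST = "203.0.113.10"  # constructed: provider as an IP, as the post says DNS fails in PGM133 on 5.5
CRLF = "\r\n"


def parse_sip(raw: str) -> dict:
    """Return the start line and a lower-cased header map (first value of a header wins)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    headers: dict = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return {"start": lines[0], "headers": headers}


def host_of(uri: str) -> str:
    """Host part of a SIP URI such as '<sip:1015@203.0.113.10:5060>' or 'sip:203.0.113.10'."""
    m = re.search(r"sip:(?:[^@>\s]*@)?([^:;>\s]+)", uri)
    return m.group(1) if m else ""


def via_branch(via: str) -> str:
    """Transaction branch parameter from a Via header."""
    m = re.search(r"branch=([^;\s]+)", via)
    return m.group(1) if m else ""


@dataclass
class TrunkScreen:
    provider_host: str
    pending: set = field(default_factory=set)  # (Call-ID, top Via branch) of requests we sent

    def register_outgoing(self, raw: str) -> None:
        """Remember a request we sent so that only its responses are honoured."""
        h = parse_sip(raw)["headers"]
        self.pending.add((h.get("call-id"), via_branch(h.get("via", ""))))

    def accept_invite(self, raw: str, src_host: str) -> bool:
        """'Domain Only': source host and From host must both be the provider."""
        msg = parse_sip(raw)
        if not msg["start"].startswith("INVITE "):
            return False
        from_host = host_of(msg["headers"].get("from", ""))
        return src_host == self.provider_host and from_host == self.provider_host

    def accept_401(self, raw: str, src_host: str) -> bool:
        """Answer a challenge only if it matches an outstanding request of ours."""
        msg = parse_sip(raw)
        if not msg["start"].startswith("SIP/2.0 401"):
            return False
        h = msg["headers"]
        key = (h.get("call-id"), via_branch(h.get("via", "")))
        return src_host == self.provider_host and key in self.pending


def _msg(*lines: str) -> str:
    return CRLF.join(lines + ("", ""))


# constructed sample traffic
OUR_REGISTER = _msg("REGISTER sip:203.0.113.10 SIP/2.0",
                    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-reg-1",
                    "From: <sip:pbx@203.0.113.10>;tag=a1", "To: <sip:pbx@203.0.113.10>",
                    "Call-ID: reg-0001@192.0.2.20", "CSeq: 1 REGISTER")
GOOD_401 = _msg("SIP/2.0 401 Unauthorized",
                "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-reg-1",
                "Call-ID: reg-0001@192.0.2.20", "CSeq: 1 REGISTER",
                'WWW-Authenticate: Digest realm="203.0.113.10", nonce="abc"')
PHONY_401 = _msg("SIP/2.0 401 Unauthorized",                       # answers nothing we sent
                 "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-bogus",
                 "Call-ID: unknown-77@198.51.100.7", "CSeq: 1 REGISTER",
                 'WWW-Authenticate: Digest realm="203.0.113.10", nonce="xyz"')
GOOD_INVITE = _msg("INVITE sip:1015@192.0.2.20 SIP/2.0",
                   "Via: SIP/2.0/UDP 203.0.113.10;branch=z9hG4bK-inv-9",
                   "From: <sip:0212345678@203.0.113.10>;tag=p1", "To: <sip:1015@192.0.2.20>",
                   "Call-ID: inv-0009@203.0.113.10", "CSeq: 1 INVITE")
ROGUE_INVITE = _msg("INVITE sip:1015@192.0.2.20 SIP/2.0",
                    "Via: SIP/2.0/UDP 198.51.100.7;branch=z9hG4bK-x",
                    "From: <sip:100@198.51.100.7>;tag=r1", "To: <sip:1015@192.0.2.20>",
                    "Call-ID: x-1@198.51.100.7", "CSeq: 1 INVITE")


def screen_samples() -> dict:
    """Run the constructed traffic through the screen; True means the message is honoured."""
    s = TrunkScreen(PROVIDER_HOST)
    s.register_outgoing(OUR_REGISTER)
    return {
        "good_401": s.accept_401(GOOD_401, PROVIDER_HOST),
        "phony_401_other_host": s.accept_401(PHONY_401, "198.51.100.7"),
        "phony_401_spoofed_host": s.accept_401(PHONY_401, PROVIDER_HOST),
        "good_invite": s.accept_invite(GOOD_INVITE, PROVIDER_HOST),
        "rogue_invite": s.accept_invite(ROGUE_INVITE, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, ok in screen_samples().items():
        print(f"{name:24s} {'accept' if ok else 'drop'}")
```

The point of tracking (Call-ID, branch) pairs is that a challenge which does not answer one of the PBX's own requests is simply dropped, so no digest response is ever computed for it, whichever host it claims to come from.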
 
Thanks Guys

Been busy removing all auth codes from all IPECs we have out there.

All SIP invites set to domain only.

This needs to come out as default on software releases from LG

Hoping for the best.

And thanks Doktor for the 7764. I was removing an old GSX 148 and forgot the code to check some programming. Hopefully the last time I will ever need that.
 
"This needs to come out as default on software releases from LG"...
Just ask them, and they will make these settings default.
With many default settings (almost) no mistakes are made and easier and faster installation time will be the result.

///doktor
 
Have now received the method by which the IPECs was hacked.

Very clever. And removing all passwords stops this completely

Thanks for the posts
 
Thermus,

We have just had exactly the same problem on a client with the same model system. Can you please give me any more details on the process they have used to compromise the voicemail? I have recorded SMDR from the system while this was happening and it's clear that the VM is activated after about 30s ring. Within a minute or so the outbound fraudulent call is initiated from the same extension.

We would really like to know how they have broken out from the VM, or at least how we can prevent it. The system in question has an ISDN30 trunk.

Hope you can help.

Thanks

john
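The SMDR pattern john describes (an inbound call rings into voicemail, then an outbound fraudulent call starts from the same extension within about a minute) is the kind of thing that can be flagged automatically once SMDR is being recorded, as several posters recommend. The block below is an added example, not iPECS output; the record layout and all records are constructed, and a real system's SMDR format will differ.

```python
"""Added example: correlate constructed SMDR records to flag an inbound call
that went to voicemail followed within a short window by an outbound
international call from the same station.  Not iPECS code; record layout,
stations, numbers and times are all constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# constructed layout: time, direction, station, dialled number, ring seconds, answered by
SMDR_SAMPLE = """\
2010-02-13 02:14:05,IN,1015,,31,VM
2010-02-13 02:14:52,OUT,1015,0053712345678,0,TRK
2010-02-13 02:17:30,OUT,1015,0053798765432,0,TRK
2010-02-13 09:05:10,IN,1022,,4,STN
2010-02-13 09:06:02,OUT,1022,0212223333,0,TRK
2010-02-13 11:40:00,OUT,1030,0061298765432,0,TRK
"""

INTERNATIONAL_PREFIXES = ("00", "+")  # assumption: 00 is the international access prefix (as in NZ)
WINDOW = timedelta(seconds=60)        # "within a minute or so", per the post


def parse_smdr(text: str) -> list:
    """Turn the constructed CSV layout into a list of record dicts."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        records.append({
            "time": datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"),
            "direction": row[1],
            "station": row[2],
            "dialled": row[3],
            "ring_seconds": int(row[4] or 0),
            "answered_by": row[5],
        })
    return records


def find_vm_breakouts(records: list, window: timedelta = WINDOW) -> list:
    """Flag IN->VM followed by an international OUT from the same station inside the window."""
    recs = sorted(records, key=lambda r: r["time"])
    alerts = []
    for i, r in enumerate(recs):
        if r["direction"] != "IN" or r["answered_by"] != "VM":
            continue
        for later in recs[i + 1:]:
            if later["time"] - r["time"] > window:
                break  # records are sorted, nothing later can be inside the window
            if (later["direction"] == "OUT"
                    and later["station"] == r["station"]
                    and later["dialled"].startswith(INTERNATIONAL_PREFIXES)):
                alerts.append({
                    "station": r["station"],
                    "vm_at": r["time"],
                    "ring_seconds": r["ring_seconds"],
                    "out_at": later["time"],
                    "dialled": later["dialled"],
                    "gap_seconds": int((later["time"] - r["time"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_vm_breakouts(parse_smdr(SMDR_SAMPLE)):
        print(f"station {a['station']}: VM after {a['ring_seconds']}s ring at {a['vm_at']:%H:%M:%S}, "
              f"international call to {a['dialled']} {a['gap_seconds']}s later")
```

Only the first outbound call after the voicemail leg is flagged here; the later 02:17:30 call falls outside the window but would be caught by the night-service international toll bar that later posts recommend.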
 
Hi Odyjohnf

Once again guys. If your password is at default of "*" for any extension. Even if that extension does not use voicemail your IPECS can be hacked & calls can be made to unwanted destinations.
Make sure all passwords in PGM227 are not at default and not 1234 or 111 or post code or anything else obvious.
***** It is important to be aware that if any phones have a password at default, even if they are not forwarded to voicemail, they are at risk. ***** Make the password secure and the calls will stop.
Hacked systems can easily build up calls of $15'000 to $20'000 over a weekend. It is not worth the risk.
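PuffinBilly's advice boils down to an audit of every station's authorisation code in PGM227: none left at the default "*", none obvious (1234, 1111, 9999, the post code), and none that happen to equal the station number. The block below is an added example of such an audit, not an LG tool; the station list, codes and post code are constructed, and the export format of a real PGM227 listing is not modelled.

```python
"""Added example: audit a mapping of station -> authorisation code for the
weaknesses named in the thread (factory default '*', obvious PINs, post code,
station number, repeated or sequential digits).  Not an LG tool; the export
below and the post code are constructed."""

CONSTRUCTED_EXPORT = {
    "1000": "*",      # factory default
    "1001": "1234",
    "1002": "1111",
    "1003": "9999",
    "1004": "6011",   # equals the constructed site post code
    "1005": "1005",   # equals the station number
    "1006": "4321",
    "1007": "7391",   # acceptable
    "1008": "",       # never set
}
SITE_POSTCODE = "6011"   # constructed
COMMON_PINS = {"1234", "1111", "0000", "9999", "2222", "4444", "1212", "0123"}
MIN_LENGTH = 4


def is_repeated(code: str) -> bool:
    return code.isdigit() and len(set(code)) == 1


def is_sequential(code: str) -> bool:
    """All adjacent digits step by +1 (e.g. 1234) or all by -1 (e.g. 4321)."""
    if not code.isdigit() or len(code) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps == {1} or steps == {-1}


def weaknesses(station: str, code: str, postcode: str) -> list:
    """Reasons a single code is weak; empty list means it passes."""
    reasons = []
    if code == "*":
        reasons.append("default")
    if code == "":
        reasons.append("empty")
    if code not in ("", "*") and len(code) < MIN_LENGTH:
        reasons.append("too short")
    if code in COMMON_PINS:
        reasons.append("common")
    if code and code == postcode:
        reasons.append("postcode")
    if code and code == station:
        reasons.append("station number")
    if is_repeated(code):
        reasons.append("repeated digits")
    if is_sequential(code):
        reasons.append("sequential")
    return reasons


def audit_auth_codes(export: dict, postcode: str) -> dict:
    """Return {station: [reasons]} for every station whose code fails the audit."""
    findings = {}
    for station, code in sorted(export.items()):
        reasons = weaknesses(station, code, postcode)
        if reasons:
            findings[station] = reasons
    return findings


if __name__ == "__main__":
    for station, reasons in audit_auth_codes(CONSTRUCTED_EXPORT, SITE_POSTCODE).items():
        print(f"station {station}: {', '.join(reasons)}")
```

Stations with no findings are simply absent from the result, so an empty dict is the state the thread is asking for: no default, no obvious and no empty codes anywhere, including on phones that never use voicemail.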
 
Hi Odyjohnf

As Puffin has stated you need to remove or set a stronger Auth code in pgm 227.
They break out of the system by guessing the Vmail pin or using default "*".

You could also toll bar all international calls on night service.

 
We did this: toll bar all international calls on night service.
Better now!


///doktor
 