Reefa Posted March 25, 2015

You say 'block all connections', I say 'my port's still open'

Flaws in a BT Home Hub set-up are being blamed for helping facilitate a VoIP scam.

El Reg reader Keith Harbridge, an independent IT consultant, said his client, a firm of solicitors, is just one of a number of companies stung by the scam, which occurred in early March.

Independent security consultants at Pen Test Partners confirmed a security issue in BT's Home Hub setup, but argued the telco's kit (which is not really designed for small businesses) was only partially to blame.

This type of fraud involves crooks hacking into a VoIP system before selling on the illicit access they've obtained.

BT finally responded to repeated requests for comment on the non-blocking of hacker traffic which lies at the heart of the problem, and supplied the following statement to El Reg on Wednesday morning:

BT has investigated similar issues and concluded that there is no fault with the way BT’s Consumer Home Hubs operate to allow VoIP calls over the internet.

It’s inappropriate to connect an IP PBX to the internet without taking additional steps to secure it.

If a customer does choose to set up their own IP PBX they must ensure that it is configured securely so they do not leave themselves exposed to potentially fraudulent behaviour.

The vast majority of BT customers would never use an IP PBX in this way, so there is very little risk that other customers would experience the same issue.

This issue has been a topic of complaints on its forums before, as well as coverage in this esteemed journal.

Harbridge was brought into the issue after his client asked him to investigate a reported intrusion into its IP PBX.
"The company had reported to me that overnight its phone providers (BT and Voipfone) had called them to report an unusual call pattern to several European countries and had suspended services on their line," he explained.

It quickly emerged that the IP PBX had been set up on the same subnet as the computer network, ostensibly so the IP PBX could set up an IP trunk to Voipfone. Harbridge declined to name the communications firm who set up the system, an entity that he doesn't blame for the resulting mess.

"It did what it was told to do and while it’s a dubious design decision not to keep the phones and the computer network on separate subnets, I can see why he or she did it, given the requirements from the client," Harbridge told El Reg.

"Ultimately, it made sure that the BT Home Hub security settings were set as high as they could be, and the firewall was turned on and set to block external connections. All SIP [Session Initiation Protocol] accounts had 256-bit passwords, and I am sure he/she was under the impression that the firewall on the Home Hub would stop all forms of outside access, and wasn’t to know that there was a built-in weakness," he said.

Block and tackle

The router was a BT Home Hub 5A that was set to “Block all incoming connections”, although Harbridge then discovered that the kit did allow any incoming connection on port 5060 (the standard VoIP port).

"No matter how paranoid you make the firewall settings (and there aren’t many options in that respect) in the router, a BT Home Hub 5A will always allow unrestricted access to port 5060," Harbridge explained.
"As I understand it, this is 'by design' and is done to make things easier for customers using the BT VoIP service."

"To make matters worse, the Home Hub will even go to the effort of doing the NAT for you until it finds a working SIP device to connect to," he added.

He explained that hackers successfully brute-forced a SIP test account in order to make calls after smuggling attack traffic through the BT Home Hub rig, giving a detailed account as follows:

The fraud originated from the US (Texas and Virginia). Several port scans revealed that port 5060 was open and responsive, despite the Home Hub having its settings set to deny all connections.

UPnP (Universal Plug and Play) was turned off in the settings of the Home Hub, but somehow this didn’t seem to bother the router which forwarded all requests on this port to the FreePBX system powering the phone service.

Quite how the router did this when UPnP was turned off and there were no settings to forward any ports or any DMZ settings is a mystery, but I suspect the router is set up to support a BT VoIP service with minimal fuss, and therefore anything to do with VoIP gets special treatment.

So, having found the FreePBX system [the hackers] began the long process of hammering away at it until a password and SIP account was found. The extensions all had strong 256-bit passwords.

Through the admin control panel of their Yealink desk phones I was able to see the passwords and initially I was thinking 'No way in hell did they break that password'. I mean these things used the full ASCII range of characters not just letters and numbers.

However, the original engineer had clearly missed a testing account that should have been removed after setup and it had a weaker password (though I wouldn’t have called it insecure by any means) and the attackers had managed to crack that.

As soon as they did so, they placed a few international calls.
Not a great many; the system's own auditing system caught the calls a few seconds before BT and Voipfone’s automated systems terminated the trunks. The call charges were in the region of about £90.

I believe the client is also awaiting a response from BT regarding information that [appears to show] that the Home Hub just allowed the attackers to walk in, even when due diligence had been applied in making sure the settings were correct in the control panel of the router.

BT's fraud prevention team informed Keith's client that all charges would remain valid since it was not BT’s fault that fraud had occurred on customers' equipment.

Harbridge strongly disagreed. "If a firewall tells me it is blocking all incoming connections, I reasonably expect it to block 'All' incoming connections, not 'All incoming connections with the exception of port 5060 because we need that one open for our own use, thanks'."

The latest issue involves shortcomings in the firewall built into the BT Home Hub device and is unrelated to a hacking vulnerability discovered by GNUCITIZEN back in 2007 or several flaws since (examples here and here).

Bit of a SIP-up

Harbridge credits the VoIP service for acting responsibly. "Voipfone is pretty blameless ... it noted the odd call pattern and terminated access as soon as possible," he explained.

It has also not charged for the calls that were made (only one call was made via its network; the rest were via BT and the PSTN), added Keith. It didn’t supply any equipment or have any part in the customer's equipment other than providing a SIP trunk, and the account was not hacked, he added.

The IP PBX is a hardware device that is also connected to the BT PSTN, as well as having a SIP trunk.

Harbridge remains adamant that BT is primarily to blame:

The villain in this story is BT.
It supplied a Home Hub router to a business (something, by BT’s own admission, that should not have happened as the firm should have been given a Business Hub) which has a deliberate built-in weakness in the firewall that is not documented in any way.

No matter what security settings you choose in the hub, port 5060 will always remain open to enable its own VoIP service. Customers are not told of this glaring little hole that is in there by design.

We understand Harbridge's client (a firm of solicitors who wish to remain anonymous) will be complaining to BT as "it was BT’s equipment that allowed the attacker in, and it takes extreme exception to BT telling it that it is still responsible for the call charges as it is not responsible for incidents that occur on customers' own equipment," as Harbridge put it.

"I believe the issue is also present in BT Home Hubs going back as far as version 3," he added. A thread on a BT forum going back to 2013 confirms complaints about a failure to block VoIP (SIP) traffic by BT Home Hub version 3.

Security consultant Chris Pritchard at Pen Test Partners was able to recreate the issue using a FreePBX live server distribution and a BT Home Hub 5A, the latest version.

In a test he was able to trigger the UPnP on the Home Hub to open the SIP ports: "Even though my Home Hub firewall settings are at default (allow all outgoing connections and block all unsolicited incoming traffic) and I have not put the server in the DMZ nor forwarded any ports, those ports are now open externally and anyone port scanning my SIP ports will see [the device]."

Ken Munro, a partner at Pen Test Partners, commented: "The primary issue is with the Asterisk-based PBX. It is effectively overriding the Home Hub security configuration."

"However, the Home Hub should not permit this. Clearly usability has got the better of security in the Home Hub configuration."

Munro added: "The Home Hub is not really corporate grade kit – there is a lack of in-depth configuration.
I wouldn’t advise using one outside the home environment."

"This really serves to underline why domestic-grade kit should not be used in business environments. Universal Plug and Play is great for helping non-tech users get their kit working, but there can be a heavy price to pay with security," he said.

"The service is probably enabled for ease of use – making it easy for less technical home users to sign up for SIP services. It makes connecting to devices easier, though not in a particularly secure manner," he added.

However, Harbridge disagreed with Munro's assessment that the Asterisk PBX was the primary issue. "UPnP was turned off and the Asterisk configuration was set up not to use it," he explained.

The issue of VoIP fraud is not restricted to small business networks, and Munro warned that "lots of home users are starting to run SIP, so could explode as a source of toll fraud".

http://www.theregister.co.uk/2015/03/25/bt_home_hub_fraud_sip_voip_calls/?page=1
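In the incident above it was the PBX's own auditing that caught the calls, after the router had already let the registration attempts through. As an added example (not code from the article, from Harbridge, or from Pen Test Partners), here is a small Python detector for that failure mode: run over constructed Asterisk chan_sip-style log lines, it flags external sources making repeated failed SIP registrations and any account that then registers successfully from such a source, which is what a brute-forced leftover test account looks like in the log. The log format and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Message shapes understood by this detector. They mimic the classic Asterisk
# chan_sip "Registration from ... failed" NOTICE and the "Registered SIP"
# verbose line; the sample log below is constructed, not a real capture.
FAIL_RE = re.compile(
    r"Registration from '(?P<who>[^']*)' failed for "
    r"'(?P<ip>\d+(?:\.\d+){3}):\d+' - (?P<reason>.+)$")
OK_RE = re.compile(r"Registered SIP '(?P<ext>[^']+)' at (?P<ip>\d+(?:\.\d+){3}):\d+")

def analyse(lines, threshold=5):
    """Return (suspects, compromised).

    suspects:    {source_ip: failed registration count} for sources at or
                 above `threshold`, i.e. password guessing against the PBX.
    compromised: [(extension, source_ip)] for registrations that SUCCEEDED
                 from a source that had already failed `threshold` times.
    """
    failures = defaultdict(int)
    compromised = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = OK_RE.search(line)
        if m and failures.get(m["ip"], 0) >= threshold:
            compromised.append((m["ext"], m["ip"]))
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return suspects, compromised

# Constructed sample: six bad guesses against a leftover 'test' extension from
# one external address, then a successful registration from it; plus a
# legitimate phone that mistyped its secret once and then registered fine.
SAMPLE_LOG = [
    f"[Mar  5 02:14:{10 + i:02d}] NOTICE[1234] chan_sip.c: Registration from "
    "'\"test\" <sip:test@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password"
    for i in range(6)
] + [
    "[Mar  5 02:14:20] NOTICE[1234] chan_sip.c: Registration from "
    "'\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password",
    "[Mar  5 02:14:21] VERBOSE[1234] chan_sip.c:     -- Registered SIP '101' at 203.0.113.5:5060",
    "[Mar  5 02:14:25] VERBOSE[1234] chan_sip.c:     -- Registered SIP 'test' at 198.51.100.7:5060",
]

if __name__ == "__main__":
    suspects, compromised = analyse(SAMPLE_LOG)
    print("brute-force sources:", suspects)                  # {'198.51.100.7': 6}
    print("accounts registered by them:", compromised)      # [('test', '198.51.100.7')]
```

Fed the PBX's live log, the second list is the one worth paging on: it means an account secret was guessed, not just attempted, and the trunk should be suspended before the first international call completes.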