BT Home Hub SIP backdoor blunder blamed for VoIP fraud
You say 'block all connections', I say 'my port's still open'
Flaws in a BT Home Hub set-up are being blamed for helping facilitate a VoIP scam.
El Reg reader Keith Harbridge, an independent IT consultant, said his client, a firm of solicitors, is just one of a number of companies stung by the scam, which occurred in early March.
Independent security consultants at Pen Test Partners confirmed a security issue in BT's Home Hub setup, but argued the telco's kit (which is not really designed for small businesses) was only partially to blame.
This type of fraud involves crooks hacking into a VoIP system before selling on the illicit access they've obtained; the buyers then pump calls (in this case to several European countries) through the compromised PBX, and the bill lands with the victim.
BT finally responded to repeated requests for comment on the non-blocking of hacker traffic which lies at the heart of the problem, and supplied the following statement to El Reg on Wednesday morning:
BT has investigated similar issues and concluded that there is no fault with the way BT’s Consumer Home Hubs operate to allow VoIP calls over the internet.
It’s inappropriate to connect an IP PBX to the internet without taking additional steps to secure it.
If a customer does choose to set up their own IP PBX they must ensure that it is configured securely so they do not leave themselves exposed to potentially fraudulent behaviour.
The vast majority of BT customers would never use an IP PBX in this way, so there is very little risk that other customers would experience the same issue.
This issue has been a topic of complaints on BT's own forums before, as well as coverage in this esteemed journal.
Harbridge was brought into the issue after his client asked him to investigate a reported intrusion into its IP PBX. "The company had reported to me that overnight its phone providers (BT and Voipfone) had called them to report an unusual call pattern to several European countries and had suspended services on their line," he explained.
It quickly emerged that the IP PBX had been set up on the same subnet as the computer network, ostensibly so the IP PBX could set up an IP trunk to Voipfone. Harbridge declined to name the communications firm who set up the system, an entity that he doesn't blame for the resulting mess.
"It did what it was told to do and while it’s a dubious design decision not to keep the phones and the computer network on separate subnets, I can see why he or she did it, given the requirements from the client," Harbridge told El Reg.
"Ultimately, it made sure that the BT Home Hub security settings were set as high as they could be, and the firewall was turned on and set to block external connections. All SIP [Session Initiation Protocol] accounts had 256-bit passwords, and I am sure he/she was under the impression that the firewall on the Home Hub would stop all forms of outside access, and wasn’t to know that there was a built-in weakness," he said.
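The only way to know whether a router's "block external connections" setting is actually keeping SIP off a PBX is to ask from the outside: send a SIP OPTIONS request to the public address and see whether anything answers. Any reply at all proves the PBX is reachable from the internet, and a 401/407 challenge shows it will entertain registration attempts, which is exactly what toll-fraud crews scan for. The script below is an added example written for this article, not code from Harbridge, BT, Voipfone or Pen Test Partners; it assumes a plain UDP/5060 endpoint, uses documentation addresses (192.0.2.10, 198.51.100.7, 203.0.113.5) and a made-up "Example-PBX" server banner in its constructed sample reply, and should only be pointed at an address you are authorised to test.

```python
"""Probe whether a SIP endpoint answers from the outside (a SIP OPTIONS ping)."""
import random
import socket
import string
import sys

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261 s.8.1.1.7: every Via branch must start with this


def _rand(alphabet, n):
    return "".join(random.choice(alphabet) for _ in range(n))


def build_options(target_host, target_port=5060,
                  local_host="192.0.2.10", local_port=5060):
    """Build a minimal SIP OPTIONS request (RFC 3261 s.11) as bytes.

    local_host/local_port are only what we *claim* in Via/From/Contact; with
    ;rport the responder replies to the source address it actually saw, so a
    placeholder (here a TEST-NET address) is enough for a reachability check.
    """
    branch = MAGIC_COOKIE + _rand(string.ascii_lowercase + string.digits, 16)
    tag = _rand("0123456789abcdef", 8)
    call_id = _rand("0123456789abcdef", 24)
    lines = [
        f"OPTIONS sip:{target_host}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_host}>;tag={tag}",
        f"To: <sip:{target_host}:{target_port}>",
        f"Call-ID: {call_id}@{local_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_host}:{local_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(data):
    """Parse a SIP response's status line and headers.

    Returns (status_code, reason_phrase, headers) with lower-cased header
    names, or None if the bytes are not a SIP/2.0 response at all.
    """
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[0] != "SIP/2.0" or not status[1].isdigit():
        return None
    code = int(status[1])
    reason = status[2] if len(status) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def classify(parsed):
    """Turn a parsed response (or None on silence) into a one-line verdict."""
    if parsed is None:
        return "no SIP response (filtered, or not SIP)"
    code, reason, headers = parsed
    server = headers.get("server") or headers.get("user-agent") or "unknown"
    if code in (401, 407):
        return f"REACHABLE and challenging for credentials: {code} {reason} ({server})"
    return f"REACHABLE: {code} {reason} ({server})"


def probe(host, port=5060, timeout=2.0):
    """Send one OPTIONS over UDP from this machine and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_options(host, port), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify(None)
    return classify(parse_response(data))


# Constructed sample reply (not captured from any real PBX) so the parser can be
# exercised offline; 198.51.100.7 and "Example-PBX" are placeholders.
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc123;received=203.0.113.5;rport=5060\r\n"
    b"From: <sip:probe@192.0.2.10>;tag=1a2b3c4d\r\n"
    b"To: <sip:198.51.100.7:5060>;tag=as5e6f7a8b\r\n"
    b"Call-ID: deadbeefcafe@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: Example-PBX/1.0\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python sip_probe.py <public-ip> [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5060))
    else:  # no target given: show the verdict for the constructed sample
        print(classify(parse_response(SAMPLE_RESPONSE)))
```

Run it from a host outside the office network (a mobile tether or a cloud VM) against the Home Hub's public address. The answer you want for a PBX that is supposed to be firewalled off is the "no SIP response" line; anything else means the "block external connections" switch is not doing what the installer assumed, whatever the strength of the SIP account passwords behind it. Note that a PBX sitting behind NAT without a port forward or SIP ALG will also show as silent, so a quiet result only tells you about this vantage point at this moment, not that the hub is configured correctly in general.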