BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Bit of a SIP-up

Harbridge credits the VoIP service for acting responsibly. "Voipfone is pretty blameless ... it noted the odd call pattern and terminated access as soon as possible," he explained.

It has also not charged for the calls that were made (only one call was made via its network; the rest were via BT and the PSTN), added Keith. It didn’t supply any equipment or have any part in the customers equipment other than providing a SIP trunk, and the account was not hacked, he added.

The IP PBX is a hardware device that is also connected to the BT PSTN, as well as having a SIP trunk.

Harbridge remains adamant that BT is primarily to blame:

The villain in this story is BT. It supplied a Home Hub router to a business (something, by BT’s own admission, that should not have happened as the firm should have been given a Business Hub) which has a deliberate built-in weakness in the firewall that is not documented in any way.

No matter what security settings you choose in the hub, port 5060 will always remain open to enable its own VoIP service. Customers are not told of this glaring little hole that is in there by design.

We understand Harbridge's client (a firm of solicitors who wish to remain anonymous) will be complaining to BT as "it was BT’s equipment that allowed the attacker in, and it takes extreme exception to BT telling it that it is still responsible for the call charges as it is not responsible for incidents that occur on customers own equipment," as Harbridge put it.

"I believe the issue is also present in BT Home Hubs going back as far as version 3," he added. A thread on a BT forum going back to 2013 confirms complaints about a failure to block VoIP (SIP) traffic by BT Home Hub version 3.

Security consultant Chris Pritchard at Pen Test Partners was able to recreate the issue using a FreePBX live server distribution and a BT Home Hub 5A, the latest version.

In a test he was able to trigger the UPnP on the Home Hub to open the SIP ports: "Even though my Home Hub firewall settings are at default (allow all outgoing connections and block all unsolicited incoming traffic) and I have not put the server in the DMZ nor forwarded any ports, those ports are now open externally and anyone port scanning my SIP ports will see [the device]."

Ken Munro, a partner at Pen Test Partners, commented: "The primary issue is with the Asterix-based PBX. It is effectively overriding the Home Hub security configuration."

"However, the Home Hub should not permit this. Clearly usability has got the better of security in the Home Hub configuration."

Munro added: "The Home Hub is not really corporate grade kit – there is a lack of in-depth configuration. I wouldn’t advise using one outside the home environment."

"This really serves to underline why domestic-grade kit should not be used in business environments. Universal Plug and Play is great for helping non-tech users get their kit working, but there can be a heavy price to pay with security," he said.

"The service is probably enabled for ease of use – making it easy for less technical home users to sign up for SIP services. It makes connecting to devices easier, though not in a particularly secure manner," he added.

However, Harbridge disagreed with Munro's assessment that the Asterisk PBX was the primary issue. "UPnP was turned off and the Asterisk configuration was set up not to use it," he explained.

The issue of VoIP fraud is not restricted to small business network, and Munro warned that "lots of home users are starting to run SIP, so could explode as a source of toll fraud". ®