Cisco/Linksys ATA Exploit?

November 12, 2013

So I’ve encountered a strange exploit being attempted against the VoIP system I maintain. It’s not actually against the softswitch, though, but rather against the end customer’s ATA. We first saw this particular exploit three or four months ago, and it’s rather strange, but at the same time rather ingenious in its effectiveness.

By not targeting the softswitch itself (which is heavily fortified), these hackers are able to make international calls almost unnoticed. Well, they were for the first few days until we put in another block. We still see these attacks coming in, even though they will no longer work on our system, so I know it’s not just our customers that are being singled out.

It’s puzzling to me, though, that I can’t find anyone talking about this exploit. I’m still not certain how they’re doing it, but I have a few theories.

The basic exploit works like this:

  1. The attacker finds a Cisco/Linksys ATA on the internet
  2. They somehow manage to determine what username or phone number the device is authenticating with
  3. They configure the ATA to forward calls to an international number
  4. They call the phone number determined in step 2 via the PSTN (not hitting our softswitch directly)
  5. The softswitch calls the ATA, and the ATA sends back a redirect pointing the softswitch at the international number
  6. The international number is a destination where they can make calls local to the PBX/softswitch serving it (also exploited, I’m sure)
  7. Once this path is set up, I’m guessing it’s published somewhere on some type of real-time notification system, because calls start coming in rapidly after that.
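The observable part of that path, from the softswitch's side, is step 5: an inbound call to the customer's number is answered by the ATA with a SIP 302 redirect whose Contact points at an international destination, followed shortly by more of the same (step 7). The script below is an added example, not code from the original post: it scans a constructed softswitch log (the `key=value` line format, the sample IPs and numbers, and a North American home country code are all assumptions) for 302 redirects to international numbers and reports any ATA that emits several of them to the same destination inside a short window, which is the kind of check that would have flagged the first few days of traffic described above.

```python
"""Flag SIP 302 redirects from customer ATAs to international numbers.

Added example (not from the original post). Assumes the softswitch
logs one line per SIP response received from an ATA, as space-separated
key=value pairs, and that the service sits on the North American
numbering plan (country code 1).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY_CODE = "1"          # assumption: NANP service
INTL_PREFIXES = ("+", "011", "00")  # E.164 plus common trunk prefixes
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3

# Constructed sample log (not real traffic). Fields: ata=<ATA IP>,
# did=<customer's PSTN number>, status=<SIP status>, contact=<Contact URI or ->
SAMPLE_LOG = """\
2013-11-12T03:14:07 ata=203.0.113.5 did=+15551230001 status=200 contact=-
2013-11-12T03:15:02 ata=203.0.113.5 did=+15551230001 status=302 contact=sip:+442079460001@203.0.113.5
2013-11-12T03:16:40 ata=203.0.113.5 did=+15551230001 status=302 contact=sip:+442079460001@203.0.113.5
2013-11-12T03:18:11 ata=203.0.113.5 did=+15551230001 status=302 contact=sip:+442079460001@203.0.113.5
2013-11-12T04:00:00 ata=198.51.100.9 did=+15551230002 status=302 contact=sip:+15551239999@198.51.100.9
2013-11-12T04:05:00 ata=198.51.100.9 did=+15551230002 status=486 contact=-
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def contact_number(contact_uri):
    """Return the user part of a sip:/sips: URI, or None if there is none."""
    m = re.match(r"sips?:([^@;]+)", contact_uri)
    return m.group(1) if m else None


def is_international(number):
    """True when the number carries an international prefix and leaves
    the home country. A number with no such prefix is treated as domestic."""
    for prefix in INTL_PREFIXES:
        if number.startswith(prefix):
            return not number[len(prefix):].startswith(HOME_COUNTRY_CODE)
    return False


def find_forward_redirects(log_text):
    """Return (ts, ata, did, destination) for every 302 whose Contact
    points at an international number."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("status") != "302":
            continue
        dest = contact_number(f.get("contact", ""))
        if dest and is_international(dest):
            hits.append((f["ts"], f["ata"], f["did"], dest))
    return hits


def burst_alerts(hits, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Report (ata, destination, count) for any ATA that redirected to the
    same international number at least `threshold` times within `window`."""
    by_key = defaultdict(list)
    for ts, ata, _did, dest in hits:
        by_key[(ata, dest)].append(ts)
    alerts = []
    for (ata, dest), times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append((ata, dest, j - i))
                break
    return alerts


if __name__ == "__main__":
    redirects = find_forward_redirects(SAMPLE_LOG)
    for ts, ata, did, dest in redirects:
        print(f"{ts} ATA {ata} (DID {did}) redirected call to {dest}")
    for ata, dest, n in burst_alerts(redirects):
        print(f"ALERT: {ata} sent {n} redirects to {dest} within {BURST_WINDOW}")
```

On the sample log only the first ATA trips the alert: its three redirects to a +44 number fall inside ten minutes, while the second ATA's 302 goes to a domestic number and is ignored. In production the same logic would sit on the softswitch or an SBC, where rejecting 3xx redirects from customer endpoints toward international destinations (or forcing them through the normal outbound toll checks) is the cleaner mitigation than alerting after the fact.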

We’ve seen an attempt on another type of ATA, but it was unsuccessful. We’ve also called the international number (there have been several different numbers attempted), which is how we know it’s routing calls out again from the destination.

We’ve seen it on ATAs that do not have a publicly reachable web interface, so I’m guessing that it’s done with SIP messages sent directly to the ATA. We’ve been attempting to work with Cisco on this, but we’re not a large enough customer to get on their radar just yet.

These aren’t random targets, either. They know the PSTN phone number, so I’m pretty sure they’re getting it from the ATA after a scan. The exploit also doesn’t look fully automated. There are time delays between attempts, and different phone numbers are used between attempts, which suggests there is a manual component to this and is probably also why it’s not more widespread.

I decided I would publish this here in case anyone had seen something similar and wanted to share their experiences with it.  It will at least provide a landing page for people who are Googling for this like I have been.

3 thoughts on “Cisco/Linksys ATA Exploit?”

  1. Matt

    Hi Marc

    I see this was a while ago now, but did you actually get anywhere with it? I’ve seen it twice in the past week. As far as I’m aware neither ATA was accessible from the internet, only via either voice or SIP.

    Thanks!

  2. Matt

    Actually … the last one I saw the call was coming in via a DID provider, so I don’t think it was even done by SIP. I’ve a feeling it’s DTMF codes being sent to do this. Love to know exactly how though obviously!

  3. Marc (Post author)

    We did finally get somewhere with this. Occam’s Razor applies.

    It seems that the newer ATAs have a third username/password combination that gives different access rights than the admin or user accounts. The third account is a “cisco” account, which allows the user to view and change certain ATA settings, including forwarding of lines.

    The simple fix was to change the password on that account. The long-term fix is to move the ATAs behind firewalls in addition to changing the account information; of course, that can cause other NAT issues…
