URGENT // Voice PSTN call vulnerability/hack E1

Unanswered Question
Sep 7th, 2010


One of our customers was hacked on his voice interface 1 year ago. The environment is a CM6.1 and a 3K router with an E1 interface as gateway.

The hacker used a leak with unassigned called numbers. The customer had some destination numbers (he did not give us a complete list of all called DID numbers). So when the hacking company called those numbers, it could send #0000 just after the called number and get an outgoing call free of charge. As this company used them for long-distance calls, the customer was charged more than 30K$ in 4 days (it was on an E1, on all channels, during a weekend + some days).

To avoid this, we configured a default translation where every non-translated number has as its destination the central office phone. So even if there is a wrong incoming number, it will arrive on a phone and not receive an outgoing line.

There were no log entries in the CM; the call never reached the CM, it made the turn directly in the router. It was the provider who called to report a very large volume and cost on this line.

Now, in August, the same customer has had outgoing calls over 1 week that he could never have made. The calls are in the middle of the night, when nobody is on site. The amount in 5 days is only 600$, but there must be a leak to do this. Nothing says that one day an explosion of those calls will not happen. The provider has verified the outgoing logs on his systems and the calls are really coming from this E1 interface (not just a billing error, but real calls). He does not have any incoming stats, and the CM has no log entry about those calls (like before, it is probably a turn in the router). The router was rebooted a few days before we received the problem report from the customer, as we added a new interface to the router. Anyway, as the trouble was 2 weeks earlier, the entries would not have stayed in the log... The destinations were the Middle East and the US, and this customer never calls these destinations (that's why he saw it).

Any idea or experience with such a problem?

Any idea about how they can do this?

Any idea how to prevent any turn in the router?

Christopher Graham Tue, 09/07/2010 - 15:40

Is there an incoming POTS dial peer for the PRI (with 'incoming called-number .') that has 'direct-inward-dial'?

Without this command, an inbound call to a non-allocated number would provide dial tone to the caller and allow them to place a secondary call. With direct-inward-dial, this will not occur. You must make sure that EVERY inbound call matches a POTS dial peer with this command.

danjor Wed, 09/08/2010 - 02:36

We do use:

dial-peer voice 10 pots
tone ringback alert-no-PI
description 9Office E1, use for incoming/outgouing calls
translation-profile incoming incoming-profile
translation-profile outgoing outgoing-profile
preference 1
destination-pattern 0T
incoming called-number .
fax rate disable
port 0/0/0:15

And in the translation profile we have the translation rules that match any expected number from this E1:

voice translation-profile incoming-profile
translate calling 4      
translate called 1

To change the incoming number for the call back from the phone, we have to add the missing 0:

voice translation-rule 4
rule 1 /^0/ /00/
rule 2 /^/ /00/

To be sure to also catch the unexpected, after the suspected hack last week we added a translation rule 15 for incoming:

As the provider sends us the number as 4 or as 10 digits, we translate the start of the 4-digit display to those that match the destination prefix.

For example, in rule 2 an incoming 7654 is translated to 2454, as we organised the sites to keep, if possible, their ending 2 digits corresponding to the PSTN ending digits (the translation rules would be too big to manage otherwise, because of a lot of historical ranges from the different sites).

voice translation-rule 1
rule 1 /^0nnnnnnnnn/ /5550/
rule 2 /^nn\(..\)/ /24\1/
rule 3

rule 4
rule 5
rule 6
rule 7
rule 8
rule 9
rule 10
rule 11
rule 12
rule 13
rule 14
rule 15 // /2487/      (to send the unexpected number to the phone of a technician responsible for voice)
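
The check from Christopher Graham's reply (every POTS dial peer that matches inbound calls with 'incoming called-number' should also carry 'direct-inward-dial'), as an added example that is not part of the original thread: a small Python audit over IOS dial-peer text. The sample config is constructed; dial-peer 10 is modeled on the one posted above, while dial-peers 20 and 30, their ports and the 192.0.2.10 address are hypothetical.

```python
import re

# Constructed sample: peer 10 mirrors the posted one, 20 and 30 are hypothetical.
SAMPLE_CONFIG = """\
dial-peer voice 10 pots
 destination-pattern 0T
 incoming called-number .
 port 0/0/0:15
!
dial-peer voice 20 pots
 incoming called-number .
 direct-inward-dial
 port 0/0/1:15
!
dial-peer voice 30 voip
 incoming called-number .
 session target ipv4:192.0.2.10
!
"""

HEADER = re.compile(r"^dial-peer voice (\d+) (\S+)$")

def parse_dial_peers(config):
    """Return {tag: {"type": str, "lines": [sub-commands]}} from IOS config text."""
    peers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = peers.setdefault(m.group(1), {"type": m.group(2), "lines": []})
        elif not line or line == "!":
            current = None  # a "!" or blank line ends the dial-peer block
        elif current is not None:
            current["lines"].append(line)
    return peers

def inbound_pots_without_did(config):
    """Tags of POTS peers with 'incoming called-number' but no 'direct-inward-dial'."""
    flagged = []
    for tag, peer in parse_dial_peers(config).items():
        inbound = any(l.startswith("incoming called-number") for l in peer["lines"])
        if peer["type"] == "pots" and inbound and "direct-inward-dial" not in peer["lines"]:
            flagged.append(tag)
    return flagged

if __name__ == "__main__":
    for tag in inbound_pots_without_did(SAMPLE_CONFIG):
        print(f"dial-peer {tag}: inbound POTS peer without direct-inward-dial")
```

The parser accepts both indented running-config output and unindented text separated by blank lines, as pasted in this thread.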