SIP Password Hacking
Posted: Thu Jun 12, 2014 3:28 pm
Hi all,
I have a client with a 6x on 7.4.13.5 firmware. Their system had previously been on a WAN IP and they were subject to the 'extension' hack that occurred about a year ago. We upgraded their firmware and put it behind a SonicWALL.
Now we're having a different type of hack occur, which may or may not be related to the 6x.
Specifically, they have 2 ITSP accounts registered to the 6x, and both of these accounts were hacked in the last 2 weeks by an external SIP client connecting directly with the ITSP. Somehow they got the SIP password for the ITSP on these 2 separate accounts.
I have many clients on the same ITSP, and this is the only one that has been hacked in this way.
This leads me to believe that the client may have a local system on their LAN with a trojan of some sort that is sniffing their network. But even then, my belief is the SIP registration password between the 6x and the ITSP would not get broadcast on the local LAN, and as well, it would (should) be encrypted.
In any case, I'm looking for anyone who can speculate how the hacker managed to figure out the SIP password.
Is it possible for someone with the Allworx admin password to be able to see the SIP password? It is masked in the admin interface, so I think the answer is 'no'.
My assumption is any hack attempt must be from internal, as the admin interface is restricted through an ACL on the WAN, but the answer has not yet struck me.
Any thoughts?