back to article BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Flaws in a BT Home Hub set-up are being blamed for helping facilitate a VoIP scam. El Reg reader Keith Harbridge, an independent IT consultant, said his client, a firm of solicitors, is just one of number of companies stung by the scam, which occurred in early March. Independent security consultants at Pen Test Partners …

  1. Anonymous Coward
    Anonymous Coward

    If a router firewall doesn't block all connections when it says it does then that's a serious problem. If I buy vegetarian sausages and Peppa Pig is one of the ingredients I'd be a bit pissed, doesn't do what it says it does on the packet.

    1. Anonymous Coward
      Anonymous Coward

      "If a router firewall doesn't block all connections when it says it does then that's a serious problem."

      If you block incoming SIP connections on this port then SIP devices can't receive incoming calls. SIP can't actually work with this port (and 5061) blocked - so I guess in the context of a domestic router it would stay open even if the firewall says incoming connections are blocked. Adding the option to configure this stuff by port then invites users to get it horribly wrong.

      It seems an unlikely use case that someone plops a PBX behind a domestic router and then doesn't protect it with a session border controller.

      1. Bronek Kozicki

        @AC Right, in a way you are right.

        If you buy vegetarian food, then you do not get certain proteins of animal origin as well. However you might have missed the point that some people do buy vegetarian food exactly for the reason that they only want proteins of non-animal origin.

        Similarly, someone might want to disable all incoming traffic exactly for reason of preventing their IP PBX being hacked, and then add an extra rule to open port 5060 to only IP address(es) specified by their own SIP provider. At least that's what I do and I imagine that's common sense. Why would anyone want to open 5060 to everyone I do not quite understand (*), and why would a firewall insist to keep it open despite configured to keep it closed is ... well, that's pretty severe and I do hope that BT receives kicking for this one.

        *) one theory being that one might want to use direct RTP communication with the world, but that's not actually very convenient given exposure to cold calls from everywhere and from all time zones (security aspect aside!)

      2. chris 17 Silver badge

        using the supplied documentation, the administrator selected the settings that indicated all non solicited inbound connections would be dropped. The expectation driven by the available information was that all inbound non solicited comms would be dropped. If it said block all non solicited inbound apart from SIP then everyone would be clear that the sip port was vulnerable and take approprate action.

        So as a home user i now need to pen test access to my (and those i care about) internal network from the internet as i can't trust the config settings on my ISP supplied router.

        1. Probie

          Well watch out for 192.168.99.X

          Yeah, BT are doing regualrly screwy things. I recenty did a local NMAP of my networks and found 192.168.99.X responding, which was strange as I do not use 192.168.99.X.

          Traceroute showed.

          traceroute to 192.168.99.100 (192.168.99.100), 30 hops max, 60 byte packets

          1 my internal router Before the Home Hub (192.168.X.XXX) 4.719 ms 11.084 ms 14.443 ms

          2 BT Home Hub (192.168.0.254) 15.342 ms 15.556 ms 16.438 ms

          3 217.32.146.173 (217.32.146.173) 18.579 ms 18.580 ms 22.018 ms

          4 217.32.146.238 (217.32.146.238) 22.026 ms 23.532 ms *

          5 213.120.156.202 (213.120.156.202) 29.742 ms 29.748 ms 46.668 ms

          6 217.41.168.201 (217.41.168.201) 46.674 ms 5.724 ms 6.427 ms

          7 217.41.168.109 (217.41.168.109) 7.364 ms 7.365 ms 7.913 ms

          8 213.120.183.30 (213.120.183.30) 36.461 ms * *

          Looking up the 213 address shows it is a BT address, and a reasonably port selathed one at that. And there was me thinking 192.168.X.X/16 was all PRIVATE. I could see nothing on the forums about this, so right now all my internal clients null route 192.168.99.X/24, Well all that I can get hold of anyway, the ones where I cannot access the OS rest behind two other firewalls.

          As I have never trusted BT (or any other ISP for that matter) there are multiple firewall/router between the Home Hub and my home network. I should thank BT really for the free security and paranoia couse. Almost enough to make you think they are out to get you.

          I do agree with lost all faith you cannot abbroagte resposibiliyt for your security. The fact that VOIP worked for incoming calls should have raised a warning flag, but I also expect something to do what is reports it is doing.

          1. chris 17 Silver badge

            Re: Well watch out for 192.168.99.X

            no need to hide private IP's on internet forums as they are non routable across the internet

            http://en.wikipedia.org/wiki/Private_network

            its the public addresses you need to worry about as they lead right to your network.

            you are being far too paranoid. just 1 firewall properly configured that doesn't deliberately lie to you is sufficient to keep you safe, most will have a firewall on each computer too.

            if you are this scared at the moment, just wait till ipv6 is rolled out, each machine will have its own publicly addressable ip, whilst right now you only have 1 publicly addressable IP for all your home devices.

            1. Probie

              Re: Well watch out for 192.168.99.X

              The point I was making was that BT ARE routing 192.168.99.X/24 out of my home hub, to the wider BT network, IE the traffic is NOT being dropped as per IANA.

              Also soem FWs have some "helpfull" - AKA stupid default groups users can use like 192.168.0.0/16. Just for the reason you highlighted.

              So whilst I would agree with you on a proper firewall, having BT in the mix means no trusting BT, no way. So I have two, the swiss cheese emental BT home hub and a more fine grained firewall, which is a BSD variant. Yes the BT hub is that untrustowrthy. And beacuse the Home Hub does not allow for any static routes, if I want to have anyting outside of a single flat network and the Home Hub maps to MAC address and NOT IP address (try the home hub and give you laptop two IP addresses see what happens!) I need another NAT function somewhere.

              I do get it though - the Home Hub is aimed at uneducated consumers - it tries to be helpful, but seemingly fails in a epic manner when presented with anything come even close to "desinged".

              IPv6 will remove NAT which frankly makes life easier, i still need a firewall/modem/bridge to pass traffic through, so a firewall riles set will still apply. Although it remains to be seen if NAT will be pushed through on IPv6. Least trust on everything and then modify a rule when the kids scream "the internet is broken".

    2. Jim 59

      If a router firewall doesn't block all connections when it says it does then that's a serious problem

      Agreed. This an issue of BT misrepresenting the behavior of the Hub firewall. They said it blocked all incoming ports, when they knew it didn't. Next case, please.

      Oh and the HH3 is leaves port 161 open too.

      1. Bronek Kozicki

        Oh my ... that's SNMP.

        It would seem that BT consistently prioritises support cost over security of users. That's not very good, but the silver lining here is that, perhaps, a small company of solicitors can convince BT to change its ways.

  2. Anonymous Coward
    FAIL

    A few at fault here

    1. BT for allowing a Deny All to allow traffic through

    2. Who ever sent the order in or processed it (I've never known BT supply a home hub to a business, but it could happen, Or did they fail to declare it was a business because they noticed that a home account is cheaper than a business and go down that route to save a few quid?).

    3. The network installer that thought a BT router was a suitable firewall for a business.

    4. The PBX installer, for not setting up the PBX correctly. How the hell did they commit this basic of frauds on an even remotely locked down system?

    5. The security "expert" trying blame BT only, when this was a cluster fuck and he should be prepared to tell, the network installer, the PBX installer and even maybe the customer. If you don't tell them all the faults, they will just repeat it over and over.

    As for the "locked down" part. If they did lock down 5060, how was the SIP provider going to get SIP call into the system (unless using a custom port) unless this was open. If they are attempting to justify using a basic router to do complex firewall rules, then god help them.

    This just smacks of everyone trying to do everything as cheaply as possible then being surprised when it goes wrong.

    1. This post has been deleted by its author

      1. conscience

        Re: A few at fault here

        Yes, if memory serves it was a sequel to the Three Weeks in Paradise game starring Wally Week and his family... and on the B side of the cassette tape there was a terrible "Everyone's a Wally" theme song too.

        https://www.youtube.com/watch?v=6Q5ZG7zHl3w

        Seems spookily apt here!

    2. Anonymous Coward
      FAIL

      Re: A few at fault here

      Ok for those down voting me, I'd love to know why.

      Just for you of those that don't understand VoIP from Voipfones very own website:

      "You will need to open ports 5004 to 5060 to enable you to connect to our servers and register your phone on our network. "

      This is why I pointing out the glaring obvious fact that 5060 NEEDS to be open, it's like saying shut off port 80 for home uses to protect them from the baddies on the internet.

      Toll fraud is perhaps the most widely known and well documented issue with badly configured PBX's. if you don't harden against that, you should NOT be installing the kit.

      1. This post has been deleted by its author

      2. Bronek Kozicki

        Re: A few at fault here

        Downvote from me, because 5060 only needs to be open to certain IP address(es), owned by your SIP provider (in this case Voipfone). Which would be enough to protect from intrusion.

        You would know it if you have ever setup a VoIP base station, but I suspect you never did.

        1. This post has been deleted by its author

          1. Bronek Kozicki

            Re: A few at fault here

            You pose valid question here, however please note that setting up SIP behind NAT is tricky enough as is, and it is actually valid to assume that if the firewall says that all access from outside is closed, then inbound communication is only allowed as a result of stateful NAT taking place inside the firewall. The "ASSUME" is the naiive part, but it's not actually as bad as you seem to make it.

        2. Anonymous Coward
          FAIL

          Re: A few at fault here

          "Downvote from me, because 5060 only needs to be open to certain IP address(es)"

          Well, you are right, but:

          1. Why the HELL would you be attempting to do this on a BT home hub...ffs you can't even do your own DNS settings on many of these.

          "You would know it if you have ever setup a VoIP base station,"

          Done plenty thanks, and the first rule before go live, is lock the fucking PBX down. I certainly wouldn't rely on a basic home router to do my firewalling when connected to a business phone system.

          This NO better than sticking an unpatched web proxy on a DMZ and wondering why it gets nailed.

          This is people doing it badly and / or cheaply.

          And NOT once have I defended BT, they are to blame as well, but so are so many other people.

          1. chris 17 Silver badge

            Re: A few at fault here

            if you pen tested the internet connection from the internet before the pbx was installed its likely the port in question would have been shown as not listening/down/nothing there just as you would expect if the firewall was configured to drop inbound traffic. Its an undocumented feature on the BT HH thats at fault. even if the pbx was installed and just happened to be offline at the time of a port scan it would have looked like the ports where locked as expected. The fix in this case would be, assuming the pbx runs on *nix, is to enable the firewall on the pbxs and permit only those ports from specific internet IP's.

            Who would bother to test if the firewall was truly blocking for the specific ports in question? When you do the job for a while you expect to trust your equipment, basic or advanced, firewalls generally do as they are told.

      3. Dabooka
        Stop

        Re: A few at fault here

        Quite simple, the need for port '5004-5060' to be open to allow connection is irrelevant; if you lockdown all incoming connections, it should lock them down. If a user then needs it to be open to allow SIP it’s up to them to open it up. Or is that too simple?

        As for BT, I think a simple amendment of the firmware would've resolved this. Surely offering 'All incoming connections will be refused EXCEPT 5060 for VOIP purposes' with another option beneath stating 'Block all connections INCLUDING 5060 (this prevents VOIP working)' would suffice. Or specifiy a port for VOIP (blank means no VOIP). You know, user choice.

        Other than that glaring flaw in your post, I thought the rest of it was alright. The question that needs to be answered though is if the account was set up as business or domestic; that'll put the blame of the HH5a router being used squarely with BT or the firm.

    3. NinjasFTW

      Re: A few at fault here

      As for the "locked down" part. If they did lock down 5060, how was the SIP provider going to get SIP call into the system (unless using a custom port) unless this was open. If they are attempting to justify using a basic router to do complex firewall rules, then god help them.

      You're assuming they want incoming voip calls. The article mentions that the pbx was connected to the voip trunk as well as the pstn.

      I would assume that they were only routing outgoing calls through the voip trunk.

      The pbx installer should probably take some blame if they left an easy access test account.

      However a router that lies to you about its firewall state and then 'helpfully' auto-detects and routes traffic to any voip interface it can find is pretty hard to defend...

      The network engineer who set it up can object all he wants to the equipment he is provided but if the client says just make it work then that's what he does.

      1. Anonymous Coward
        Anonymous Coward

        Re: A few at fault here

        "You're assuming they want incoming voip calls. The article mentions that the pbx was connected to the voip trunk as well as the pstn."

        Even if it was only used for outgoing calls the port has to be open to maintain registration with the SIP provider. If the port's closed, the PBX won't work.

      2. This post has been deleted by its author

    4. Steve Evans

      Re: A few at fault here

      2) I've seen plenty of small businesses supplied with the terrible Home Hub 3 (even worse, the type A).

      TBH, the VOIP fraud attempt volume is quite staggering. I've recently been playing about with Asterisk, and wanted to test by connecting to it externally, it was flooded with attempted call attempts (lucky that I'm not so new in telephony that I had unrestricted outbound permitted!).

      It truly was a staggering volume... It didn't gradually ramp it, it was just there! attempts to dial 9nnnnnnn, 00nnnnnn etc etc... As I said, I didn't have any outbound routing configured, so they didn't go anywhere... But I did decide to have some fun with them by sending back 60 seconds of recorded ring tone... (I know, probably did nothing, but if it held up one if their spider threads for 30 seconds, it's a start!).

      1. Stuart 22

        Re: A few at fault here

        BT are right not to re-imburse. If 5060 had been blocked then it would have had to be unblocked anyway and so the same hack would have happened.

        But BT are at fault for not blocking 5060 on 'All'. Anyone who isn't knowingly using SIP/VOIP who gets hacked through this port should take 'em to the cleaners. As to the distinction between security on a home and business account - I have a home business and I expect the same level of security in either mode. If I'm running a bank or an obvious target for attack I may elect to put in extra firewalls and other stuff but an ordinary business and an ordinary home user should have the same level of protection. Not just for their own sake but to minimise the chance it gets taken as a bot to plague the rest of us.

        And on the grief BT Broadband has given me and my clients over the years - anyone using them should, perhaps, be aware they are not to be trusted for anything other than watching some footie. So, yes, blame all round!

    5. PNGuinn
      Mushroom

      Re: A few at fault here

      ClusterF%$k BT.

      Just because,

  3. Paul Crawford Silver badge

    I would say this is completely BT's fault, after all it matters not if the end user is business or consumer, the kit they supplied LIED to the admin about the firewall being on, and it LIED about UPnP being off.

    More over, this is a known vulnerability that BT has done bugger-all about because it might add to their support costs.

    1. Roland6 Silver badge

      Re: I would say this is completely BT's fault...

      BT's fraud prevention team informed Keith's client that all charges would remain valid since it was not BT’s fault that fraud had occurred on customers' equipment.

      Well can't see BT getting away with this one. If this is the BT domestic home hub that BT supplied when the firm of solicitor's contracted for the BT DSL service then the hub will most probably have been supplied under BT's Ts&Cs which I suspect carry words to the effect that the hub is and remains the property of BT...

      1. Anonymous Coward
        Anonymous Coward

        Re: I would say this is completely BT's fault...

        apart from it's a business and not a home.

    2. Anonymous Coward
      Anonymous Coward

      "I would say this is completely BT's fault, after all it matters not if the end user is business or consumer, the kit they supplied LIED to the admin about the firewall being on, and it LIED about UPnP being off."

      But the port would have to be opened for the PBX to actually work. The end result would have been exactly the same.

      1. NinjasFTW

        unless they are only using it for outgoing voip calls

        1. Anonymous Coward
          Anonymous Coward

          "unless they are only using it for outgoing voip calls"

          ...and they only want outgoing audio to work...

          1. BristolBachelor Gold badge
            WTF?

            "...and they only want outgoing audio to work..."

            Do what now? If I set a firewall to outgoing connections only, can I make outgoing conenctions? Even though to make a connection the other end has to say "YES" to my connection request?

            Or are you saying that "outgoing conenctions" means that it makes no connections, because it can't hear the other end say "YES"?

            and if outgoing connections only means that it can't recceive anything, how does outgoing audio work, without knowing that the connection has been opened, or without negotiating a codec?

            1. Anonymous Coward
              Anonymous Coward

              "Or are you saying that "outgoing conenctions" means that it makes no connections, because it can't hear the other end say "YES"?"

              Some SIP implementations and some routers can't associate an incoming RTP stream with the SIP device behind NAT if your SIP port isn't open to inbound traffic.

              http://www.voip.com/help/residential/installation/networking/install_portforward.aspx

              Remember we're talking about a budget domestic router which may or may not have SIP ALG.

              1. Anonymous Coward
                Anonymous Coward

                SIP ALG in routers is not recommended, it will generally fuck voip up

  4. Montague Wanktrollop

    Really?

    A firm of solicitors. A home hub. A flat network. An Asterisk pbx (nothing wrong with Asterisk in essence but their IT company is happy for them to use a BT home router as their firewall which makes me think the Asterisk config is also full of holes).

    It should be the IT company being fingered for this but I suspect it's one of the solicitors relatives.

    1. Roland6 Silver badge

      Re: Really?

      Yes, I come across lots of small/micro businesses (1~10 people) that use residential broadband, because it was much cheaper (and simpler to order etc.) than business grade, plus as you note the skills to install it are readily available.

      In some respects the takeover of the O2/BE residential broadband by Sky a few years back was timely, as Sky had no real interest in the business users, these users had to go elsewhere. It enabled me to migrate several on to business broadband services because in addition to the need to move, their dependency on the broadband had significantly increased.

      What I find odd is how many of the providers make very little of their business broadband, failing to understand that at the small end of the market where costs loom large, they need to sell the real benefits of the business broadband package over those of their home packages. Also there seems to have been a fall off of domestic packages that explicitly support home working (ie. packages that give all the domestic stuff, plus explicitly support business usage).

      1. chris 17 Silver badge

        Re: Really?

        just what are the advantages of business broadband access to the internet over domestic access to the internet if you are on a best speed possible tariff?

        1. Terry Barnes

          Re: Really?

          just what are the advantages of business broadband access to the internet over domestic access to the internet if you are on a best speed possible tariff?

          Usually things like a fixed rather than dynamic IP address, more subnets available and faster repair times.

          1. Roland6 Silver badge

            Re: Really?

            The point I was making was that there are advantages - as Terry Barnes indicates, but generally you have to dig to find them because the providers make a poor sales job.

            Recently I switched providers and for many the difference in the headline offering at the same price point was for domestic unlimited data and the price included VAT, whereas the business version was capped and VAT was extra. But then the amount of information given out about business broadband is a wealth of information compared to the differences between business and consumer/personal mobile phone tariffs...

  5. This post has been deleted by its author

    1. Ol' Grumpy

      Sorry but the tone of your post sucks. Not everyone who works with IP PBX's is going to be as clued up as you are on the intricacies of BT Homehub security. Perhaps he was an idiot to assume the checkbox that says "block all external connections" didn't do that - I mean, why would he not question that?

      Also, I'm pretty sure that the BT hub doesn't support configurable VLAN's so he probably had no choice but to install the PBX where he could i.e. in the data network.

      The install to me sounds like the result of an engineer who has turned up to install a PBX and tried to make the best of what he had to work with, unfortunately forgetting to delete an account in the process.

      I've certainly been in this position before when I've had a shouty client who expected me to just make it work despite advice at time that this wasn't the best solution given what they had already installed and wouldn't spend any more money.

      1. Anonymous Coward
        Anonymous Coward

        @Ol Grumpy

        "Sorry but the tone of your post sucks. Not everyone who works with IP PBX's is going to be as clued up as you are on the intricacies of BT Homehub security. Perhaps he was an idiot to assume the checkbox that says "block all external connections" didn't do that - I mean, why would he not question that?"

        Even if it did block the port, he'd have had to open it to get the PBX to work - with the same end result. The PBX should have been secured.

        1. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            Re: @Ol Grumpy

            Indeed - but that's exactly the kind of functionality you don't get with ISP supplied home routers. If this router did actually block the port, opening it would have opened it to everyone.

      2. This post has been deleted by its author

        1. Jim 59

          "What you mean is that "the truth hurts"."

          No. He means the tone of the post sucks. And he is right. Huge tonal suckage.

        2. MonkeyCee

          Blame the client

          If you read between the lines the network monkey did what the client asked, and if they had two brain cells to rub together they would have gotten what they did, and any "shortcuts" signed off on.

          At least this is what I do whenever I'm pushed to do something that is not best practise. Or just fucking stupid. So that when somehting cocks up later, and people start screaming, I can point out the issue was identified, and the correction ruled to expensive. Usually someone wants it to work rather than work securely, and explaining it like you've installed a new front door, but locking it is so much hassle, we;ll just let everyone in, because only the right people will come here, yeah?

          Also had clients that won't allow (for whatever reason) you to use a box built as a firewall, it _must_ be Cisco or the ISPs kit. They'd rather have a default corporate product than anything that looks "unprofessional" in the rack.

          If I'm being paid to set your network up as specced, I will. Even if it's a stupid insecure setup, I'll tell you so, but still get it up and running. If you're paying me to secure your network, then I'll secure it, even if it inconveniences people who are using it. I charge different rates because in the first case I am not responsible for stolen data, the second I am. You don't get a free upgrade.

    2. chris 17 Silver badge

      3. It quickly emerged that the IP PBX had been set up on the same subnet as the computer network

      FAIL - not only from a security perspective, but stupid from a networking perspective too. Again, if you want to do a botch-up job like this, you'd better know the implications of it.

      even if they where on different subnets they would need some security (ACL or firewall) between the subnets to make any difference. just having multiple subnets is not enough, Also having the PBX on a different subnet to everything else may not have made any difference here.

      1. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    SBC?

    Was there no Session Border Controller deployed?

    I've not dealt with any deployments on a scale this small before, but in the larger setups I've worked on an SBC is pretty much mandatory - because without one you run into all kinds of firewall problems. Set the rules to protect your network and SIP/RTP won't work properly, set the rules to allow SIP and RTP to work and your firewall is no longer secure.

    What am I missing in this story? If you run an IP-PBX on the same network as your LAN and Internet access, you have to use an SBC.

    1. Steve Davies 3 Silver badge

      Re: SBC?

      How many El Reg readers have even heard of SBC before this article popped up on their screens?

      I certainly haven't but there again, I have never worked in this area of tech.

      As has been said already, using home kit for a business just sounds like a bunch of shyster lawyers wanting to do the job on the cheap. I wish we knew the name of the company then we could avoid using them in the future.

      1. Peter2 Silver badge

        Re: SBC?

        The fact that article indicated that they were running on a telephone system called FreePBX isin't a giveaway that they wanted to do the job on the cheap? I'd never even heard of it, and I would wager that it was not installed by a professional.

        That said, I do work for a law firm and rarely get a week without somebody trying to sell me a brand new IPPBX. I am assured by roughly eight of ten sales people that I have contact with (usually via email as our reception intercepts and discards most sales calls for me) that I can run an IP PBX on my internal network and on my existing internet connection without needing to worry about security, QOS or having sufficant bandwidth. This usually comes with a quoted price tag of approximately 6x the price of the equipment and installation I have from a company I know is competent.

        1. Jamie Jones Silver badge
          Devil

          Re: SBC?

          "The fact that article indicated that they were running on a telephone system called FreePBX isin't a giveaway that they wanted to do the job on the cheap?"

          Those who have ever used FreeBSD would strongly disagree.

  7. Frank Bitterlich
    FAIL

    Blame Game

    I wonder why so much focus is put on the part that the router was meant for home use and not SMB. Would that have made a difference if it were a home network (not a few people use Asterisk PBX at home too) ? Yes, one difference: The SIP passwords would more likely have been "123456" instead of 256 bit.

    Also, there are more than enough valid reasons to use SIP on the same subnet. One of them being that you might want to use software-based SIP clients.

    To me, the router is broken. A firewall is not a firewall if it doesn't obey its configuration. And enabling UPnP funtionality when UPnP is off (if it is true that the router actively searched for a SIP device, then it's probably not really UPnP, but even more troubling), in my eyes, is "broken" too.

    "Sure, Sir, that belt you just bought doesn't work, but it's you own fault that you didn't wear suspenders too."

    1. Roland6 Silver badge

      Re: Blame Game

      >I wonder why so much focus is put on the part that the router was meant for home use and not SMB.

      Yes, particularly given BT supplies the Hub 5 as standard on its business broadband...

      EE similarly will supply the same hardware (BrightBox2) to residential and business customers.

      From what I've been able to ascertain the boxes run identical firmware... differences arising from the preconfigured login details being used to offer a different line QoS and routing of traffic out of the exchange.

  8. Malcolm 2

    HH3

    I am perhaps showing my ignorance / naivety here, but when I signed up for BT Infinity on my business account, the only choice I got from BT was a Home Hub 3. Is there a business alternative? The HH3 is fairly c..p, but I have yet to find a good replacement. Suggestions welcome.

    1. Montague Wanktrollop

      Re: HH3

      If you're an SME I'd recommend a Draytek Vigor connected to your HH3 via an Ethernet cable. There's plenty of help on this setup on t'interweb.

    2. Irongut Silver badge

      Re: HH3

      ANY router would be a good replacement for a home hub.

      Draytek and Edimax make good models for SOHO users.

      1. Anonymous Coward
        Anonymous Coward

        Re: HH3

        Interesting that El Reg allow suggestions about alternate hardware to be made, but reject a post I made on a useful port scanning tool that allow you to check your Home Hub's open ports from the Internet.....

    3. jason 7

      Re: HH3

      Yeah I haven't seen any business that's signed up with BT getting one of the old classic BT business routers (which were actually not bad).

      All I've seen issued to business is the old HomeHub3 which also commits the crime of not having any external wi-fi antenna mounts.

      Apparently one business customer was told by a BT engineer they were under strict orders to only issue older HH3's to business folks.

      I guess the HH3 was all the Indian support folks could handle over the phone via a script.

      1. Vince

        Re: HH3

        I see HH3 devices all the time given to BT business customers, I assumed this was the expected behaviour and by all accounts it is...

    4. Roland6 Silver badge

      Re: HH3

      Warning!

      If you've connected your HH3 directly into BT's wall socket, you will need to ensure whatever router you pick to replace it is certified to also operate in the same manner, many don't. If however your HH3 connects via an ethernet cable to a modem which in turn connects to the wall socket, you have much more choice.

  9. Voland's right hand Silver badge

    They are _NOT_ selling the access

    I have been hit by this scam when migrating firewalls a couple of years back. I had a 5060 redirect opened by mistake for 48h and paid for it. Thankfully I had rate limits on my outgoing calls so the attacker DOS-ed himself by trying to call too many times simultaneously so it costed me only ~ 20-30£ instead of 2000+. Prior to that, a colleague of mine was hit for $500 or thereabouts.

    1. The access is _NOT_ resold. This part register got WRONG. They can see the numbers - they all go to the same country and some number block, if not same number.

    2. The access is used by a bulk dialer to dial premium rate numbers in sub-Saharan Africa, Maldives and a few other destinations. The destination shares the revenue from the premium call with the caller. This _IS_ how this scam works.

    3. After being hit, I set up a honeypot and this is what I got from the logs.

    3.1. The attackers are nearly allways located on networks belonging to Palestinian Authority terrirories and more recently (and to a lesser extent) neighbouring regions - Libia, Egypt, Syria, Lebanon. Using a compromised system elsewhere for the dialer portion of the attack (as in this case) is an exemption, not the rule.

    This can be proven by giving the original dialer some trouble. Throw some errors, call rate limiting, etc. If you do that, you will see the original IP disengage and a new IP (probably human controlled from console) engage from a Middle East network. There will also be repeated scans after that for usual security through obscurity suspects like port 15060, etc for months. Most of these also come from "manual" attack and from Middle east, so I would suggest setting a honeypot there and then.

    The money from the scam is specifically used to finance err ... (well, make your guess based on location of the scammer). So the solicitor firm involved in this case can solicit their group of choice in that region to put a special thanks on the next missile flying across the border for sponsoring it. And no, I am not joking.

    3.2. Based on the locations involved, the there is reasonable grounds to believe that part of the criminal code applicable here is not fraud, computer misuse, etc. It is sponsoring terrorism. Considering that we have solicitors involved I think it will be a good idea to pool for some popcorn to watch the show.

    4. FreePBX as an Asterisk derivative has ACLs on extensions. You _MUST_ configure those to your private LAN even if you never intend to open external access. This is especially important if you use old phones like early Cisco 7960 with pre-version 8.0 OS which do not accept complex passwords. For everything else AutomatedPasswordGenerator (apg), SIP-TLS (if supported) and sRTP (if supported) are the real answer. In addition to that, prohibiting any outgoing calls to zones outside 1 and 3 in the dialplan is a good idea too. 1 needs to be doubl-checked as well to ensure that it is not one of the outlying islands which will allow the attacker to set-up a sink for the scam. For more info: http://countrycode.org/

  10. Anonymous Coward
    Anonymous Coward

    Whats the point of home SIP anyway?

    If you already have a BT landline installed just use a POTS phone. The voice quality is better, its a LOT more reliable and to "hack" it you'd need physical access to the box or exchange.

    Sorry, I just don't get the point of using SIP at home other than its something for geeks to brag about to other geeks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Whats the point of home SIP anyway?

      "Sorry, I just don't get the point of using SIP at home other than its something for geeks to brag about to other geeks."

      I know some non-tech people who use DECT sets like the Siemens Gigaset. It use the phone line plus a couple of SIP lines to give the household multiple phone lines. I think it uses the SIP connection for international calls and the landline for domestic ones, or is configurable so you can choose.

      People rent SIP connections from Skype to these phones as well and they ring differently when the call's from Skype, so you can use one set of phones for domestic use and running a business form home or taking work calls or what have you.

      They need 5060 open to work though - as would the PBX in this case.

    2. Steven Davison

      Re: Whats the point of home SIP anyway?

      @ Boltar,

      I can think of a few:-

      1 ) Learning - how to install, setup, secure a SIP system

      2 ) Call Handling - you can drop calls you don't want automatically, and redirect other calls elsewhere (like known friends to mobile etc)

      3 ) Cheaper Call Rates - if you call internationally, it may be cheaper to use a sip service than a POTS.

      4 ) voicemail - answer machine with more options than your average BT phone. (Voicemail to email etc)

      5) multiple lines, single line rental - multiple DDI's for different things (personal & business etc)

      I'm sure there are more reasons, too!

      1. Bronek Kozicki

        Re: Whats the point of home SIP anyway?

        I have home SIP, the reason is that I gave up BT phone line after I got fed up with daily cold calls from various scammers (insurance etc.). After the experience I decided that I need not a one number, but a whole range of numbers, of which one number will go to close friends and family and others to various other places. After the move I quite liked the experience and also, for many international calls I make (both Europe and US) the call quality turned out to be much better than BT, and also significantly cheaper - an order of magnitude or so.

        At this moment, to me the question is not "why would home user want SIP" - it is "why not want it", with one possible answer "lack of skills and motivation to learn". Which is pretty lame on ElReg, I think you will agree.

        1. Anonymous Coward
          Anonymous Coward

          Re: Whats the point of home SIP anyway?

          "At this moment, to me the question is not "why would home user want SIP" - it is "why not want it", with one possible answer "lack of skills and motivation to learn".

          This might come as a shock to you - but some things in life really should just be plug and play. A phone is one of them. I might be a techy but I don't find phone systems the slightest bit interesting and I have ZERO interest in faffing about configuring a device that should Just Work.

          "Which is pretty lame on ElReg, I think you will agree.""

          No, I wouldn't actually. Do you buy a car from a garage or build one from a kit each time you get one? Right. Same thing. Different people have different interests. Deal.

          1. Anonymous Coward
            Anonymous Coward

            Re: Whats the point of home SIP anyway?

            "This might come as a shock to you - but some things in life really should just be plug and play. A phone is one of them. I might be a techy but I don't find phone systems the slightest bit interesting and I have ZERO interest in faffing about configuring a device that should Just Work."

            Isn't that how we've arrived here though? People wanting to plug SIP devices into their network and have them 'just work' needs your ISP router to have settings enabled that someone could exploit? Especially if you plug a PBX into it instead of a cordless phone.

          2. Jamie Jones Silver badge

            Re: Whats the point of home SIP anyway?

            "

            "Which is pretty lame on ElReg, I think you will agree.""

            No, I wouldn't actually. Do you buy a car from a garage or build one from a kit each time you get one? Right. Same thing. Different people have different interests. Deal."

            His point was that ElReg is a techie site. The analogy regarding a car would apply if the comment was written on a kit-car enthusiasts website, thus showing it's actually not as stupid as you make out.

            1. Anonymous Coward
              Anonymous Coward

              Re: Whats the point of home SIP anyway?

              "His point was that ElReg is a techie site."

              His point was that unless you're interested in absolutely everything technical no matter what then you have no business on this site. A stupid and naive point of view.

        2. David Nash

          Re: Whats the point of home SIP anyway?

          "At this moment, to me the question is not "why would home user want SIP" - it is "why not want it", with one possible answer "lack of skills and motivation to learn". Which is pretty lame on ElReg, I think you will agree."

          Yes, except this article demonstrates how fraught with potential pitfalls this area is. I am pretty technical and looking at my home network setup would scare and confuse any joe user not familiar with it (much like that of many reg readers I guess) but I don't know much about this stuff and on the basis of this story would certainly avoid it unless I'd done a ton of research.

          I too would assume that "block all ports" means just that. The argument that it needs to be opened for the service to work is not a valid one in my view, because in that case the person doing so would at least be aware that they had opened a port, and could consider the implications.

          1. Bronek Kozicki

            Re: Whats the point of home SIP anyway?

            I too would assume that "block all ports" means just that. The argument that it needs to be opened for the service to work is not a valid one in my view, because in that case the person doing so would at least be aware that they had opened a port, and could consider the implications.

            Yes obviously you are right, it is person setting up SIP who would open this port, and only to certain IPs. SIP setup is well documented, I for one used http://wiki.aa.net.uk, because that is also my SIP provider (in addition to being my ISP).

            It is BT fault that there seem to be no way to properly close ports on their modem, and SIP is just a background here really - they seem to have done the same with SNMP , for f*** sake!

    3. Joe Harrison

      Re: Whats the point of home SIP anyway?

      SIP at home works well and the benefits are mainly the cheaper calls. I had the complete Virgin Media package but the monthly bills were horrendous because of the family yakking all day on the expensive VM phone line. After I made a one-off purchase of a Sipura ATA I was massively better off.

      I did consider if the new setup implied any extra security adjustments but soon decided it was not worth much effort as my maximum financial exposure would be the balance of a tenner's credit on my Sipgate account.

    4. Voland's right hand Silver badge

      Re: Whats the point of home SIP anyway?

      1. Voice quality is _NOT_ better. I have had HD voice to international for a decade now. BT does not have HD voice even locally. You get what you pay for - crappy narrowband PCM.

      2. It is _NOT_ more reliable. If you use a proper provider (f.e. sipgate), it is at least as reliable if not more.

      3. It allows you to have an arbitrary number of phones in a house. I have an office number, kids have their numbers, the house has a number of its own, etc.

      4. You can use it as PBX internally and to close relatives. Grandma has not paid for a penny to pester the offspring for nearly 10 years now. Neither have we returning the calls. With wideband voice for most of the duration.

      5. It is significantly cheaper. If I have to I can just dial into a US conference bridge and pay nothing. Even if it is toll, I still pay ~ 1p a minute. Try that with BT. No, calling cards do not count because the call quality is crap.

      6. I do not have my phone sold to every single Harry and Sally from a double glazing or ambulance chasing company despite being ex-directory and in the phone preferences list.

      7. Each of our mobiles is an extension and I can still get my calls abroad at no cost courtesy of SIP/TLS and sRTP (subject to working wifi).

      And so on. I have had SIP (with a non-UK provider) since may 2004 and full house VOIP since 2005. I killed the landline partially in 2007 and fully ~2010. I have never looked back. Copper phone? Better? You gotta be kidding or you really have no clue what you are talking about.

      1. Anonymous Coward
        Anonymous Coward

        Re: Whats the point of home SIP anyway?

        "2. It is _NOT_ more reliable. If you use a proper provider (f.e. sipgate), it is at least as reliable if not more."

        Hahahahahahahahahahaaaa . Aaaah , I needed a good laugh this afternoon. Yeah, UK broadband is soooo reliable. Never just goes down for 24 hours for no apparent reason does it. Never slows to a crawl in the evenings - or all day if you're rural if you even can get it. Never mysteriously filters your connections.

        I've had both BT Broadband and Virgin and I would never trust a 24/7 connection to either of them.

        Oh yes, FAR more reliable than POTS. But only on your planet presumably.

        1. Bronek Kozicki

          Re: Whats the point of home SIP anyway?

          @AC I suggest you change your ISP. Seriously, you obviously never had a good one.

          1. Anonymous Coward
            Anonymous Coward

            Re: Whats the point of home SIP anyway?

            "@AC I suggest you change your ISP. Seriously, you obviously never had a good one."

            Suggest a good UK home ISP then. One that can guarantee 24/7 uptime for emergency calls. I'm waiting...

            1. Bronek Kozicki

              Re: Whats the point of home SIP anyway?

              "guarantee 24/7 uptime for emergency" none will guarantee that. Your old POTS line also does not come with a guarantee either (even though most people assume that it does). That's what you want multiple phone connections for (mobiles do count). However I can recommend a good ISP for you, see my other posts.

              1. Anonymous Coward
                Anonymous Coward

                Re: Whats the point of home SIP anyway?

                "Your old POTS line also does not come with a guarantee either (even though most people assume that it does)."

                Maybe not. But in the 20 years I've been paying for my own POTS line its gone down once when a truck destroyed the cabinet. ONCE. My cable broadband connection has been down 4 times this year alone. And I don't mean for a few minutes - one instance was for 2 days.

        2. Anonymous Coward
          Anonymous Coward

          Re: Whats the point of home SIP anyway?

          "Oh yes, FAR more reliable than POTS. But only on your planet presumably."

          The UK PSTN has been up - if you count widespread automation as the start date - for 57 years. No downtime. Individual lines and exchanges have failed but the network overall - up and running, 24/7, since 1958.

          That's going to take some beating.

  11. Cuddles

    "it had a weaker password (though I wouldn’t have called it insecure by any means) and the attackers had managed to crack that."

    I'd say the second part rather contradicts the first there. The definition of a secure password is essentially one that will take an infeasibly long time to crack by brute force (as well as not being easily guessed, etc.). Given that scamming phonecalls for a couple of grand is unlikely to be the work of major nation-states throwing supercomputers at the job, I think it's safe to say that said password was, in fact, entirely insecure.

  12. Christopher Lane
    Megaphone

    Mutter all ye want...

    ...but we all know that SME's and micro businesses basically want it all for nothing. Hence the immeasurable amount of software license fraud, wrong kit, bad kit, chewing gum and sticky tape holding the IT infrastructure for businesses in the bracket of "Small firms accounted for 99.3 per cent of all private sector businesses in the UK" (Source:http://www.fsb.org.uk/stats) together.

    Until it's cheaper, easier and "just works" the baddies will always have a field day...but then so will we all be employed fixing it all so there's always a silver lining I suppose...

    1. phil dude
      Thumb Up

      Re: Mutter all ye want...

      So perhaps they should make it all FOSS and then work together to make secure software?

      Let's face it if Pwn2Own can rip holes in browsers, I don't hold out much hope for random software on an embedded system.

      It is time that liability is attached to closed source software AND hardware, to form appropriate limits.

      I suspect this may lead to the creation of a funded "third party" development organisation, something like mozilla but with the DD-wrt type deployment.

      I will put it in crayon for the downvoters:

      FOSS DOES NOT GUARANTEE BUG FREE, BUT IT GIVES A NON-ZERO CHANCE OF FIXING IT.

      For as long as there is not liability for crap software, crap software will be standard.

      P.

      1. Anonymous Coward
        Anonymous Coward

        Re: Mutter all ye want...

        FreePBX is Open Source and is not embedded.

  13. DSmithy

    First of all what idiot uses home equipment in the office?

    Secondly if you want a system to be secure you use an business standard router for the traffic then you put a security device for security reasons.

    The amount of our customers we see using router firewalls and having nothing but issues amazes me

    1. David Nash

      I'm interested to know why it seems to be considered OK for home routers to be insecure.

      A router should be secure, and in that case could be useful for both home and small business.

      If it's insecure it shouldn't be considered for home or business.

      1. Terry Barnes

        Different types of LAN have different things connected to them.

        A home router is insecure in a business environment would probably be a better way to describe it. Business kit - like perhaps a PBX or an FTP server or a payments portal - requires such a level of sophistication in setting up things like firewall rules that someone who doesn't do it for a living can only get it wrong.

        The home kit has a fairly simple set of pre-defined rules set up that will work in most cases for most people, with some minor configuration possible by the user. The business kit is endlessly configurable to meet the needs of the business and services using it.

        I might use a £10 padlock to secure the little shed in my garden with a few tools in it. I wouldn't use the same lock to secure my business premises. Equally my business premise security wouldn't be affordable at home. Products are secure or not depending on the context in which they're used.

  14. rob_leady
    FAIL

    I wonder what other ports are open on the Home Hub ?

    In the past I've noted that the firewall on my PC which is sat behind a Home Hub 5, has blocked incoming connections, even though the HH is set to block everything and there's no NAT configured.

    Must remember to check what ports were being let through when I get home tonight...

    1. Bronek Kozicki

      Re: I wonder what other ports are open on the Home Hub ?

      Please to let us know if 161 is open on yours, too

  15. Neil Brown

    FreePBX

    I'm happily using FreePBX at home — as a lawyer, it started as a way for me to learn more about VoIP and over the top communications services to be able to give better advice, and ended up being useful enough that I keep it going.

    - My understanding is that 5060 need not be open, if the PBX registers outbound with the SIP trunk — the FreePBX GUI makes this very easy, if the trunk provider supports it

    - If 5060 does have to be open, could it not be limited to certain IP ranges of the trunk providers?

    - If it has to be open fully (e.g. to permit incoming SIP URI calls from any originator), FreePBX comes with fail2ban pre-installed, and there is an "intrusion detection" function in the GUI: configuring it to read from the security log and to ban an IP after [x] failed password attempts was not trivial (for me), but I did get it to work

    (I wanted incoming SIP URI calls "because I can" rather than for anything else, and it generates a lot of spam (spit?) which needs to be handled — separate to password attacks — but, so far, that has seemed manageable.)

  16. Alex Brett

    This is almost certainly someone's attempt to workaround some of the NAT issues you can experience with SIP - I suspect they've set it up so that when an outbound SIP connection is made outbound, *all* connections to port 5060 are NAT'd back to the host that made the connection so if a reply comes from a different address (which is allowed in the SIP standard) it still gets through, probably combined with an ALG that is translating internal IPs in the SIP message into the external one. Normally you'd expect your NAT device to just accept packets from IPs you'd connected out to (the service provider in this case).

    If it's a phone connecting out that's not a big problem, as most phones these days can be (and should be) configured to ignore traffic that's not from the configured server / proxy, and even in the worst case all that happens is they ring - they're not going to end up placing an outbound call.

    I can understand smaller installers not thinking to put brute force protection on a PBX that they are not intending to expose to the internet - unless you've seen issues like this and had to deal with the crazyness of ALGs etc you wouldn't expect it.

    Frustratingly all these sorts of things (ALGs in particular) actually normally make VoIP less likely to work - any competent ITSP will have a Session Border Controller (SBC), or something carrying out the same functions, at their end, which will just handle the NAT issues (i.e. all signalling will come back from the same IP and where necessary they will proxy the audio etc). However, with an ALG, 9 times out of 10 (at least in my experience) it has 'modified' the SIP messages in such a crazy way that the SBC can't work out what to do, and so you get one way audio or calls cutting off after a short time etc...

    1. Anonymous Coward
      Anonymous Coward

      Yes - I agree. It sounds like the router is set up to allow SIP DECT handsets like the Gigaset ones to work without needing any router config by the user. There'd be no security issue because those phones use TLS - so the worst you'd get is a denial of service attack. Having the router look for a device is understandable, because why would you connect it if you didn't want to use it?

      If you put a PBX behind the same connection though and don't protect it with an SBC and lock down the PBX, bad things will happen - assuming it even works at all. I've never worked on installations this small, but one of the smaller Ingate Siparator models is probably appropriate - it does need the customer to want to spend money though.

      You can't safely run SIP traffic through a firewall only solution, in my experience.

  17. Dave Harvey

    This was all known about over 2 years ago

    See: http://communig8.com/articles/67-technical/143-hh3-security-exposure

  18. asdf

    #1 home router rule (for IT people anyway)

    Never ever run stock firmware except long enough to flash decent firmware on home network gear. Almost all of it by the all major companies is complete shit. Always makes sure network gear is supported by open source firmware or don't buy it. You simply can't trust the support of the manufacturer for closed source stuff for low end network gear. For DSL routers put them in transparent bridging mode and have a decent router behind handle the big boy stuff. Sadly a router is not like a toaster and is not safe to treat as a black box. You don't do banking through your toaster.

  19. NeilPost

    Disingenuous Kick a Telco story

    Rather a convoluted and disingenuous story, miles away from the headline.

    - Solicitor Business uses domestic Hub in a business

    - Business also uses a VOIP soft PBX

    - Convoluted flaw exposes issue

    A very poor story, even the Daily Mail would be ashamed off.

  20. T I M B O

    Typical BT if you ask me. They never do anything wrong, everything they do is perfect. If the default settings are secure then why have the option to make it insecure without pointing out a warning. I personally would never use BT, they are RUBBISH!!!!!!

  21. All names Taken
    Joke

    Tee hee?

    "... starting to run SIP, so could explode as a source of toll fraud"

    Of course BT is not going to change anything.

    It has made an extra £90 and hopes this figure will increase over the years to come.

    I mean, why else put a backdoor in like that?

  22. Anonymous Coward
    Anonymous Coward

    sometimes, the real world sucks.

    Sometimes, your customer have inbound numbering from a variety of providers, who may not necessarily be responsible for the outbound trunk....this could be handled by a few providers as a failover. And they give you a name to connect to, not an ip, as their equipment changes too.

    I'm saying...blocking 5060 and allowing only certain ip's creates a problem. Your inbound numbering provider may have agreements with other providers to take over the inbound role when they have maintenance schedules, so you cant be 100% sure WHERE your inbound number is going to call from (ip address).

    So in some situations, you do just need 5060 open. Because the boss also compains like hell that his iphone uses a lot of battery when he needs the vpn on fulltime (*groans*). And wehn he goes to Spain for holiday, he needs his phone to work there.

    Anyway, so 5060 open to all and sundry is sometimes a configuration you are forced to work with.

    A few glaring stupid problem with ths law firms config for sure, and they got what they deserved, damn cheapskates now trying to pass the blame.

    Anyway, assuming 5060 needs to be open to all and sundry, you will see your logs flooding with sip attemps.

    There's two things you can do and should do, and as they had freepbx I;m not crying any tears for them.

    a) the default context should route nowhere, and have no access to anything.

    b) as mentioned above, fail2ban for the password guessers.

    The "toll fraud" is about buying a premium number with kickback, then finding other people's pabx to dial your number. You cant really keep on top of this using outbound dialling rules, as globally, new number ranges are created all the time, and they will always find a number you think is locost but is actually £5/minute etc. And then the boss complains he cant dial his friend in Australia.

    Its a bit like driving in the real world....lots of things you shouldnt do, but end up doing "because xyz".

    Fail2ban

    read up about it. Use it.

  23. Anonymous Coward
    Anonymous Coward

    so many dummys in here

    This is hilarious, most of you are talking bollocks.

    The security testers seem to be useless..

    Some of you that work in big businesses, presume you need all the expensive shit your suppliers have sold you (SBC's funny as f**k!, firewall and voip switch combined, salesman saw you coming!!), Work on IP stacks then you might understand why!.

    I don't like BT, but in this case they do have a point.

    Any of you thought about the packet type, voip is done over UDP.

    The common way to get through NAT is to punch a hole out which sets up a return path, due to the way UDP is done in firewalls, it does not matter where the packets are sourced from on the incoming side.

    Even if the PBX was only using voip for out going calls, not incoming, the moment it sent a sip request over UDP to the voip provider a hole was punched in the reverse direction.

    Once you go out with UDP, a hole is left open, that is what let them in.

    (It used to be skypes secret sauce).

  24. Adam JC

    Whilst I do genuinely feel for the engineer and BT are mainly to blame; this is EXACTLY why I double up my firewall configuration not just on the router, but on the PBX itself using IPTABLES just in case someone else turns up and decides to swap out the router and/or mess with the firewall configuration.

  25. Anonymous Coward
    Anonymous Coward

    My research on this..

    Initially I called bullsh*t on this.. but it seems the flaw is real.. here is my test setup, screenshots and research:

    https://thecomputerperson.wordpress.com/2015/04/03/bt-home-hub-5b-5-b-and-the-sip-flaw/

  26. Anonymous Coward
    Anonymous Coward

    Did BT Admit Liability?

    I can see that they issued a public statement about not admitting liability, but did any of the companies affected get their charges removed. I have been hit with this bug and they are refusing to refund.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like