Hunting for valid extensions - IVR timing bruteforce vector


I’m new to the FreePBX community and just recently configured my own server and in testing IVR behaviors, I noticed something that I couldn’t find an immediate way to address. The issue I’m referring to is in regards to how a robot or human can essentially hunt for valid extensions by performing a timing based bruteforce.

This is how it operates. You have an IVR setup that will prompt a user for a valid extension before forwarding the call to the appropriate party. When the user presses keys that are not associated with a valid extension prefix, they are prompted with an almost instantaneous message, “Invalid entry, please try again.” Now if the caller starts cycling through the numbers, eventually they will hit a number that will introduce a slight 2-3 second pause before reporting back that the entry was invalid. This inherit nature of how the IVR system operates makes it vulnerable to timing analysis. This probing provides the attacker the first valid number for the extension and is then repeated for the other subsequent numbers and eventually the attacker will land at a valid extension. I realize that this is likely not new news to anyone but wanted to reach out to the community to determine whether or not there was a way to mitigate this. I’m also aware that eventually, trying all of the available numbers, (4) digits in my case will eventually lead to a valid extension that rings but using this method above will allow anyone the ability to discover valid extensions much faster than a traditional bruteforce.

Has anyone else come across this and if so, what have you done to mitigate this?

Thank you.

either send the invalid destination to hang up or go to voice mail immediately or give them 1 retry before hanging up or going to voicemail. they can of course keep calling back but if they do, add them to the black list

The extension numbers on a system are generally not considered private, many admins set up a directory that actually tells callers what the local extension numbers are. So I ask, what does a hacker gain by going through this exercise?

@lgaetz, I’m using the PBX for personal, non-business related use and since one of the extensions rings my personal cell phone, I didn’t want to outwardly publish the directory to anyone dialing into the system. The thought is that with it’s current configuration, it would thwart potential telemarketing calls or other nuisances. I realize that this use case is likely non traditional in respects to how the FreePBX system is generally used. To answer your question, the attacker would gain the ability to annoy anyone behind the system. Surely you could block any offending callers and create filtering rules to block any toll free, anonymous and restricted numbers but this doesn’t solve the aforementioned.

I was just curious if anyone else was using the PBX in a similar fashion and had any interesting ways of addressing this. I had thought of creating dummy extensions from 1XXX - 9XXX so that they all behave the same way but felt that was a little inefficient.

@bksales, thanks for the suggestions, that does seem like a quick and effective way of addressing this.

On my home system, I have fax detection enabled for inbound calls, which injects 4 seconds of ringing after answering but before the call goes to a ring group. This step filters out about 90% of non-robot spam calls. If a spammer can’t be bothered to wait 4 seconds for a human to answer, they won’t spend any effort trying to guess IVR destinations. From my experience, I would say your concern is more theoretical than realistic.

In addition to ringing (re @lgaetz), I add a “voice mail style” greeting to every call. Between the FAX detection and immediate drop to something that sounds like voicemail, I’ve cut my SPAM calls down to 1 in 100.

@lgaetz, I appreciate your feedback in this matter and will use the collective feedback to navigate around this.

@cynjut, thank you for the suggestion.