"Rogue" 911 Call

Oye… always a fun battle. I got an alert from our provider that an Unregistered 911 call had been placed. Basically saying that a DID which doesn’t have E911 configured had dialed 911. Well and good except 1) no one was there to make the call 2) they charged a $250 fee.

So now I’m trying to dig into how the colorful words this could “happen”.

Basically the extension it was dialed from apparently is an analog phone adapter, which is connected to a pushbutton call box that calls a pre-defined number. It does not dial 9 to get out or any string of characters that would accidentally dial 911.

So how on earth could an extension which doesn’t have an actual phone attached to it, which is a Viking door phone that dials a pre-set number end up calling 911?

I reviewed the camera footage and there’s no activity in the building at any point during this period and it’s night AND we’re all on damn lockdown with the virus.

So now I have to determine how this happened or be charged $250? for a line that isn’t even used for 911.

Locate the 911 call in the Asterisk log and paste the log from one minute before through the end of the call at https://pastebin.freepbx.org and post the link here.

Possibilities include ATA hacked to forward to 911, ATA’s credentials stolen and the call came from outside, or a call transfer or similar vulnerability on an incoming call. Anything in the CDRs shortly before the 911 call?

If the ATA is Cisco/Linksys, the Info page will show last caller and last called numbers, as well as other possibly useful data. On Obihai, the Call History page has many details. Also, look at the ‘user’ config of the ATA for any suspicious forwarding, speed dials, etc. Post make/model of ATA and door phone.

It is a Cisco SPA112.

I’ve attached the call log for that transaction, what’s the best way to filter based on the System ID for that call or date range for what I should export to pastebin?

Assuming that the system was idle at the time of the malicious activity, don’t filter anything. Search the Asterisk log for
[email protected]
and take everything from a minute before through the end of the 911 call, redact as desired and paste.

Also, anything useful in the SPA112 GUI (last called number, forwarding settings, etc.)?

Filtering based on [email protected] only shows

[2020-04-03 21:14:32] VERBOSE[8702][C-00001ce7] pbx.c: Executing [[email protected]:1] Macro(“PJSIP/EXT29-0000121f”, “user-callerid,LIMIT”) in new stack

[2020-04-03 21:14:32] VERBOSE[8702][C-00001ce7] pbx.c: Executing [[email protected]:2] Set(“PJSIP/EXT29-0000121f”, “ROUTEUSER=EXT29”) in new stack

[2020-04-03 21:14:32] VERBOSE[8702][C-00001ce7] pbx.c: Executing [[email protected]:3] Set(“PJSIP/EXT29-0000121f”, “ROUTEUSER=EXT29”) in new stack

[2020-04-03 21:14:32] VERBOSE[8702][C-00001ce7] pbx.c: Executing [[email protected]:4] GotoIf(“PJSIP/EXT29-0000121f”, “1?notblind”) in new stack

[2020-04-03 21:14:32] VERBOSE[8702][C-00001ce7] pbx.c: Executing [[email protected]:7] GotoIf(“PJSIP/EXT29-0000121f”, “1?restrictedroute-c4ca4238a0b923820dcc509a6f75849b,911,2:outbound-allroutes,911,2”) in new stack

I’ve attached the full log, https://pastebin.freepbx.org/view/fefca3bc

Which shows the outbound and then the inbound back in

I have not been able to get to the site yet to look at the actual log on the SPA

Follow up; I got into the admin interface for the SPA however logging is not turned on. I’m assuming that’s the section I’m looking for and there’s not a separate area that keeps a log of whats been dialed?

I went to the IP and logged in as the admin user and went to Administration > Log > Log Viewer and the file was empty. Looking at the Log > Log Module it is set to disable by default

Is there a separate spot I should be looking?

On the Info page, there should be an entry “last called number” or similar. This assumes that no calls have been made through the device since the rogue call (which you can determine from the Asterisk logs).

Also, look at the User page to see if anything looks amiss.

If the device did not make the 911 call, since your log showed no activity immediately prior, it seems that either the SIP credentials for the ATA were compromised (and the SIP port is accessible from an external IP), or the PBX config was somehow hacked (is your admin GUI publicly accessible)?

Can you find out the contents of the 911 call? It may be possible to get law enforcement to help with the issue. Spoofed 911 calls are sometimes used to SWAT the victim; that obviously didn’t happen but the dispatcher may have realized the call was fake. The other common motive is to divert police to various bogus locations, to delay response to a planned crime. In this case, there were likely several spoofed 911 calls other than yours at about the same time.

the 112 doesnt keep a log but can be set up to send to an external syslog server

From looking at the non-sanitized log [2020-04-03 21:15:22] VERBOSE[8931][C-00001ce8] pbx.c: Executing [[email protected]:13] Set(“SIP/PROVIDERIP.31-00000b03”, “THISDIAL=PJSIP/EXT29/sip:[email protected]:5060”) in new stack

It does list the extension SIP IP address as the IP address where the adapter is located. This is the first instance of the IP being listed right is a few seconds after the call is placed. So it would seem to me that it would mean the call “was” initiated from the adapter and not another source?

I was unable to find anywhere in the SPA where it would list the last called number, as Dicko said it doesn’t seem to keep a log by default, you can enable an external one.

This means that a call came in from the provider and your PBX is routing that call to the device registered to Ext 29. Now here is a question, did you actually create a PJSIP extension called EXT29? Seems very odd that you would have EXTXX for extensions on the PBX because it would make it hard for internal extensions to dial them (unless you’re aliasing a crap ton of extensions).

So this call is coming into the PBX from the PSTN, dialing this contact/device and then sending the 911 call out it would seem.

The extension ID is actually a full 10 digit number I just sanitized the log so the ext number which is actually the DID isn’t public.

So even further I’d find it hard to think the credentials were just brute forced as the ext number isn’t just 3 or 4 digits and the password is a secure generated pass.

Is there a way to view then what IP was registered to that extension at the time? Would that just be looking further back in the log (an hour or more) to see the last registration to that extension I guess then? If that one just seems to be the inbound return call.

It doesn’t seem any activity even happened on a call the outbound call was only 30 seconds in length.

OK, so that doesn’t change what is happening. It just means that it’s not a fake or rogue contact for the AOR.

Again, the call is coming in over the trunk and dialing the extension based on what you’ve shown. If the 911 call comes from that extension right after that then it sounds like something if redirecting that call to 911.

So I’m a bit perplexed then at the moment? Am I at a dead end?

Oddly enough we had an earth quake that same night but that was 2 hours before. No power outages or any issues I’m aware of to cause a fluke at the site.

So I’m not sure where to dig into at this point?

The chain of events were outbound call to 911 a minute before or so, then 911 called back in as the call was disconnected after 30 seconds of going outbound

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.