Toll fraud

(Alex Palenschat) #1

We recently decided to work with Sangoma Connect so that our employees could access the PBX on their smartphones.
Everything was fine and I had worked with this document in order to try to make it secure, but a couple of days ago someone was able to start making a bunch of toll calls from one of our extensions and it triggered the fraud alert at our SIP trunk provider. Luckily we had disabled International calling and the monetary damage was negligible.

I’m not sure where to begin trying to figure this out. I checked the secret on the extension and it was generated by the system and fairly long. All of the other details in that document are in place other than white-listing my clients as I don’t have a way to do that.

Where else should I look? What logs to read in order to figure out where the hackers came from or got in? We’re running the latest distro and it’s entirely patched up.

For now we’re running with toll calling disabled at the vendor.


The asterisk log should show the IP address used by the given extension so you can determine where they came from.
(Though I don’t use Sangoma Connect, so don’t know if all remote phones using it show up with the actual device IP in the SIP registration on the PBX itself). You can check this by checking the IP info shown in asterisk for a cell phone using Sangoma Connect. i.e. pjsip show endpoint XXXX

(Alex Palenschat) #3

Ok, I can see in the asterisk “full” log the contact being added. But there isn’t anything else in there that looks different than any of my sangoma connect users, other than a few failures on a different extension from the same ip before it was successful.

But I’m not sure where that leads me. Does that mean that the hacker supplied the correct secret? If so, can I not use the auto-generated secrets?

(Itzik) #4

Can you post a call trace via pastebin from a fraudulent call?


The most common cause of this problem is insecure provisioning data e.g. if the attacker guesses the MAC address of the phone, he can pull the config (including secret), usually by TFTP or HTTP.

However, it’s also possible that you have a misconfiguration allowing him to make calls without knowing a secret, or he somehow gained access to the admin GUI or UCP.

(Alex Palenschat) #6

Here is the call trace:

I think I have it configured correctly in order to require authentication, just following the aforementioned document from the wiki. I don’t know how else to check that configuration.

I’m pretty sure that SIP is the only protocol allowed on the firewall from the internet (well, Letsencrypt put a rule in there I guess) and it is set up with responsive firewall.

(Lorne Gaetz) #7

Call trace alone is not useful. All you can see is that 3208 dialed outbound, not what IP was used to register. You need to look in the full log(s) to find successful registrations and what IPs they come from.

(Itzik) #8

Usually, when a call is answered, you can see the IP addresses where RTP is negotiated with. It does not seem like this call was answered, or OP removed that portion.

(Alex Palenschat) #9

I was able to find the IP address and I copied all references to it here:

But what configurations would allow a user to connect to an extension without the secret? Where do I start looking? I would assume the default is to require a password.


Use sngrep it will reduce your hundreds of lines of log to a three line synopsis, ultimately the hangup cause was 127 “Unspecified” so the call didn’t complete and there was no actual fraud just annoyance.

As ever just don’t use UDP/5060 and you won’t see that sh1t anymore

(David55) #11

Only if you specify one at the server end, and not always then.

Generally phones will not challenge for authentication when they are the server and won’t volunteer it when they are the client. If configured for use with a phone, Asterisk will challenge, but only if it is acting as server. This means that, if you configure a password on the phone, but not in Asterisk, nothing will fail.

(For a typical ITSP trunk, the ITSP will challenge, when acting as server, but Asterisk won’t challenge when it is the server (incoming call), because most ITSPs won’t know what to do if challenged.)


Unless you go off the reservation, every SIP transaction will be initially be sent a 401 and be required to retry with an 'Authorization " header that is accepted, that second REGISTER would need to include the username, secret hash, realm etc. to be accepted. Only then would the session be able to progress

(David55) #13

That’s not true on ITSP trunks (insecure=invite on chan_sip, and only outbound authentication on chan_pjsip).

It is also not true if there is no secret. Pending logs, I’m suggesting that the secret may have been overlooked in defining the extension to FreePBX.

(Alex Palenschat) #14

I looked at the http provisioning section of the firewall. It had Local and “Other” selected. Is that “Other” zone the issue perhaps? I’m not sure what it means in this context.

Also, if I change the udp port will that affect my sangoma connect clients?

(Alex Palenschat) #15

Sorry, didn’t see your post until I hit reply to dicko. What logs are pending?

Thanks for all the response btw.

(David55) #16

Given you have changed the port number, I’d want to check the full log output with “pjsip set logger on” during a call attempt from the legitimate extension, to make sure it gets challenged for authentication.


Although this is technically correct, very rarely is the problem that a providers is trying to make illicit outbound calls through an established ‘trunk’ everyone else SHOULD be getting the good old 401 first.

(Alex Palenschat) #18

I have not changed the port number, just considering it.

I did what you said and can see that the extension is getting a 401 not authorized but the call goes through.

[2021-07-13 11:25:10] VERBOSE[32053] res_pjsip_logger.c: <— Transmitting SIP response (589 bytes) to —>
SIP/2.0 401 Unauthorized

There is a ton of information in the log and I don’t know how to grep into pastebin what you want to see. The “supplying good information” only covers getting the call-id out.

A little out of my element, sorry.

(David55) #19

If the call gets 401, then goes through on the retry, the attacker has your password.

The call attempt has ended when 401 is sent, so it can’t go through without a retry.

(Alex Palenschat) #20

So I guess back to figuring out how they got the secret. As far as I know I am not exposing http provisioning to the internet. When I looked at that service on the firewall it had “local” and “other” selected. What does the “other” button represent? Is that possibly where I had a hole?

The only other rule that was for port 80 was the responsive firewall letsencrypt rule which I believe only opens the port when a certificate update is due to happen. Or is it always leaving the port open and I need to switch my http provisioning to a different port?