Over the weekend and continuing through today, Monday, August 3rd, a handful of customers have notified us of calls to individual Polycom phones on their network originating from Extension 1101. These calls are being placed by phantom dialers on the Internet. They are sending out INVITE packets to IP addresses, hoping to find an exposed PBX or phone they can exploit. This is known as Spam over Internet Telephony (SPIT).
These calls do not go through the OnSIP network. They originate on the Internet and connect to your phones directly. As a result, unfortunately, we have no way to completely stop these calls with our service. They must be stopped by the phones themselves, and we are currently working on a solution. In this blog post, we want to shed some light on the situation and share information on how to ensure your VoIP security, which is of the utmost importance.
Why Polycom Phones, And How Can We Stop It?
By factory default, Polycom phones will accept any SIP call and present that call to the user (i.e. the phone rings). Ideally, the phone would respond only to SIP INVITE requests made to the specific SIP addresses for which the phone is registered. We are currently testing Polycom configurations in an attempt to block calls made to a phone via its IP address. We will keep affected customers in the loop while we work on this.
We've taken some steps to prevent SPIT calls to Polycom phones to the best of our ability via our service. About a year ago, we changed the external port the phones use by default in an attempt to limit these types of calls. This seems to have slowed down the attacks, but not stopped them. Most importantly, we are concerned with preventing security breaches to your phones.
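The check described above (ring only for INVITEs whose Request-URI is an address the phone registered) can be sketched as follows. This is an added example, not OnSIP's or Polycom's code; the registered addresses, IP addresses and sample messages are constructed, and the function names are hypothetical.

```python
import re

# Constructed values: the addresses this phone registered (assumed for the example).
REGISTERED = {"sip:alice@example.onsip.com", "sip:alice_x7f3@192.0.2.10:5060"}

REQUEST_LINE = re.compile(r"^INVITE\s+(\S+)\s+SIP/2\.0\s*$")

def normalize(uri):
    """Canonical scheme:user@host:port, or None if the URI has no user part.
    Handles hostnames and IPv4 literals only (no bracketed IPv6)."""
    uri = uri.split(";", 1)[0].split("?", 1)[0]  # drop URI parameters and headers
    scheme, _, rest = uri.partition(":")
    user, at, hostport = rest.rpartition("@")
    scheme = scheme.lower()
    if not at or not user or scheme not in ("sip", "sips"):
        return None
    host, _, port = hostport.partition(":")
    port = port or ("5061" if scheme == "sips" else "5060")
    return f"{scheme}:{user}@{host.lower()}:{port}"

def screen_invite(raw, registered=REGISTERED):
    """Return (accept, reason) for one raw SIP request."""
    match = REQUEST_LINE.match(raw.split("\r\n", 1)[0])
    if not match:
        return (False, "not an INVITE request")
    target = normalize(match.group(1))
    if target is None:
        return (False, "Request-URI has no user part (sent to the bare IP)")
    if target not in {normalize(u) for u in registered}:
        return (False, f"{target} is not a registered address")
    return (True, "Request-URI matches a registered address")

# Constructed sample messages (headers trimmed to what the check reads).
SCAN = ("INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
        "From: \"1101\" <sip:1101@198.51.100.7>;tag=a1\r\n\r\n")
BARE_IP = "INVITE sip:192.0.2.10 SIP/2.0\r\n\r\n"
LEGIT = ("INVITE sip:alice_x7f3@192.0.2.10:5060;transport=udp SIP/2.0\r\n"
         "From: <sip:bob@example.onsip.com>;tag=b2\r\n\r\n")

if __name__ == "__main__":
    for name, msg in (("scan", SCAN), ("bare ip", BARE_IP), ("legit", LEGIT)):
        print(name, screen_invite(msg))
```

A Request-URI match does not authenticate the sender, so this check filters blind scanning and is not a substitute for keeping the phone behind a NAT.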
Ensuring Your VoIP Security
It's important to know that annoying you with endless phone calls is not the callers' ultimate goal. Their goal is to identify phones exposed to the Internet and then attack those phones to discover their SIP credentials (username and password). They would then use your credentials to make phone calls on your dime. That, we can prevent together. Here are the two measures:
Around a year ago, we disabled the web interface for phones using our boot server. While we do give you the ability to re-enable the web interface for the phones, we strongly recommend that you keep the phone's web interface disabled.
As always, we recommend that all OnSIP phones are on the OnSIP boot server and all phones are behind a NAT. To review the current registrations, click on a user's name in the Admin Portal; then click 'show details' next to the registration that shows in green in the lower left corner. If the phones are properly protected behind a NAT, it is much harder for fraudsters to reach the phone with these exploratory packets.
If you have any additional questions, please feel free to contact us.