After seeing well too many movies about the US and after visiting the US for a few times, many people tend to disrespect the FBI in the USA. While I have much respect for most law enforcement agencies, wherever these are located in the world, I must admit, that the latest warning from the FBI regarding Asterisk borderlines pure hystria and complete misunderstanding of the actual issue.

On Dec 8th, the FBI had issued the following warning:

New Technique Utilizing Private Branch Exchange (PBX) Systems To Conduct Vishing Attacks

The FBI has received information concerning a new technique used to conduct vishingi attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBXii systems with Voice over Internet Protocol (VoIP), digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.

http://www.ic3.gov/media/2008/081205-2.aspx

Now, after a full weekend of frenzy trying to understand the cryptic warning the IC3 had issues, it was gathered that it is referring to an old time bug, related to Asterisk distributions prior to 1.4.18. Being familiar with the particular bug and the exploitation method – I can say this: They surely have no idea what they are talking about!

The exploitation of the bug requires several pre-requirements:

  • A certain IAX2 configuration has to be deployed
  • A certain version of Asterisk must be used
  • A certain form of dialplan has to be existing
  • You Asterisk server needs to be available on the Internet

Now, even when these 4 are met, the exploitation isn’t all that simple and that straight forward. So, in other words, if you are not utilizing any of the above, you can rest assured that your system is fine. In any case, any system is as secured as the dumbest user (in our case developer/sysamdin) who uses it.