Digium Defends Asterisk Against Fed Warning: "Tempest in a Teapot"
December 09, 2008
TMC group publisher and editor-in-chief Rich Tehrani has a recent entry about the Feds "Raining on Digium's Parade" by issuing a statement that Asterisk-based systems may be more susceptible to certain VoIP attacks, such as vishing and spoofing.
The FBI issued the warning through the Internet Crime Complaint Center (IC3).
According to its Web site, the Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).
IC3's mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities to suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, local and international level, IC3 provides a central referral mechanism for complaints involving Internet-related crimes.
According to John Todd, Digium's Asterisk Community director, the warning was issued before anybody checked with Digium, the creators of Asterisk.
Furthermore, the warning referred to a bug (AST-2008-03) that was discovered back in March of this year.
As Todd writes in a blog entry titled SIP Security and Asterisk:
That bug allowed in some cases unauthorized callers to make calls through an unprotected “context” in Asterisk. Due to the nature of the bug there was fairly limited exposure - it would have required a fairly unusual set of configurations to permit fraud, and there was both a simple config file change that would provide protection, as well as an actual patch to the code which we have every reason to believe has been widely implemented by the very proactive Open-Source community using Asterisk in production environments. The bug didn’t allow arbitrary setting of caller ID, and would only work in a limited set of circumstances that personally I think would be unusual, though possible.
Early on, Todd had a sense that this might just be a misunderstanding:
Sorry for the fuss, and I suspect this is just a tempest in a teapot. Use good passwords, keep your packet filters up, and I’ll update things here as we hear more.
Of course, the original posting of the warning on a Friday afternoon, with no attempt to contact Digium, understandably ruffled some feathers. And the folks at Digium are right to be miffed that no one so much as picked up a phone. Still, they seem to be taking things in stride.
We understand that the intent of the original posting was in good faith, but apparently some details got lost on the way, which made this into a press-worthy incident when it was merely a reiteration of a known issue. We're hoping that this type of problem isn't repeated in the future, and we look forward to working more closely with any agency that has Asterisk-related questions or security concerns.
Greg Galitzine is editorial director for TMC's IP Communications suite of products, including TMCnet.com. To read more of Greg's articles, please visit his columnist page. He also blogs for TMCnet.
Edited by Greg Galitzine