Sandro Gauci, Enable Security

AstriCon roundup and vendors adding security features

Published on Oct 29, 2010

So I’ve finally been to AstriCon, and I noticed a greatly increased interest among the attendees in security, fraud and “hacking”. The slides for my presentation titled “Just how vulnerable is your phone system” can be downloaded from this location.

So what are the changes and additions from the software developer’s side?

  1. Asterisk 1.8 has been released touting TLS support for SIP and SRTP support too, plus a framework to make auditing easier
  2. 3CX have released a major security update with features that make it easier to set proper passwords
  3. I just received an email from Brekeke highlighting their security page on their wiki, which was originally published on March 11, 2009

What accounts for these changes? From talking with the people at AstriCon I started to understand the reason for the increased interest in security: organizations are really getting hurt by call fraud, and this seems to be on the increase.

Plus, the advice I heard again and again from developers of FreePBX-based systems was:
“Do not make your FreePBX / configuration available on the Internet, it is not designed for that!”

But if you do a simple scan for Asterisk boxes (using svmap.py, for example), you’ll notice many systems out there that do not heed this advice. Apart from that, as Blake Cornell showed in his presentation, there are many attacks on FreePBX-based systems that can be carried out without direct access to the HTTP configuration interface.


Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.

He offers public office hours and is reachable here.