Asterisk: A VoIP Hacker's Best Friend

Possibly the most disturbing news out of the Black Hat security conference last week was how Asterisk, the open source PBX, is being increasingly used by hackers in a wide variety of hard-to-stop VoIP hacks. Everyone, from home users to corporate networks, could become a target. Talks at the show explained just how easily an Asterisk-based PBX can be used to launch attacks, notably "vishing" attacks, in which hackers use VoIP calls instead of phony Web links to steal personal and financial information.

Asterisk has become the hacker's favored tool because it's free, easy to use, and works with cheap, off-the-shelf hardware. Install Asterisk on an inexpensive PC, do a little tweaking, and you've got a full-blown PBX, something that previously would have been extremely expensive and time-consuming to do.

A vishing attack is simple to launch using Asterisk. War-dial using an Asterisk-based PBX, and send a recorded message to thousands of people, telling them their credit card number has been stolen, and that they need to call a phone number to solve the problem.

The number, of course, is the Asterisk-based PBX set up by the hacker. An automated message tells them to enter their credit card number and other personal information, for verification purposes. The PBX records the number and information, and the hacker now has a credit card to use.

Other hacks can be launched from Asterisk as well. There's the "man-in-the-middle" attack, in which a PBX-initiated call lures someone into calling a bank, credit card company, or other financial institution. The PBX answers, and forwards the caller to the real customer service number --- and then listens in and records the entire call. Again, the hacker comes away with personal and financial information he can use.The upshot? Just as you shouldn't trust any unsolicited email, you also shouldn't trust any unsolicited phone calls. Asterisk-based vishing and similar attacks make fraud too easy these days.