[SECURITY] disa CID authentication only sufficient?


Currently I am using the Disa function with CID authentication and numeric passcode:

exten => xxxx/yyyy,1,Answer
exten => xxxx/yyyy,n,Authenticate(zzzz)
exten => xxxx/yyyy,n,DISA(no-password,exten)

with xxxx being the DID number used to call in, yyyy the CID of the number allowed to call in, and zzzz a 4-digit passcode.

I was wondering about removing the numeric passcode for automation purposes so there will only be a one way authentication on the CID.

Can someone elaborate on whether this is a good idea from a security perspective?

From the hacker's point of view you'd have to:

-get my DID number used to call in
-get the CID allowed to make calls
-spoof this number
-start abusing

which sounds pretty hard to me. I also use a prepaid provider without automatic top-ups, so in the case of an attack there would only be $10 of credit lost.

-get my DID number used to call in
Depending on your business, if you sell accounts, this number is for sure easy to get
-get the CID allowed to make calls
Yes, this is the more difficult one
-spoof this number
That's very easy

Hackers, most of the time, send many simultaneous calls to a premium rate number.
If your account has no limit on channels it could be 100 simultaneous calls, and on the last hangup your bill is $1000.
I don't know any carrier using a realtime billing system; the credit is read when the call starts and
the call is cut when the credit/destination cost is over.
If you send 100 simultaneous calls the reference credit is $10 for all of them.

Be sure to allow only one call per account.


This used to be the case but was too easily blocked. What we are now seeing attempted in the real world is more complex attackers and slow leakages of credit, so that they are not picked up by the user or carrier.


This is usually not a pro hacker's way of life, but
here are some tips:
-1 do not allow any call without registration, always log the registration IP, iptables-block all Palestinian IPs, use IP auth when the customer has a fixed IP
-2 set up a script to detect unusual destinations for a customer and send an alert
-3 make a blacklist or do not allow premium rate numbers (I myself have a special context to welcome premium rate test numbers)
-4 limit channels depending on the customer
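As an added illustration of tips 2 to 4 (this is example code, not from the thread or from Asterisk), the script below scans CDR-style records for the three abuse patterns discussed here: calls to premium-rate prefixes, more simultaneous calls per account than the channel limit, and a day's spend above a baseline. The CDR rows, the premium prefix list and the cost column are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample CDRs: (account, destination, start, end, cost in cents).
SAMPLE_CDRS = [
    ("acct1", "0201234567", "2024-01-01 10:00:00", "2024-01-01 10:05:00", 10),
    ("acct1", "0906123456", "2024-01-01 10:01:00", "2024-01-01 10:20:00", 950),
    ("acct2", "0201111111", "2024-01-01 11:00:00", "2024-01-01 11:02:00", 4),
    ("acct2", "0201111112", "2024-01-01 11:01:00", "2024-01-01 11:03:00", 4),
    ("acct2", "0201111113", "2024-01-01 11:01:30", "2024-01-01 11:02:30", 4),
]
# Assumed premium-rate prefix; replace with the carrier's real blacklist.
PREMIUM_PREFIXES = ("090",)


def premium_rate_calls(cdrs):
    """Return (account, destination) for every call to a premium-rate prefix."""
    return [(a, d) for a, d, *_ in cdrs if d.startswith(PREMIUM_PREFIXES)]


def peak_concurrency(cdrs):
    """Peak number of overlapping calls per account (sweep over start/end events)."""
    events = defaultdict(list)
    for acct, _dest, start, end, _cost in cdrs:
        # Ends (0) sort before starts (1) at the same instant, so back-to-back
        # calls are not counted as overlapping.
        events[acct].append((datetime.strptime(end, FMT), 0))
        events[acct].append((datetime.strptime(start, FMT), 1))
    peaks = {}
    for acct, evs in events.items():
        live = peak = 0
        for _when, is_start in sorted(evs):
            live += 1 if is_start else -1
            peak = max(peak, live)
        peaks[acct] = peak
    return peaks


def channel_limit_alerts(cdrs, limit=1):
    """Accounts whose peak concurrency exceeded the allowed channel count."""
    return sorted(a for a, p in peak_concurrency(cdrs).items() if p > limit)


def daily_spend_alerts(cdrs, max_cents_per_day):
    """(account, day) pairs whose total cost exceeds the per-day baseline."""
    spend = defaultdict(int)
    for acct, _dest, start, _end, cost in cdrs:
        spend[(acct, start[:10])] += cost
    return sorted(k for k, v in spend.items() if v > max_cents_per_day)
```

With a real deployment the rows would come from the CDR table and each non-empty result would trigger the alert the tip describes.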

I’m not running any business, this is only for private usage (2 users). Therefore, my DID number should remain private.

The SIP provider I’m using (a Betamax clone) only supports 1 channel per account, so the 100 simultaneous call abuse won’t be possible.

Another security measure I've taken is forwarding to an extension which only allows local numbers using the aforementioned SIP account:

exten => _www[2-9]XXXXXX,1,Dial(SIP/sipprovider/vvvv${EXTEN:1})

Also, I am logging everything to a MySQL database and have set up a script to monitor everything and alert me when unusual behavior is occurring.

Are there any other security issues in my setup I should be aware of?

Also, all of the above could be omitted if I could automate entering a pin after dialing the access number and the destination.
I know this is possible with some apps, but they only seem to run on smartphones whilst the 2 users only have old cellphones.
Or is there some sort of hack to this?

Thanks for your replies, appreciated :smiley:

You mean this tip:
s60tips.com/2007/08/30/using … -pin-code/

I have tested it before with an old Nokia and it works not only on smartphones.
The same tip exists for other brands as well, but with a different code.
For calls from a landline I use an auto dialer with a pre-programmed PIN code.

About Betamax clones: I have tested many that are able to send more than one channel.