Over the weekend FreePBX and PBXact users were warned of a security breach that spilled SIP credentials, potentially opening the door for fraudsters to make phone calls at the expense of small businesses that rely on the technology.
Sangoma, the Canadian firm behind the tech, warned in an updated customer advisory that around a month ago users of its SIP trunking service, SIPStation, were targeted by a hacker who gained "access to some users' randomly generated SIP credentials". These credentials were reset and reissued as soon as the incident was discovered.
The firm, which has already updated its SIPStation platform and tightened up access restrictions, decided it also needs to notify its FreePBX and PBXact users as a precaution after discovering that a small percentage of its small office telephony users may have been exposed to toll fraud.
About a month ago we had one of our trunking servers attacked, resulting in an illegal hacker getting access to some users' randomly generated SIP credentials. At the time of that incident, we promptly communicated via email to all of our SIPStation customers about the issue, and worked with them to obtain new SIP credentials. Our investigation into that attack resulted in a suite of new improvements to our platform as outlined in our SIPStation wiki, more specifically the section on notifications and access restrictions.
Through our investigation we were able to track where in our infrastructure the hacker obtained access. Although we have found no trace or evidence of them accessing our customer data, we have been notified of 14 systems that have been affected out of thousands of deployed systems. Based on this we have determined that it's theoretically possible that these unlawful hackers could have gained access to some PBX data and left no trace. Given this possibility we are sending this update to our broader group of PBX users beyond just our SIPStation subscribers.
Sangoma uses an unaffected third party to handle customer payments, meaning it can assure customers that their payment details are still safe.
Frederic Dickey, VP of marketing and product management, confirmed that last weekend's breach notice advisory was genuine. "A few clients out of hundreds of thousands, report[ed] to us that their PBX had been hacked, and Sangoma thus decided to be proactive with our customers," he told El Reg.
SIPStation provides North American SMEs and enterprises with a telephony services using a standard internet connection.
Dickey explained the potential impact of the hack against the service: "If a malicious party were to gain access to a customer's SIP credentials, that party could be able to make calls using the customer's account (sometimes referred to as toll fraud). To protect our customers, Sangoma notified our users promptly, worked with them to reset their SIP credentials (rendering any stolen SIP credentials invalid), made further changes to strengthen our security, and even refunded any SIPStation toll charges that occurred at the time (whether due to this incident or not, just to be safe)."
To further strengthen security for its PBX customers, Sangoma will no longer store SSH and Web GUI credentials for PBX systems in its portal. "This was previously available as a result of our customers asking for it, so that Sangoma could offer easier and more expedient responses to your requests for technical support, but the security implication to you is no longer worth the potential risk, in our judgment," Sangoma said in its advisory.