VoIP Security Advisory

As a result of a recent increase in attempted network attacks and fraudulent activity, 2talk recommends customers conduct a thorough review and update of their security policies. Best practices are:

1. Keep your PBX or device behind a firewall or a router doing NAT, and do not port-forward to the PBX or place it in a DMZ where it is exposed to the whole Internet and open to attack. The vast majority of customers are fine: their devices sit behind a router and rely on NAT to get packets in and out of their network to 2talk. A few still insist on putting the PBX in a DMZ or adding port-forwarding rules. Neither is needed for SIP or IAX2 devices that register to 2talk, because the registration is started from inside your network and that outbound traffic creates the NAT mapping the replies come back through.

2. If you connect to 2talk by 'SIP peering' (so the device is not behind NAT), add a firewall rule so that *only* 2talk's trunk IP addresses (202.180.76.164 for the old platform and 27.111.14.66 for the new 2talk+ platform) can talk to your device. The rest of the Internet then cannot connect to SIP port 5060 and start an attack.

3. Ensure that your phone system or device does not accept 'anonymous' calls from unauthorised clients. PBX software such as Asterisk is often set up to allow anonymous calls through the option allowguest=yes; on an Asterisk based system make sure it is set to allowguest=no in the [general] section of sip.conf (the SIP General settings in a GUI). Other devices have their own ways of controlling anonymous access to the system.

4. All passwords should be *strong* (at least 8 characters, a mix of letters and numbers, and hard to guess) and should be different from the extension number. This applies not just to your 2talk passwords but also to the passwords of every extension that registers to your PBX.

5. If you are selling or discarding computer equipment or VoIP hardware, make sure all sensitive data has been erased, including settings, usernames and passwords.

6. Block outbound dialling from your voicemail system to prevent dial-through fraud (DTF). At a minimum, use strong passwords (PINs) on voicemail boxes.

7. Use exception reporting to identify unusual traffic on your account (2talk live menu option)

8. Limit auto topup amounts on your account (2talk settings screen)

9. Block international calling on your account with a PIN code (2talk settings screen)
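
The firewall allowlist in item 2 and the allowguest and password checks in items 3 and 4, as an added example (this script is not 2talk's or Asterisk's own tooling). It assumes an iptables host, SIP over UDP on port 5060, and a chan_sip-style sip.conf; the trunk addresses are the two quoted above, and the sample sip.conf it audits is constructed for the demo, not a real customer configuration.

```shell
#!/bin/sh
# Added example for this advisory (not 2talk's or Asterisk's own tooling).
# sip_allowlist_rules: iptables rules so only 2talk's trunk IPs reach SIP (item 2).
# audit_sip_conf FILE: checks a chan_sip sip.conf for guest access and weak or
# missing extension secrets (items 3 and 4). Assumes iptables and SIP over UDP.

TRUNK_IPS="202.180.76.164 27.111.14.66"   # trunk addresses from the advisory
SIP_PORT=5060
DRY_RUN=${DRY_RUN:-1}                     # 1 = print iptables commands, 0 = run them

# run CMD...: print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept SIP only from the trunk IPs, inserted at the top of INPUT so a later
# catch-all accept cannot reopen the port, then drop 5060 from everyone else.
# Add matching "-p tcp" rules (and 5061) if you use TCP or TLS transport.
sip_allowlist_rules() {
    for ip in $TRUNK_IPS; do
        run iptables -I INPUT -p udp -s "$ip" --dport "$SIP_PORT" -j ACCEPT
    done
    run iptables -A INPUT -p udp --dport "$SIP_PORT" -j DROP
}

# audit_sip_conf FILE: print one finding per line; return 1 if any were found.
# Comments (';' to end of line) are stripped first.
audit_sip_conf() {
    awk '
    function finding(msg) { print msg; bad++ }
    { sub(/;.*/, "") }                        # strip comments
    /^[ \t]*$/ { next }                       # skip blank lines
    /^[ \t]*\[/ {                             # section header: [name] or [name](!)
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec != "general") seen[sec] = 1
        next
    }
    index($0, "=") == 0 { next }
    {
        key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (sec == "general") {
            if (key == "allowguest")       allowguest = val
            if (key == "alwaysauthreject") authreject = val
        } else if (key == "host" && val == "dynamic") {
            dynamic[sec] = 1                  # registers with a password, so it needs one
        } else if (key == "secret") {
            hassecret[sec] = 1
            if (val == sec)
                finding("WEAK   [" sec "]: secret is the same as the extension")
            else if (length(val) < 8)
                finding("WEAK   [" sec "]: secret is shorter than 8 characters")
            else if (val !~ /[0-9]/ || val !~ /[A-Za-z]/)
                finding("WEAK   [" sec "]: secret needs both letters and digits")
        }
    }
    END {
        # allowguest defaults to yes when absent, so only an explicit no passes
        if (allowguest != "no")
            finding("GUEST  [general]: allowguest=" (allowguest == "" ? "(unset)" : allowguest) ", set allowguest=no")
        if (authreject != "yes")
            finding("ENUM   [general]: set alwaysauthreject=yes so a bad user and a bad password get the same reply")
        for (s in seen) if (dynamic[s] && !hassecret[s])
            finding("NOAUTH [" s "]: host=dynamic with no secret")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample sip.conf (not a real customer config): one acceptable
# trunk entry plus the mistakes the advisory warns about.
write_sample_conf() {
    cat > "$1" <<'EOF'
[general]
allowguest=yes            ; wrong: anonymous INVITEs reach the dialplan
alwaysauthreject=no
[2talk-trunk]
type=peer
host=202.180.76.164
secret=Kx7vQ2pLm9sR4tZ    ; long, letters and digits: passes
[101]
type=friend
host=dynamic
secret=101                ; same as the extension
[102]
type=friend
host=dynamic
secret=1234               ; too short
[103]
type=friend
host=dynamic              ; no secret at all
EOF
}

# Stand-alone demo: show the rules, then audit the sample file.
sip_allowlist_rules
demo_conf=$(mktemp) && write_sample_conf "$demo_conf"
audit_sip_conf "$demo_conf" || echo "audit: fix the findings above before exposing this PBX"
rm -f "$demo_conf"
```

Run it as-is to review the rules and findings, then with DRY_RUN=0 to apply the iptables rules; point audit_sip_conf at your own /etc/asterisk/sip.conf. Two caveats: the allowlist covers signalling only, because media (RTP) may arrive from addresses other than the trunk IP, so confirm 2talk's media addresses before restricting RTP the same way; and the audit is for chan_sip, since pjsip.conf uses a different layout (anonymous calls there are controlled by whether an endpoint named anonymous exists).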


Failing to properly secure your systems or PBX can result in any of the following:

1. Toll fraud - utilising your systems or account details to make calls at your expense.

2. Unauthorised access to your system resources, information and privileges, including listening to your calls and voicemail (through fuzzing, sniffing or brute-force attacks).

3. Denial of service - disabling your voice communication using packet floods.