Follow ITProPortal:


SIP Trunk Authentication, who needs it?

Firstly, given some basic information about the trunk provider, including the phone numbers on the trunk, any Internet-connected SIP device can place calls through it, because the provider does not authenticate the device placing the call. Those calls are billed to the customer. I verified this by making an international call to my own cell phone.

Secondly, because the trunk provider also fails to authenticate registrations, it is easy for an attacker to register his own PBX as the endpoint for a number; that PBX then receives every call made to the registered phone. I ran my own tests, and was able to dial the North American number and confirm that the call was routed to one of my test systems in London. This is call hijacking made easy!

The most worrying aspect is that, because the problem lies in the configuration of the trunk provider's equipment rather than the customer's, it is very difficult for the end user to detect; at least until the first phone bill arrives.

Sadly, my customer was not alone. Checking a block of 10,000 consecutive phone numbers with the same area code, I was able to find other numbers with similar problems. The trunk provider has been informed of these issues.

The lesson is clear: any SIP trunk user should carefully check the security of their own systems, but should also check that the provider has done its job, in particular that the trunk demands credentials for registrations and for outbound calls rather than accepting them from any address that knows the number.
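One way to make that check for the second failure, as an added example that is not the article's own code or the provider's: the Python below sends a REGISTER carrying no Authorization header, which is exactly what an attacker's PBX would send, and reports whether the trunk challenges it (401 or 407 with a Digest challenge, the correct behaviour) or simply accepts it (200 OK, the hijackable condition). The trunk host, phone number and IP addresses are hypothetical placeholders, and the two sample replies at the bottom are constructed so the classifier can be exercised without touching a real trunk.

```python
# Added example: probe a SIP trunk's handling of an unauthenticated REGISTER.
# Not the article's code. Hosts, numbers and addresses are hypothetical.
import random
import re
import socket
import string


def _token(n=16):
    """Random alphanumeric token for tags, branches and Call-IDs."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))


def build_register(trunk_host, number, local_ip="192.0.2.10", local_port=5060):
    """REGISTER with no Authorization header: what an attacker's PBX would send."""
    return "\r\n".join([
        f"REGISTER sip:{trunk_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{_token(10)};rport",
        "Max-Forwards: 70",
        f"From: <sip:{number}@{trunk_host}>;tag={_token(8)}",
        f"To: <sip:{number}@{trunk_host}>",
        f"Call-ID: {_token()}@{local_ip}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{number}@{local_ip}:{local_port}>",
        "Expires: 60",
        "Content-Length: 0",
    ]) + "\r\n\r\n"


def parse_response(raw):
    """Return (status_code, {lowercased header: value}); (None, {}) if malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    if not m:
        return None, {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def classify_register_response(raw):
    """Classify the trunk's answer to a REGISTER that carried no credentials.

    'challenged': 401/407 with a Digest challenge -> registrations are authenticated.
    'open'      : 200 OK -> binding accepted with no credentials; inbound calls hijackable.
    'rejected'  : 403/404 -> number unknown or refused; says nothing about authentication.
    'other'     : anything else, including a malformed reply.
    """
    code, headers = parse_response(raw)
    if code is None:
        return "other"
    if code in (401, 407):
        challenge = headers.get("www-authenticate", "") + headers.get("proxy-authenticate", "")
        return "challenged" if "digest" in challenge.lower() else "other"
    if code == 200:
        return "open"
    if code in (403, 404):
        return "rejected"
    return "other"


def probe_trunk(trunk_host, number, port=5060, timeout=3.0):
    """Send one unauthenticated REGISTER over UDP and classify the reply (needs network)."""
    request = build_register(trunk_host, number).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (trunk_host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_register_response(data.decode(errors="replace"))


# Constructed sample replies so the classifier can be exercised offline.
SAMPLE_CHALLENGE = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc;rport=5060\r\n"
    'WWW-Authenticate: Digest realm="trunk.example.net", nonce="1a2b3c", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_OPEN = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc;rport=5060\r\n"
    "Contact: <sip:15551230100@192.0.2.10:5060>;expires=60\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("challenged", SAMPLE_CHALLENGE), ("open", SAMPLE_OPEN)):
        print(label, "->", classify_register_response(sample))
```

Two caveats when running probe_trunk against a real trunk. Some providers authenticate by source IP instead of credentials, so run the probe from an address the provider has never been given; a 200 OK from an allow-listed address is expected and proves nothing. And a 'rejected' result only means the number was not recognised, not that registrations are authenticated. The first failure, unauthenticated outbound calls, cannot be probed so cheaply: if the trunk does not challenge an INVITE the call is connected and billed, so test it only with the provider's agreement and against a number you control.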

The alternative is to wait for the phone bill, but you could be in for a nasty surprise: one Australian company recently received a £57,000 bill.



