Mailinglist Archive: opensuse (770 mails)

Re: [opensuse] connecting my telephone to the internet
  • From: Per Jessen <per@xxxxxxxxxxxx>
  • Date: Sat, 25 Aug 2012 16:06:41 +0200
  • Message-id: <k1am5i$nae$1@saturn.local.net>
Carlos E. R. wrote:

On 2012-08-25 09:12, Per Jessen wrote:

Maybe we're mixing things up - I don't quite see the security risk in
receiving a VoIP call from someone@some.where on the internet? The caller
will not be registering on my Asterisk server, it's only an inbound call
that is routed to whoever the caller wants. In my case, my phone on my desk
(a Linksys SPA) is registered with the Asterisk server as extension #123,
and calls to sip://per@xxxxxxxxx are routed to that. That's all.

I don't have field experience with asterisk, only some training.
Reading the documentation I understood it was a risk, but I don't
recall exactly why. In a business you might get a call from a
longtime and good client, dispatch a cargo to be charged 30 days
later, and then learn it was a fired employee or someone from a rival
company, faking the ID on the phone. Yes, it is social engineering,
but trusting the number you see in your terminal is part of the issue.

But that goes for POTS too, it isn't specific to Asterisk or VOIP.

I don't think anyone has ever called me using purely VoIP, but running
an Asterisk server that refuses inbound SIP calls seems like having a
POTS PBX that doesn't accept external calls.

One security risk with Asterisk is perhaps external SIP-clients. We have
a number of people who primarily work from home. They all have
office phones at home, connected to the Asterisk box over VoIP over the
internet.

Two risks -

1) the SIP sign-on (userid+password) is, AFAIK, not encrypted, so it
could be intercepted, giving someone access to use our internal system.
2) brute force attack trying to guess the password. It is easily
countered, but we had a case last year where someone managed to guess a
SIP userid+password. It meant a slightly higher phone-bill that
month :-)


--
Per Jessen, Zürich (24.9°C)
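
An added example, not part of the message above: one way to spot the password-guessing case described in risk 2 is to count failed SIP registrations per source address in the Asterisk log. The log line format (chan_sip NOTICE lines), the threshold and the window are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original message): six failed
# registrations from one source in six seconds, plus one unrelated failure.
SAMPLE_LOG = "\n".join(
    [f"[2012-08-25 03:10:{s:02d}] NOTICE[2210] chan_sip.c: Registration from "
     f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '203.0.113.5' - Wrong password"
     for s, ext in enumerate(["100", "101", "123", "123", "123", "123"])]
    + ["[2012-08-25 09:02:11] NOTICE[2210] chan_sip.c: Registration from "
       "'\"124\" <sip:124@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password"]
)

# Assumed line format; IPv4 sources only, optional ":port" after the address.
FAILED = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'[^']*<sip:(?P<user>[^@>']+)@[^']*' failed for "
    r"'(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - "
)

def find_guessing_sources(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Map each source IP that reached max_failures failed registrations
    inside one sliding window to the sorted userids it tried."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> every userid seen in a failure
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        tried[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(ip)
    return {ip: sorted(tried[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, users in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: repeated failed registrations, userids tried: {users}")
```

A single mistyped password from a home worker stays below the threshold, while a source cycling through userids is reported together with the extensions it probed.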
