VoIP Tech Chat publishes articles, news, and opinions about VoIP, Asterisk, SIP, Telephony, and other Tech subjects.

FBI Security Warnings and VoIP

Posted: December 8th, 2008 | Author: Fred | Filed under: VoIP, tech
Our hero Benjamin Franklin

Recently, the FBI issued a security warning against Asterisk stating that an Asterisk vulnerability can be exploited for vishing purposes. And that’s pretty much the entirety of the security warning. Noticeably lacking from this warning are any details regarding methods, software version, or prevention. The warning does mention that Asterisk users should upgrade to the latest version of the software and that the vulnerability allows cyber criminals to use an Asterisk system with an autodialer to make thousands of vishing phone calls within an hour.

We work with Asterisk, and can tell you that Digium (the makers of Asterisk) always recommends that you upgrade software to the latest version. Also, it seems that the FBI did not notify Digium of this flaw and provided them the same cryptic public release. John Todd (of Digium) has stated he believes the vulnerability mentioned by the FBI deals with a bug previously fixed by Digium in March of 2008. Unlike the FBI, Digium was not cryptic with their information and publicly detailed the bug and its fix.

Which brings us to this week’s edition of “We’re here from the government and we’re here to help.”

Don’t get us wrong, we believe the government should help its citizens and provide warnings about security issues. But when these warnings are made, they should be clear, detailed, and professionally handled. At minimum, the FBI should have documented the alert to Digium, so that Digium could provide a complete and authoritative response. If the FBI had uncovered a method so that a Ford could be unlocked remotely (and it was an issue with the design of the vehicle), we’d expect the FBI to pick up the phone and go “Hey Ford, lookie at what we done did.” Ford would then issue a recall, and problem solved. In any case, the manufacturer (or developer) can certainly (if nothing else) verify the veracity of the claim and immediately implement a fix.

But then again, the FBI and technology don’t exactly have a great track record, do they? In 2000, the FBI attempted to upgrade the computer system at a cost of $380 million. By 2004, the upgrade had not been completed and had already cost more than $600 million. And to top it off, CBS News advised their new system would be useless in fighting terrorism.

Also in 2004, the FBI briefed Director Robert Mueller about a notorious evil millionaire (Don Emilio Fulci) who had formed a terrorist group to plan chemical attacks against London and Washington, DC. It took a White House staffer to notify the FBI that Don Emilio Fulci was a fictional character from the video game Headhunter.

Remember the Madrid bombings? A week earlier, the Spanish authorities contacted the FBI for assistance with detecting a fingerprint. The FBI arrested an Oregon lawyer based on a digital match and was so certain of its findings that it never requested the original fingerprint. Spanish investigators continued their investigation and matched the fingerprint to the correct individual. The FBI stated it followed industry guidelines, but also dismissed requests from Spain to double check the findings.

The government of the United States maintains an incredible array of power. And the FBI, as the enforcement arm of the United States, should act in a manner that not only provides confidence, but also serves as a role model to others. After all, even Spider-Man knows that with Great Power comes Great Responsibility.

So, bottom line… update your Asterisk version (if you haven’t already). And for the current time, we’re going to rate Digium higher than the FBI when heading security tech concerns.


4 Comments on “FBI Security Warnings and VoIP”

  1. FBI and Asterisk Security? Relax, Breathe, and Read - Team Forrest said at 3:03 pm on December 8th, 2008:

    [...] VoIP Tech Chat discusses the Recent FBI Warning [...]

  2. It’s Monday. Ummm. Monday. | Fred Posner dot com said at 3:25 pm on December 8th, 2008:

    [...] Blogged about an idiotic FBI Warning [...]

  3. John Todd said at 6:01 pm on December 8th, 2008:

    As we kind of figured, the update today is that the IC3/FBI warning was actually a re-hash of an older Asterisk issue which has been patched for some time. They’ve issued a revised press release which is more specific, and I commented on it as well on the Digium blog.

    http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
    http://www.ic3.gov/media/2008/081205-2.aspx

  4. pbxware said at 2:10 am on December 21st, 2008:

    The FBI casts a shadow on Asterisk; explanations are published at http://asteriskpbx.ru/blog/fbi-fake-advisory

