Feds issue confusing warning about Asterisk

The FBI has left users of Asterisk open source IP PBX products guessing whether the version they are using is vulnerable to a mysterious "new technique" that can be exploited by vishers - people who use VoIP to spoof caller ID numbers so victims will believe they are talking to legitimate businesses and give up valuable personal information.

The bureau's Internet Crimes Complaint Center (IC3) has issued a warning that says versions of Asterisk software are vulnerable, but doesn't say which ones. It recommends upgrading to a version with the vulnerability fixed, but doesn't specify the vulnerability and which versions are safe.

The IC3 intelligence note also doesn't say where it got its information about the vulnerability and exploit, and it doesn't describe what is new about the vishing technique it warms against.

An FBI spokesman acknowledged the shortcomings in the warning and said he would find out more.

In response, the director of Asterisk's open source community says that Digium, the business that sells a commercial version and support for Asterisk, is confused by the warning.

The IC3 note "has left us guessing as to what the exact issue is that they reference and how Asterisk is involved", John Todd writes in his blog on the Digium site.

The IC3 warning states that hackers were able to use open source PBX software Asterisk to carry out vishing attacks by exploiting a security vulnerability in Asterisk software. The warning does not specify what vulnerability they are talking about, who exploited the vulnerability, or where the information about the exploit came from.

The IC3 intelligence note states it "has received information concerning a new technique used to conduct vishing attacks" that take advantage of the vulnerability. The warning doesn't describe how the vishing technique works.

The warning doesn't say which versions of Asterisk are free of the vulnerability. In part, the note says, "early versions of the Asterisk software are known to have a vulnerability", without specifying the vulnerability.

"To prevent further loss of consumers' [personally identifiable information] and to reduce the spread of this new technique, it is imperative businesses, using Asterisk, upgrade their software to a version that has had the vulnerability fixed." The warning doesn't say what version that is.

Tags digiumfbiasterisk

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?