Feds issue confusing warning about Asterisk

The FBI has left users of Asterisk open source IP PBX products guessing whether the version they are using is vulnerable to a mysterious "new technique" that can be exploited by vishers - people who use VoIP to spoof caller ID numbers so victims will believe they are talking to legitimate businesses and give up valuable personal information.

The bureau's Internet Crimes Complaint Center (IC3) has issued a warning that says versions of Asterisk software are vulnerable, but doesn't say which ones. It recommends upgrading to a version with the vulnerability fixed, but doesn't specify the vulnerability and which versions are safe.

The IC3 intelligence note also doesn't say where it got its information about the vulnerability and exploit, and it doesn't describe what is new about the vishing technique it warms against.

An FBI spokesman acknowledged the shortcomings in the warning and said he would find out more.

In response, the director of Asterisk's open source community says that Digium, the business that sells a commercial version and support for Asterisk, is confused by the warning.

The IC3 note "has left us guessing as to what the exact issue is that they reference and how Asterisk is involved", John Todd writes in his blog on the Digium site.

The IC3 warning states that hackers were able to use open source PBX software Asterisk to carry out vishing attacks by exploiting a security vulnerability in Asterisk software. The warning does not specify what vulnerability they are talking about, who exploited the vulnerability, or where the information about the exploit came from.

The IC3 intelligence note states it "has received information concerning a new technique used to conduct vishing attacks" that take advantage of the vulnerability. The warning doesn't describe how the vishing technique works.

The warning doesn't say which versions of Asterisk are free of the vulnerability. In part, the note says, "early versions of the Asterisk software are known to have a vulnerability", without specifying the vulnerability.

"To prevent further loss of consumers' [personally identifiable information] and to reduce the spread of this new technique, it is imperative businesses, using Asterisk, upgrade their software to a version that has had the vulnerability fixed." The warning doesn't say what version that is.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags digiumasteriskfbi

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?