Asterisk Implicated In FBI Security Warning

The FBI’s Internet Crime Complaint Center has issues a warning with respect to the use of Asterisk to create vishing attacks. According to a post at Slashdot someone from PCWorld checked with Digium who was puzzled about the matter. Digium‘s own John Todd responds with a blog post this morning.

The FBI alert is extremely vague, making only a non-specific reference as follows:

The FBI has received information concerning a new technique used to conduct vishingi attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBXii systems with Voice over Internet Protocol (VoIP), digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.

It must be really challenging for the FBI to get their heads around how to deal with something like Asterisk. It’s a telecom & networking toolkit to build whatever you like. It’s a major enabling mechanism for anyone in the telecom space, and for whatever purpose.

Security is one of the next big issues in VoIP. It remains largely unaddressed in the residential / SOHO space. IMHO the question is not if we’ll address it, but more simply when. For those with an interest in the matter may I suggest reading at especially their excellent blog and mailing list. Also, the Bluebox Security Podcast by Dan York and Jonathan Zar.

Update: Here a link to the PCWorld article on the matter.

Update2: Digium’s Bill Miller offers a clarification that Digium was only contacted after the FBI warning was issued and the PC World article was already published.

So it appears that we have before us a classic example of brilliant government in action supported by a comparably skilled press. That Digium was the singular reference source that should have been contacted should have been patently obvious to everyone involved.