They say the S in IoT stands for security. Let that sink in…
As developers, hackers, makers, or whatever we call ourselves, we need to put ourselves in the shoes of the admin and the end user. Yes, I am lumping admins and end users together. The advancement of FreePBX, Asterisk, FreeSWITCH and other open source technologies has been a double-edged sword. On one hand it has lowered the barrier to entry for many people, and it has given a lot of us job opportunities we would otherwise never have had. On the other hand it has made it very easy for the average IT person to download an ISO and have a fully working PBX in under an hour. That is great, but the people setting up such systems don't always know much about security, and they don't realize that attackers are scanning for exactly this kind of easy system to compromise. We as creators and makers need to think on behalf of the person who does not know much, and educate them. It starts with:
1) admin/admin SHOULD NEVER be the default for a device. Devices should always ship with a password that is unique to each unit. California recently passed a law (SB-327) that requires connected devices to ship with a unique preprogrammed password, or to force the user to set a new one before first access. While I am personally against government telling companies how to operate, in this case I am very much for it. Stop being lazy!
2) Don't allow the user to set simple passwords. If you're building a softswitch or PBX, don't allow username 100 with password 100. At the very least, ship by default with a configuration that rejects insecure passwords (anything short, all digits, equal to the extension number, or on a list of common passwords). The same goes for phones. If a user tries to enter an easy combination, at the very least warn them that it's a bad idea.
3) For IoT devices, disable the web GUI by default. Shout out to Panasonic for shipping their devices this way. Many vulnerabilities are found in management interfaces, and attackers know this. If the GUI is disabled by default, it is one less way for them to get in.
4) DON'T ALLOW PASSWORDS TO BE DOWNLOADED IN PLAIN TEXT! While I was writing this post, a client was compromised. The PBX appliance was shipped with a default username and password. The attacker simply logged in and downloaded all the credentials for the extensions on the system. Passwords should never be served in plain text, even over HTTPS!
5) If you are going to offer provisioning, at the very least force the end devices to use mutual TLS where they support it. If the device supports encrypted configuration files, use that too. My take on security is a whack-a-mole approach: block as much as you can wherever you can, and never rely on any one method.
6) iptables and fail2ban are open source. Ship with them enabled by default. It may be harder for users in the beginning, but they will be thankful overall.
7) Have a bug bounty program. Give people an incentive to report vulnerabilities instead of selling them on the open market. You will retain customers long term; if you don't, they will eventually go elsewhere. The customer who was compromised this morning is planning to replace 15 of his current PBXs because of the issues he has had (even though part of it is an ID10T error).
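For point 5, this is what "force mutual TLS on provisioning" looks like on the server that hands out phone configs. It is an added example written for nginx, not configuration from the original post or from any PBX vendor. It assumes the phones carry factory-installed device certificates chaining to a vendor CA (path assumed), that the certificate subject CN contains the lowercase MAC address, and that configs live in /srv/provisioning as <mac>.cfg; the hostname is constructed.

```nginx
# /etc/nginx/conf.d/provisioning.conf  (added example; assumptions noted inline)

# Pull the MAC out of the phone certificate's subject. Assumes the vendor
# puts the lowercase MAC in the CN (e.g. CN=0004f2aabbcc); adjust the regex
# to the vendor's actual subject format.
map $ssl_client_s_dn $cert_mac {
    default "";
    "~CN=(?<mac>[0-9a-f]{12})" $mac;
}

server {
    listen 443 ssl;
    server_name prov.example.com;                # assumed hostname

    ssl_certificate     /etc/nginx/tls/prov.crt;
    ssl_certificate_key /etc/nginx/tls/prov.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: the phone must present a certificate chaining to the
    # vendor's factory device CA (assumed path). No certificate, no config.
    ssl_client_certificate /etc/nginx/tls/phone-vendor-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Each phone may fetch only its own <mac>.cfg: the MAC in the URL must
    # equal the MAC in the certificate it authenticated with, so one
    # compromised phone cannot pull every other extension's credentials.
    location ~ "^/(?<req_mac>[0-9a-f]{12})\.cfg$" {
        if ($cert_mac = "") { return 403; }
        if ($cert_mac != $req_mac) { return 403; }
        root /srv/provisioning;                  # assumed config directory
        add_header Cache-Control "no-store";
    }

    location / { return 404; }
}
```

Two caveats a practitioner will hit: `ssl_verify_client on` rejects phones that have no device certificate at the TLS handshake, which is the "where they support it" part of point 5, so older models need a separate, more restricted endpoint rather than a weakened global setting; and the MAC-to-certificate match above is what stops an authenticated phone from enumerating other phones' configs, which is the same bulk credential download described in point 4 wearing a different hat.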
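For point 6, the part of a default-on fail2ban setup that actually matters on a PBX is a jail that reads Asterisk's security events. The fragment below is an added example, not configuration from the original post or from any appliance image; it uses the `asterisk` filter that ships with fail2ban, assumes a stock Asterisk log layout, and the management and trunk addresses in `ignoreip` are constructed placeholders.

```ini
# /etc/fail2ban/jail.local  (added example; replace the placeholder addresses)
#
# The stock 'asterisk' filter matches the SecurityEvent lines Asterisk writes
# when the security log level is enabled, so logger.conf needs, under
# [logfiles]:   security => security

[DEFAULT]
bantime   = 1h
findtime  = 10m
maxretry  = 5
# Never lock out the management network or the SIP trunk provider
# (constructed addresses).
ignoreip  = 127.0.0.1/8 10.0.0.0/24 203.0.113.10

[sshd]
enabled = true

[asterisk]
enabled   = true
filter    = asterisk
# SIP registration floods arrive over UDP as well as TCP, so ban the source
# address on every port and protocol rather than a TCP multiport rule.
banaction = iptables-allports
protocol  = all
logpath   = /var/log/asterisk/security
            /var/log/asterisk/messages
maxretry  = 3
bantime   = 24h
```

The `ignoreip` line is the piece people forget: without it, a typo in a trunk's password (or in the admin's own SIP client) bans the one address the PBX cannot afford to lose, which is exactly the "harder for the users in the beginning" cost that point 6 accepts.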
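Points 2 and 4 go together: refuse weak SIP secrets when an extension is created, and then don't keep the secret itself on disk. SIP digest authentication only needs HA1 = MD5(user:realm:secret) on the server side (Asterisk accepts exactly that value as chan_sip `md5secret` or PJSIP `md5_cred`), so an attacker who dumps the account table gets hashes, not the passwords the phones use. The following is an added example, not code from the original post nor from FreePBX or Asterisk; the extension, realm, nonce and blocklist are constructed, and it assumes phones use RFC 2617 digest without the qop extension.

```python
"""Refuse weak SIP secrets and store only HA1 (added example, not PBX code)."""
import hashlib
import hmac
import re
import secrets
import string

# Constructed blocklist; a real deployment loads a large password dictionary.
COMMON_SECRETS = {"password", "123456", "12345678", "asterisk", "admin", "pbx"}

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def is_weak_sip_secret(extension: str, secret: str) -> bool:
    """Return True if the secret must be refused for this extension."""
    s = secret.lower()
    ext = extension.lower()
    if len(secret) < 12:
        return True                      # too short to survive a SIP brute force
    if s in COMMON_SECRETS:
        return True
    if s == ext or s == ext[::-1]:
        return True                      # the classic 100/100 (and 100/001)
    if secret.isdigit():
        return True                      # all-digit secrets are enumerated quickly
    if re.fullmatch(r"(.)\1*", secret):
        return True                      # one repeated character
    classes = sum(bool(re.search(p, secret))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes < 3                   # need three of: lower, upper, digit, symbol


def generate_sip_secret(extension: str, length: int = 20) -> str:
    """Random secret that passes the policy; the loop guards the rare weak draw."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_weak_sip_secret(extension, candidate):
            return candidate


def sip_ha1(username: str, realm: str, secret: str) -> str:
    """HA1 = MD5(user:realm:secret). This is all the server needs to store."""
    return hashlib.md5(f"{username}:{realm}:{secret}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def phone_register(username, realm, secret, method, uri, nonce):
    """What the phone sends: it knows the plaintext secret and derives HA1 itself."""
    return digest_response(sip_ha1(username, realm, secret), method, uri, nonce)


def server_verify(stored_ha1, method, uri, nonce, response):
    """Server side: the stored HA1 alone is enough to check the phone's response."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    ext, realm = "100", "pbx.example.com"      # constructed values
    secret = generate_sip_secret(ext)
    stored = sip_ha1(ext, realm, secret)         # the account table holds this, not secret
    nonce = secrets.token_hex(16)
    uri = f"sip:{realm}"
    resp = phone_register(ext, realm, secret, "REGISTER", uri, nonce)
    print("weak 100/100:", is_weak_sip_secret("100", "100"))
    print("stored HA1:", stored)
    print("auth ok:", server_verify(stored, "REGISTER", uri, nonce, resp))
```

The trade-off to understand: HA1 is bound to the realm, so changing the PBX realm invalidates every stored hash, and HA1 is still a credential (whoever holds it can answer challenges), so the account table still needs protecting; the gain is that the secret typed into the phones is never exposed by a config export.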
That's it for now. As new scenarios come up I will try to add to this list. For now, remember: the S in IoT stands for Security.