Former NSA Agent comments on ooma security

Ira Winkler, Former National Security Agency analyst and author of Spies Among Us says:

See, Ooma is actually less secure than a traditional landline. By using Ooma, your call would be going out over the landline of a complete stranger, making it theoretically subject to eavesdropping. I can see those with criminal intent agreeing to be an Ooma subscriber, so they can eavesdrop on calls being routed through their Ooma box. They could listen in on people giving out their personal account information, credit card numbers, and other sensitive details.

He cites a podcast interview from back in July where ooma CEO Andrew Frame proudly states that he thinks his system cannot be broken, and challenges hackers to "Bring it on!" (the quote is about 15 minutes into the the video). Winkler says:

It has been my personal opinion that the only people who promise perfect security are fools or liars. Frame can decide which one he is.

Personally, I don't think anyone cares, other than security geeks. Even if you told people their calls can be recorded, they would probably still use the system to get "free" calls. Another key point is:

If Ooma turns out to be a success, they will definitely attract the attention of the "hackers" that Frame challenges.

Indeed. If TiVo or iPhone never got popular, nobody would have hacked them. Until ooma is widely deployed, there won't be many hacks. But when we find them, you can be sure we will report them here first.

Becoming an altruistic peer

In the last post we present one case of an altruistic individual expanding the ooma P2P model to our friends and neighbors outside the US and anyone with SIP capability.

This post provides instructions for others to continue in those footsteps to also become an altruistic peer.

Refer to this diagram:

This shows the setup for an altruistic peer, enabling access to US PSTN numbers for SIP users, in the manner as here.

Steps:

1. Purchase PhoneGnome box. Use this link to get it for $79.99 with the necessary "PowerSuite" service included free (instead of $124.98 normal price). Or get a used one on Ebay. Or convert an old SPA-3000 free here


2. Connect the LINE port of the PhoneGnome box directly to any phone service you want (i.e. follow the standard setup of the device) and let it complete its one-time self-config to that number/line.


3. Now connect the LINE port of PhoneGnome box to the Phone port of the ooma hub as shown in the above diagram.


4. Sign in to My PhoneGnome and go to Features / MobileGnome / Edit. Under PIN Authentication choose "NOT Required". DO NOT click 'Enabled'. Just click 'Save'.


5. To avoid risk of International calls, click 'Activate' for the Intl Call Blocking feature on the Features page.


6. Set up a SIPbroker account here with sip address mg-number@sip.phonegnome.com where number is the PhoneGnome account phone number from step 2 above (with 1 in front)


7. Setup a SIPBroker alias


8. Publish your SIPbroker alias as a comment to this post or elsewhere so people know how to access it.

People can now call the SIPbroker alias from SIP and they will get a dial tone and can then place a call via the ooma hub to a US number dialing 1-areacode-number. People can also dial one of the SIPbroker PSTN numbers to do the same thing by dialing your alias and then getting a second dial tone and dialing the destination number.

This setup has little cost to the altruistic peer beyond the initial hardware since the ooma service is still available at the ooma scout via the "Instant Second Line" and nor does it add cost to other ooma users or the ooma network since users already pay for unlimited local calling for DT (distributed termination).

Obviously this same thing can also be done using Asterisk with an FXO card or other means. We show a solution using the PhoneGnome device because (1) it requires no special VoIP expertise and (2) it doesn't require the sharing node (altruistic peer) to run and manage a server 24x7. And in general the $80 box is cheaper than a PC plus FXO card anyway.

Hopefully by some of us US users providing free calls to our neighbors outside the US in this way, we will find some people outside the US will reciprocate and make their local phone service available in a similar manner for local calls to countries outside the US (say India for instance). They can do so using PhoneGnome similar to as shown above (since that box works outside the US) or using any means they prefer.

Thanks to reader baloneypony for the diagram and step-by-step instructions.

Easter Egg

From a reader:

sip:*0111195258@sipbroker.com

Should receive dial tone. Dial a US number as 1-areacode-number

Also reachable from outside the US at these numbers where once connected, dial *0111195258 to get second dial tone. Then dial 1-areacode-number

If abused will be taken down.

Perhaps others will follow suit and do something similar in the name of service to our global neighbors.

Ooma pranks, or "how to Punk Ashton Kutcher"

If we assume that ooma's "creative director" eats the company dog food and uses ooma, then a call made by the former TV star may eventually be directed through our ooma hub, as a result of the company's patent-pending "distributed termination." This feature can be exploited by attackers to perform various attacks, including:

• Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing


• Tracking phone calls placed by the user


• Preventing the phone from dialing

Plug the output of the Ooma hub that is supposed to connect to your landline into an ATA registered to your Asterisk server.

Assume that this ATA registers as "oomahub" to your server and inbound calls arrive at the context "ooma-in". In extensions.conf we may find something like this:

[ooma-in]
exten => _XXXXXXX.,1,Goto(ooma-prank,s,1)

[ooma-prank]
exten => s,1,SetVar(X=$[${EPOCH} % 10])
exten => s,2,Goto(ooma-prank,prank-${X},1)

; The call will be directed to prank-0 thru prank-9

; prank 0 - send Ashton to a phone sex line
exten => prank-0,1,Answer
exten => prank-0,2,Dial(SIP/18007232868@tf.voipmich.com)
exten => prank-0,3,Hangup

; prank 1 - play audio clip from Ashton's classic "My Boss's Daughter"
exten => prank-1,1,Answer
exten => prank-1,2,MP3Player(music/MyBossDaughter.mp3)
exten => prank-1,3,Hangup

; ... other pranks here

Of course you know that this information is provided purely for entertainment purposes and nobody should actually do this, right?

However, it does point out some of the risks associated with using ooma's service.

Disconnecting your phone line from the ooma hub

Ooma's promotional material states that White Rabbits and purchasers during the promotional period must have a landline which they allow to be used by Ooma for other subscribers' calls.

However, it is not clear what technically prevents a user from saying that they have a landline but simply disconnecting it. If the Hub contains some sort of mechanism to detect the absence of a landline, it would likely be a simple matter of defeating it. This could be done simply by connecting the depicted circuit across the phone jack on the Hub (thus allowing the subscriber's phone line to directly connected to the phone for their private use). Depending on the setting of the switch, this would appear to the Hub as a phone line which doesn't return dial tone, a line that is always busy, or a disconnected line.

Summary of ooma issues from around the net

Security and privacy:

• Rich Tehrani


• Yusuf Motiwala


• Daily Payload


• Dameon (PhoneBoy)


• Markus Göbel


• Andy Abramson


• Editors note: this list is getting far too long to maintain. Try searching for "ooma concerns" "ooma dangerous" etc.

Billing and Phone Company Hassles:

• Andy Abramson and the ooma EULA


• No Rooma For Ooma - a "white rabbit" yanks the ooma cord


• VoIPPlanet - setting up ooma is as much of a pain as moving


• NewsFactor Network - ooma adds roughly $10 a month to the local phone bill


• BusinessWeek - The ooma Headache "Glad my test drive was free. I wouldn't fork over $399"


• Bruce Fryer - ooma's math doesn't compute


• Cnet - it was a pain to install - our long-distance fees are paid mostly to cell phone companies, so I'm not eager to pay $400 up front to get rid of long land-line distance bills which I don't have

Technical and Sound Quality:

• BusinessWeek - the most annoying part of using ooma is the ooma dialtone, heard by both callers AND call recipients


• atmasphere.net - audible buzzing sound on calls, caller ID doesn't work


• Aswath Rao - technical reasons why ooma won't work

Reviews

The following are some of the web sites commenting on Ooma which appear to be written by people who understand telephony and the issues that Ooma faces. While there are numerous web sites making positive statements about Ooma, they appear to be doing so solely on unfounded expectations and lack of actual information about how Ooma works. The most believable positive things that anyone has said are about how "The hardware is elegant." (I apologize if some of these links no longer work.)

• TMCnet - "Ooma Goes Booma?" July 19
  
• O'Reilly - "Ooma - Huh?" July 19
  
• ValleyWag - "Why Ooma is dooma'd" July 19
  
• Unbound Spiral - "Ooma Will Blow $27 Million" July 19
  
• Saunder's Log - "Ooma? Om my ..." July 19
  
• Zoli's Blog - "I was an Ooma White Rabbit for Ten Minutes" July 19
  
• The PhoneBoy Blog - "Why Ooma is Dangerous" July 19
  
• Broadband Reports - "Ooma Promises 'Free' Voice (Assuming you think $399 + landline is free, and assuming it works" July 19
  
• IP Democracy - "Oh Boy, Just What We Need, Another VoIP Provider" July 19
  
• Aswath Weblog - "Ooma? No Ma" July 19
  
• Realtime Community - "Oompa Loompa Oooma" July 19
  
• Tech Republic - "New VoIP company OOMA offers free calling ... forever?" July 19
  
• Markus Goebel's Tech News - "Why Ooma is a security risk" July 20
  
• TECHdodo - "Ooma does what now?" July 20
  
• ITWire - "Ooma an exercise in futility" July 20
  
• Broadband Reports - "Ooma Idea Not so Original - and four times more expensive than alternative" July 20
  
• VoIP Watch - "The ooma EULA Has Me Very, Very, Very Concerned and You Should Be Too" July 28
  
• Tech Untangled - "Concerns about Ooma" July 22
  
• Heavy Reading - "Ooma Takes Aim with VoIP Device" July 23
  
• Disruptive Telephony - "Ooma, ooma, ooma ... a collection of links about the buzz" July 25
  
• Saunderslog - "Andy says 'no thanks' to Ooma" July 29
  
• VoIP News - "The Mixed Reaction to Ooma's Internet Calling Box" July 31
  
• Yusif Motiwala - "Ooma Concerns - More Insights" August 2
  
• Business Week - "ooma: First Thoughts" August 6
  
• Fierce VoIP - "ooma's no free ride" August 13
  
• Techcraver - "Trying to figure out Ooma" August 14
  
• VoIPPlanet - "Ooma: Oh My!" August 15
  
• Business Week - "The ooma Headache" August 16
  
• VoIPPlanet - "Ooma: My White Rabbit Days" August 24
  

The list of such sites grows every day. I provide the above as a small sample of concerns expressed by people from many walks of life to ensure potential users can make an informed decision before using ooma.

Eavesdropping on ooma calls

When a call is routed through someone's Hub and onto their phone line, it is a rather simple matter for them to eavesdrop on the call. Ooma continually claims that they have "proprietary" technology to detect and/or prevent this, but that appears impossible, since a circuit, such as that shown at right, can easily be constructed which is undetectable.

Ooma claims to have a "proprietary" solution to this problem, but all techncial experts suggest that the most the Hub could do is to detect the drop in voltage across the line if another phone directly connected to the line goes off hook, and then break the connection in the Hub. (This is exactly what an answering machine does, so it is hardly new or "proprietary".)

If one wants to do eavesdropping on the calls going through their own phone line (maybe to make sure that no one is using it for illegal purposes for which the subscriber of the line will be held responsible) all they have to do is connect a simple circuit which presents a high DC-impedance across the line and the Hub can not possibly detect its presence. The circuit is shown, where the values of the capacitors and matching transformer depend on the nature of the input to the amplifier. Use at your own risk.

Or try the inductive tap circuit described at Unterzuber.

A more complicated (but perhaps a lot more interesting) way to capture calls made by the ooma hub on behalf of other omma subscribers would be to connect the ooma hub to an Asterisk box with an FXO/FXS card, or perhaps a Linksys/Sipura 3102 or other ATA with FXO and FXS ports (or a Sipura plus a Trixbox). The Sipura/Asterisk box could pass the call through while recording it - this would be totally transparent to the Ooma box. I will try to provide a full how-to for this in a future post.

As an ooma user, to prevent others eavesdropping on your calls in this manner, prefix all calls made via the ooma network with *82 - this also has the added benefit of presenting Calling Line ID to the callee, so that your friends who screen their calls will answer.

The right way to use Ooma

If, after careful thought about the problems addressed at various sites around the net, you still want to use Ooma service for your long distance service, then I recommend that you do it as follows, which gets around most of the problems:

Be advised: If you connect the Ooma hub to your PSTN (POTS/landline) service, they change your phone service to add Call Forwarding on Busy and remove other features. All good hackers will opt to NOT provide Ooma this information and to NOT connect their landline to the Ooma hub. If Ooma already changed your service, call your phone company and change it back to the way you want it. (You should also tell your phone company not to accept further changes from a third party.)

Suggested hacks:

• Get the version of Ooma service without your landline connected. This option is apparently not available to "white rabbits" so alternatively, disconnect your landline from the Ooma hub.


• Use a separate "ooma Phone" connected to the Ooma hub. Use this phone for domestic long distance calls. Optionally, use a two-line phone to have access to your real PSTN line at the same time.


• Do not use a Scout, but rather connect all "ooma phones" to the Hub. Use these phones to make and receive Ooma calls (via the Internet).


• Whenever placing a call over the Ooma network (using an "ooma phone" above), begin the call with *82 to force the call through a "secure" Ooma Gateway and to include Calling Line ID so that your friends who screen their calls will answer.

This arrangement will give the user the advantage of being able to use Ooma to make long-distance calls, while using their own line for local calls whenever they want.

Dialing *82 for all calls placed over the ooma network also has the side benefit of added security because it prevents your call from being sent via someone else's ooma hub and prohibits any such user from eavesdropping on your calls.

Just a matter of time

It is reported that this box runs linux. Someone is going crack root on it, eventually, particularly among the 1000 or so boxes they have given away free to "white rabbits". It happened with Tivo. It happened with Linksys routers. It happend with iPhone. It will happen with the omma hub if there is enough interest in it.

What might somebody do with this device in terms of hacks? Here are a few ideas:

• A very expensive trixbox


• Run Asterisk on it


• Intercept ooma calls for fun and profit?

I'm sure people will come up with many other ideas. Of course all of this is likely prohibited by the ooma terms of use, but I suspect so is Selling "white rabbit" tokens on Ebay - so when has that ever stopped hackers?