The FBI has left users of Asterisk open source IP PBX products guessing whether the version they are using is vulnerable to a mysterious "new technique" that can be exploited by vishers - people who use VoIP to spoof caller ID numbers so victims will believe they are talking to legitimate businesses and give up valuable personal information.
The bureau's Internet Crimes Complaint Center (IC3) has issued a warning that says versions of Asterisk software are vulnerable, but doesn't say which ones. It recommends upgrading to a version with the vulnerability fixed, but doesn't specify the vulnerability and which versions are safe.
The IC3 intelligence note also doesn't say where it got its information about the vulnerability and exploit, and it doesn't describe what is new about the vishing technique it warms against.
An FBI spokesman acknowledged the shortcomings in the warning and said he would find out more.
In response, the director of Asterisk's open source community says that Digium, the business that sells a commercial version and support for Asterisk, is confused by the warning.
The IC3 note "has left us guessing as to what the exact issue is that they reference and how Asterisk is involved", John Todd writes in his blog on the Digium site.
The IC3 warning states that hackers were able to use open source PBX software Asterisk to carry out vishing attacks by exploiting a security vulnerability in Asterisk software. The warning does not specify what vulnerability they are talking about, who exploited the vulnerability, or where the information about the exploit came from.
The IC3 intelligence note states it "has received information concerning a new technique used to conduct vishing attacks" that take advantage of the vulnerability. The warning doesn't describe how the vishing technique works.
The warning doesn't say which versions of Asterisk are free of the vulnerability. In part, the note says, "early versions of the Asterisk software are known to have a vulnerability", without specifying the vulnerability.
"To prevent further loss of consumers' [personally identifiable information] and to reduce the spread of this new technique, it is imperative businesses, using Asterisk, upgrade their software to a version that has had the vulnerability fixed." The warning doesn't say what version that is.