VOIPO database exposed millions of call and SMS logs, system data

Updated: The database was used for development purposes but the data on offer to the public was valid.
Written by Charlie Osborne, Contributing Writer

A publicly available database belonging to VOIPO which was not properly secured has exposed everything from call logs to internal system credentials to the public.

This month, Director of Trust & Safety at Cloudflare Justin Paine, who is also the creator of the Rainbow Tabl.es security blog, said that an improperly secured ElasticSearch database belonging to the Californian voice over IP services provider was found via the Shodan search engine, which can be used to find Internet-connected devices and systems online.

It took only a quick investigation to find a vast treasure trove of data. Paine not only uncovered VOIP call logs, but SMS/MMS message records, and plaintext internal system credentials.

In total, 6.7 million documents contained call logs, including partial original numbers, partial destination numbers, timestamps, and call duration details.

The database also contained six million SMS and MMS logs going back to 2015, including both timestamps and the content of messages.

Approximately two million log documents referenced hostnames, plaintext usernames and passwords, and API keys for internal systems. An index file containing this information was exposed since June 2018.

The index also listed conferencing devices used for VOIP sessions, detailing device IP addresses, MAC addresses, timestamps, and useragent values for devices.

Thankfully, the VOIP call data was at least partially scrubbed before being loaded into the database and so using this information for malicious purposes would be difficult. The researcher did not see any two-factor authentication (2FA) values logged with the SMS/MMS data, but it is not outside the realms of possibility for this data to have been leaked.

See also: Police can't force you to unlock your phone by iris, face or finger

"If an attacker had access to this data as part of a targeted attack on an individual or organization they knew to be using this service they would have been able to observe in real time the SMS being sent that contained the 2FA code," Paine said. "Hypothetically this could have then allowed the attacker to bypass 2FA on the user's account."

The exposure of internal information, however, is more serious. This could have resulted in a complete compromise of any system which used the leaked credentials, giving attackers access to sensitive company information.

TechRepublic: Smart building security flaws leave schools, hospitals at risk

The open ElasticSearch database was discovered on 8 January and was reported to the CEO of VOIPO on the same day. The company moved quickly to secure the database and took the system offline within only a few hours.

VOIPO said the server was used for development purposes and had accidentally been left online. However, the company did admit that "valid data" had been contained in the database, although did not specify what data, in particular, was true information gained from production and services.

CNET: FCC's Ajit Pai won't meet Congress about phone-tracking scandal

"I would speculate that the leaked credentials were likely production credentials," the researcher said. "It also appeared that the SMS/MMS and VOIP phone logs appeared likely to be production data."

Update 8.32 GMT: Timothy Dick, CEO, and founder of VOIPO told ZDNet there were "significant inaccuracies" in the research, which was "based on assumptions."

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards