A wakeup call from the darknet

This morning I woke up at 6 am to the sound of my own music on hold coming through the speaker of my SNOM SIP phone. For some reason it hat called my cellular phone which forwarded the call back to my PSTN number (on which i use the standard Asterisk music on hold). Being still 50% asleep i just hung up and went back to bed.

A few minutes later I heard somebody’s voicemail greeting playing through the speaker of the phone. I got up, hung up and powered up my laptop to take a look at the phone’s logs. While doing so it automagically dialed another number.

Having been introduced to the world of “unwanted automatic call origination”, I was suprised that the phone wasn’t calling premium numbers in the British Indian Ocean Territory. It was calling numbers that where either on my dialed numbers list or on my missed calls list, indicating that the calls were most likely placed through clicking links on the SNOM’s webinterface.

But who would be able to access my phone’s webinterface? It is on the local network of a wifi AP (not even on the actual local network where everything else is). There was no other machine on the wifi and i have a pretty long WPA2 password. Unlike my neighbours I am also not using WPS. And i had set up a username and password for the webinterface.

After my “asleepness level” went down to 25%, I remembered that i had crosscompiled TOR for the phone and had set up a TOR hidden service on the phone (for research purposes). When you access the webinterface through the hidden service then the SNOM’s LCS process (the one handling the phone’s GUI and webinterface) sees this as a connection coming from localhost and does not require authentication (probably because the SNOM’s XML minibrowser is using this to load XML menus from the phone).

But who would know the .onion address of my phone’s hidden service? I guess nobody does. But I suspect that somebody is scanning the .onion address space and is scraping all the content from each service. By following each and every link on my phone’s webinterface the scraper would also trigger the callback links in the missed calls and dialed numbers lists.

So, there must be somebody who is scanning the .onion address space. Unfortunately it’s not possible (at least for me) to find out who this is, as the requests are (of course) coming from the TOR network.

Lesson learned: Do not assume that your TOR hidden service cannot be found.