The FBI is advising users of the open source VoIP package Asterisk to upgrade to the latest version, but has so far provided very little evidence on what vulnerability it has detected.

The FBI's warning as published at the Internet Crime Complaint Center (IC3) is vague at best. The warning states: "The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBX systems with Voice over Internet Protocol (VoIP), digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability."

These so-called "vishing" attacks are phishing attacks turned vocal. Normally, a visher sends out a wave of phishing e-mail with a telephone number enclosed. Those who call are greeted by workers in a "legitimate" call center and are prodded to give out private information. Hackers can supposedly use this new vulnerability to take over Asterisk systems and use them to call victims directly.

The vagueness of the FBI's warning undermines most of the good it might do; the government recommends updating to the latest version of Asterisk, but there are two versions currently offered for download: 1.6.03-rc1 (beta) and 1.4.22. Without more information on which "early" version of the program the FBI is referring to, it's impossible for users of a not-quite-new-but-recent version of the software to know whether they're in the clear.

As of December 6, the FBI had not yet contacted Asterisk's developers or anyone at Digium. According to Asterisk's blog, "[Neither] Digium nor anyone else involved with OSS Asterisk to my knowledge has been contacted by the FBI or the IC3 (a division of the FBI) on this topic, so much of what we know is speculation at this point. Digium believes at this point that this warning was as a result of security issues that probably have nothing to do with Asterisk in specific, but are more general, such as some sites using poor password choices on VoIP accounts. It is possible that this is a re-hash of an earlier security issue that was resolved in March, or perhaps of a totally separate set of security issues which are unknown to us."

Digium is a bit peeved that the FBI would issue such a warning without even attempting to consult the company in any way; as of this writing, all of Digium's attempts to reach the FBI have gone unanswered. The warning may reference a specific bug (AST-2008-03), but that issue was repaired last March.

We'll update on the situation once it's clear if there's actually a problem and what versions of Asterisk are (and aren't) affected.