Phantom or Ghost Calls

Phone keeps ringing and am unable to answer

Phantom or Ghost calls are a common occurrence that many phone users have experienced, typically when IP Phones were self or manually provisioned, rather then linked to a configuration server provided by the service provider, like TELAIR. The calls can occur at anytime, but mostly happen in the middle of the night. The source of the call is usually unknown without additional network tools, and are the result of port scanning that is conducted by automated device discovery software, or maliciously by bad actors.

Devices provided or provisioned by TELAIR are all linked to our secure configuration servers which include specialized firmware and settings to block these events from occurring on phones connected to our network. If you device is experiencing phantom calls, please contact support to ensure your device is properly synced with our network.

What are Ghost Calls?

Ghost calls, also known as phantom calls, result when the calling entity does not leave a message or answer when the receiving party picks up the phone. Answering a ghost call results only in dead silence on the calling end. These calls can happen frequently and are often annoying and time-consuming.

Examination of the caller ID log often reveals an unusual pattern of incoming numbers that include area codes or prefixes such as 100, 1000, 1001. Because such numbers do not exist in reality, their presence in a call log is almost always an indication that the call originated from a phantom source.

Network configuration

While most modern routers / firewalls will properly mask external ports that traverse the internet, there are still many devices that do not provide these functionality. When a SIP port is exposed over the internet, port scanners specifically tuned to these ports will find, and continue to perform other activities which could result in additional phantom calls.

Ensuring your network and firewall is properly configured is essential!

Potential threats

Exposed SIP ports are an invitation to bad actors or hackers who are looking to access your service to make and receive calls for the purpose of calling long distance (at your expense), or to perform other activities with your phone identity. If you are receiving phantom calls, please contact support immediately to ensure phones are properly synced with our configuration servers.

Any IP Phone sold, rented or otherwise provided by TELAIR comes synchronized and protected. TELAIR provides Polycom Series IP Phones only, but supports a wide range of SIP devices from other manufactures. In some cases prior to December 31, 2019, at customers request, TELAIR would provide manual registration links for devices. Any device activated after January 1, 2020 all must be provisioned through TELAIR's network.

Additional user settings to manually prevent phantom calls

Port scans are usually automated and tend to be repetitive. Consumers can gain an advantage by using the router settings page to configure firewalls to block port scans. Some higher end routers, such as those that are used in business settings, support SIP traffic blocking. Although home routers may not have this capability, implementing this solution would allow the home user to white-list all IP addresses and ports that belong to their phone provider while disallowing communication from all other sources.

SIP traffic is used to make VoIP calls and port 5060 is the most commonly-used port for such calls. Changing the SIP port on a phone or phone adapter to something other than 5060 may be a solution but end users should always verify that the chosen port is one that their service provider can support for SIP messaging. A scanner will eventually be able to find the new port, which makes this solution viable as a temporary method pending implementation of a more robust long-term plan.

Users can also modify settings on their phone or ATA device to eliminate some of the vulnerabilities that may result in successful port scans. The type of customization required by this solution will likely vary for each manufacturer and model number but the following summary may clarify best practices pertaining to call configuration options.

There are four major settings that should be configured to prevent ghost calls, including SIP messages, SIP proxy, direct SIP calls and SIP trust server. Each of these settings will now be addressed in turn.

Settings for Incoming SIP Messages

  • Enable validation of all incoming SIP messages.
  • Enable checking of User ID for incoming invite. When this setting is enabled, direct IP calling will be disabled.

Settings for SIP Proxy

  • Incoming SIP Messages should be allowed only for the SIP Proxy.
  • The SIP contact register should be configured to use LAN (local area) instead of WAN (wide area) addresses.
  • Use of privacy header and P-Preferred-Identity header should be kept at the default setting.

Settings for Direct SIP Calls

All direct IP calls should be blocked. 

Settings for SIP Trust Server

Configure the phone to accept SIP traffic only from a trusted server.