We're trying to stop fraudulent VoIP (toll fraud) before it happens.

What is SentryPeer?

SentryPeer is designed to help detect compromised VoIP accounts. The credentials for these accounts could have been gathered from desk phones, softphones, PBXs and WebRTC services, for example. Your system sends us an API call for each phone call (or IP address) you want to check. We then send you back a response with the results of our analysis. You can use this information to block the phone call, or take other action.

How do I use SentryPeer?

Let's say you are running your own VoIP PBX on site, or you're a VoIP service provider. In this context, SentryPeer allows you to query our list of phone numbers (using the RESTful API) as your users try to make outbound calls.

If you get a hit, you'll get a heads-up that a device within your network is potentially trying to call low-cost probe numbers to check that the account can make outside calls. Criminals do this before revealing and calling the expensive numbers they actually want to call, which they usually own. These expensive numbers are often premium rate numbers or international numbers.

The test numbers that we check against have either been:

  1. Numbers collected by SentryPeer nodes you are running yourself
  2. Numbers seen by the SentryPeer nodes we run, depending on your subscription level

We would then notify you or block the call using our various integrations, so you don't rack up expensive calls or suffer something worse.

What scenarios lead to VoIP fraud?

There are many, and new ones are being discovered all the time. Here are some common ones:

  1. Potential voicemail vulnerabilities. This can happen if you allow calling an inbound number (your DID/DDI) to reach your voicemail system, which then prompts for a PIN. The PIN is weak and the voicemail system allows you to press '*' to call back the Caller ID that left a voicemail. The attacker leaves a voicemail, then guesses your PIN and calls that number back. The CLI might be a known number that SentryPeer has seen, which we can send you an alert for.
  2. A device has been hijacked, and/or a softphone or similar is using credentials stolen from the phone's GUI; it is now registered to your system and trying to make calls to a number seen by SentryPeer.
  3. An innocent user is calling a phishing number, a known expensive number or similar that SentryPeer has seen before.
  4. Holes in a VoIP service provider's rate plan, where certain destinations are on old prices, are not priced correctly, or numbers have been re-categorised as premium rate. This happens a lot with mobile numbers.
  5. Misconfigured dialplans.
  6. Exploits in firmware or PBX software.

The data we compare your queries against is gathered from various VoIP (SIP) honeypots that we run, all round the world, unless you are on the Contributor Plan.

Gavin Henry, SentryPeer Founder.

“After 12 years of building and scaling SureVoIP, an award-winning Internet Telephone Service Provider, it was acquired from me in July 2021. I then created SentryPeer in an attempt to address the need of having an early warning system for VoIP fraud. I hope you find it useful and help us tackle this.”


We do our software engineering in the open and love bug reports and feature requests. Feel free to open an issue on any of our repositories.

SentryPeer Project Launched

The idea came about because I wanted to create the smallest possible SIP honeypot that could be run standalone and have its own local database and web APIs. I also wanted it to share that data with other SentryPeer peers.

Beta Released

Written in C and having no low level network stack experience, it took a while. I was very surprised how quickly the first SIP probe came in, which I speak about in many of my talks.

Adopted by many users

Sometimes, well a lot of the time, you have to make things happen yourself. That includes packaging it up, contacting all the different people that you might think would benefit from using it and doing presentations about it to stir up interest.

Launch of SentryPeerHQ

The past year or so from March 2022 was spent maturing SentryPeer and thinking about how to make things easier for users. I decided that the option of a centralised service would help those that didn't want to run things themselves. I also wanted to keep that service free for users that wanted to contribute and consume their own data. Started in November 2022 during my free evenings and weekends, 8 months later, SentryPeerHQ was made public. It's powered by the Phoenix Framework (with LiveView) and Elixir for the best reliability and scalability, and is also open source.

Trusted by many users

We're just getting started, so this section will be expanded over time once we get permission to mention our users.
