Telephony hacking and fraud is once again on the rise. Phone phreaking was common between the 1960s and 1990s; it allowed phreakers to place free calls and access remote dial-in computers, and from there they would add voicemail boxes, snoop on phone lines, enable call forwarding and so on. Phreaking is re-emerging with modern technology (VoIP, SIP, IAX etc.). Just as open web services allow any public internet user to read web pages, unsecured telephony exchanges or PBXs offer open opportunities to telephony hackers.
How Do Hacks Occur?
Recent attacks investigated by our Incident Response Team have revealed two common methodologies:
- Voicemail Dial-Through
- PBX Dial-Through
Voicemail Dial-Through
- An attacker will extract a range of numbers for an organisation through Directory Enquiries or other public records, then war-dial the discovered range looking for Remote Access Dial-In (RAD) or voicemail gateways.
- The attacker will attempt to enumerate extensions or usernames, and at the same time try default or weak passwords against them.
- Any extensions that do not have a default or easily guessable password will usually be subjected to a brute-force attack in an attempt to compromise the account.
- Once an attacker has found one or more valid accounts, they will log into the voicemail system. Any dial-through functionality that is enabled will give the attacker an outside line, i.e. dial tone.
- The attacker is then free to make calls through the PBX, incurring no personal charges, as the corporation's PBX will be picking up the bill.
PBX Dial-Through
- PBXs are essentially computers, and may have external ports for Remote Access Dial-In (RAD) by the corporation's telephony team or by the manufacturer.
- Using the manufacturer's default credentials, or by performing a brute-force attack against the RAD, attackers may gain access to your corporation's PBX.
- With access to the PBX, dial plans can be manipulated, voicemail boxes can be created, call forwarding can be enabled to redirect calls, and ultimately the attacker can place any call they like; once again the corporation will be picking up the bill.
Securing Telephony Systems
There is no guarantee against telephony fraud. However, there are some simple steps that can be taken to reduce the risk:
- All organisations should have a written policy for password management.
- Passwords should be changed on a regular basis, i.e. at least monthly.
- Passwords should be a complex combination: a mix of letters, numbers, capitals and symbols.
- There should be a policy in place to change passwords as staff change roles or leave the company, especially those with access to PBX systems.
- Ensure you have confirmed with your PBX maintainer who is contractually responsible for PBX security and access. If the PBX is accessed via the internet, check that firewalls are up to date.
- The PBX should be set to bar outgoing calls to premium rate international numbers.
- Extensions should be limited to required call types (e.g. does the telephone in the post room need access to mobile phones?).
- Set up CPS call barring (e.g. do you need premium rate international numbers?).
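The barring and class-of-service advice above, together with the point that dial-through fraud shows up as calls billed to the corporation's PBX, can both be exercised with a small policy-and-review script. The following is an added example, not code from the original advisory or from any PBX vendor: it encodes a per-extension class of service (premium rate barred everywhere, the post-room phone limited to internal and local calls, voicemail dial-through given no outside line), then reviews call detail records for calls that the policy should have blocked and for out-of-hours international calls. The number classification is a deliberately simplified UK-style plan (00 international, 09 premium, 07 mobile), the extension classes and the comma-separated CDR format are assumptions, and the sample records are constructed.

```python
"""Outbound call-barring policy and CDR review for a PBX (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Call categories used by the policy.
INTERNAL, LOCAL, MOBILE, INTERNATIONAL, PREMIUM = (
    "internal", "local", "mobile", "international", "premium")


def categorise(dialled: str) -> str:
    """Classify a dialled string under a simplified UK plan (assumption:
    00 = international, 09 = premium rate, 07 = mobile, <=4 digits = internal)."""
    digits = "".join(ch for ch in dialled if ch.isdigit())
    if len(digits) <= 4:
        return INTERNAL
    if digits.startswith("00"):
        return INTERNATIONAL
    if digits.startswith("09"):
        return PREMIUM
    if digits.startswith("07"):
        return MOBILE
    return LOCAL


# Class of service: which call types each group of extensions may place.
# Premium rate appears in no class, so it is barred PBX-wide.
CLASS_OF_SERVICE = {
    "post-room": {INTERNAL, LOCAL},
    "staff": {INTERNAL, LOCAL, MOBILE},
    "sales": {INTERNAL, LOCAL, MOBILE, INTERNATIONAL},
    "voicemail-dial-through": {INTERNAL},  # voicemail never hands out an outside line
}

# Hypothetical extension-to-class mapping for this example.
EXTENSION_CLASS = {"2001": "post-room", "2100": "staff",
                   "2200": "sales", "VM": "voicemail-dial-through"}


def is_permitted(extension: str, dialled: str) -> bool:
    """Unknown extensions fall into the most restrictive class."""
    cos = EXTENSION_CLASS.get(extension, "post-room")
    return categorise(dialled) in CLASS_OF_SERVICE[cos]


@dataclass
class CallRecord:
    when: datetime
    extension: str
    dialled: str
    seconds: int


def parse_cdr(line: str) -> CallRecord:
    """Constructed CDR format: ISO timestamp,extension,dialled number,duration."""
    ts, ext, dialled, secs = line.strip().split(",")
    return CallRecord(datetime.fromisoformat(ts), ext, dialled, int(secs))


def review(lines, business_hours=(8, 18)):
    """Return (extension, dialled, reason) for each record that the barring
    policy should have blocked, or that is an international/premium call
    placed outside business hours (the classic dial-through fraud pattern)."""
    findings = []
    start, end = business_hours
    for line in lines:
        rec = parse_cdr(line)
        cat = categorise(rec.dialled)
        if not is_permitted(rec.extension, rec.dialled):
            findings.append((rec.extension, rec.dialled,
                             f"{cat} call barred for this class of service"))
        elif cat in (INTERNATIONAL, PREMIUM) and not start <= rec.when.hour < end:
            findings.append((rec.extension, rec.dialled, f"out-of-hours {cat} call"))
    return findings


# Constructed sample CDR lines (fictional numbers from reserved drama ranges).
SAMPLE_CDR = [
    "2024-03-01T10:05:00,2200,00331234567890,120",  # sales, international, in hours
    "2024-03-02T02:14:00,2200,00331234567890,900",  # sales, international, 02:14
    "2024-03-01T11:00:00,2001,07700900123,60",      # post room calling a mobile
    "2024-03-01T12:00:00,2100,0909123456,30",       # staff calling premium rate
    "2024-03-01T13:00:00,2100,02079460000,45",      # staff, local, fine
    "2024-03-02T03:00:00,VM,00441234567,600",       # voicemail dial-through abroad
]

if __name__ == "__main__":
    for ext, number, reason in review(SAMPLE_CDR):
        print(f"{ext:>5} -> {number}: {reason}")
```

In a real deployment the class-of-service table is configured on the PBX itself, and the review function would run over exported CDRs on a schedule so that an out-of-hours international burst is noticed the same night rather than on the next bill.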