Phreakers, Hackers and Phone System Security
With SIPVicious attacks against digital hybrid and voice over IP systems on the rise, it’s easy for analog PBX owners to think that a straight analog PBX system protects them from phreakers and hackers, but they need to think again. With analog PBX systems, as with digital hybrid, SIP and VoIP phone systems, the question is not if the system will be hacked but when. The most prudent path, regardless of the type of phone system, is to identify and test the measures in place to delay access and to report suspicious activity immediately upon discovery.
The areas that provide the most opportunities to hackers exploiting a phone system are:
· Unsecured or insufficiently secured access to the phone system, voicemail, administration and programming
· Routing calls from the public switch through the phone system to the voicemail and back to the phone system
· ACD (Automatic Call Distribution)
· Trunk access
· CFOS (Call Forward Off-Site)
Phreakers and long distance hackers have the default passcodes for every phone system on the market. They identify the phone system by calling published and toll-free numbers. They systematically go through auto-attendant menus until they reach a default message that allows them to identify which system is associated with the default message and phone number. Some of the hackers have sophisticated auto-dialers that help them identify the vulnerable systems, while some use social engineering or brute force access attempts. Even if default passcodes have been changed, once the hacker identifies the phone system they will attempt, often successfully, to access the network through a remote access maintenance port. That enables them to deploy a script against the phone system that will break a four-digit passcode within seconds. A single two-day unreported hack (this most often happens across a weekend) can lead to $10,000 and even upwards of $100,000 in liability to local and long distance carriers.
US providers are obligated to pay the charges incurred to the international providers and the FCC has determined it is the responsibility of the phone system owner to not only control access to their phone system but also meet liability incurred via the phone system. So, it is the phone system owner that must pay the US provider what has been charged by the international provider.
So, what’s a business owner to do? Mitigate the risk by protecting the environment, securing the system and voicemail, identifying the threat and alerting on potential hacks. There are enough unsecured systems to exploit that a hacker who cannot crack a system initially is more likely to move on to the next number. This doesn’t mean the hacker won’t come back and try again.
Mitigation Elements:
· Protect the phone system
· Protect the voicemail
· Protect the telecom-data environment
· Identify and report attempts
· Alert and notify on hacks
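As an illustration of the last two elements, the following added example (not from the original article or any phone system vendor) scans a call and voicemail event log for the two patterns described above: a burst of failed passcode entries on one mailbox, and international calls placed on a weekend or outside business hours. The log layout, event names, thresholds, business hours and sample records are all assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample records (not from a real PBX). Assumed export layout:
# timestamp, event, extension/mailbox, dialed number.
SAMPLE_LOG = """\
2024-03-08 16:55:10,CALL,204,12025550123
2024-03-09 02:11:03,VM_LOGIN_FAIL,310,
2024-03-09 02:11:09,VM_LOGIN_FAIL,310,
2024-03-09 02:11:15,VM_LOGIN_FAIL,310,
2024-03-09 02:11:21,VM_LOGIN_FAIL,310,
2024-03-09 02:11:27,VM_LOGIN_FAIL,310,
2024-03-09 02:14:40,CALL,310,0119995550100
2024-03-09 02:15:02,CALL,310,0119995550101
2024-03-11 10:30:00,CALL,204,0119995550102
2024-03-11 10:31:00,VM_LOGIN_FAIL,204,
"""

FAIL_THRESHOLD = 5             # assumed: failed passcode entries per mailbox
WINDOW_SECONDS = 300           # assumed: sliding window for counting failures
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59, Monday to Friday
INTL_PREFIX = "011"            # US international dialing prefix

def off_hours(ts):
    """True on Saturday/Sunday or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def find_alerts(log_text):
    """Return (alert_type, extension, timestamp) tuples in log order."""
    alerts = []
    fails = {}  # mailbox -> failure timestamps still inside the window
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        stamp, event, ext, dialed = row
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event == "VM_LOGIN_FAIL":
            recent = [t for t in fails.get(ext, [])
                      if (ts - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(ts)
            fails[ext] = recent
            if len(recent) == FAIL_THRESHOLD:  # alert once per burst
                alerts.append(("PASSCODE_GUESSING", ext, stamp))
        elif event == "CALL" and dialed.startswith(INTL_PREFIX) and off_hours(ts):
            alerts.append(("OFF_HOURS_INTERNATIONAL", ext, stamp))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Run against the sample, mailbox 310 is flagged once for passcode guessing and twice for Saturday-morning international calls, while the weekday business-hours international call from extension 204 is not.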