Sorry kids, this is not a primer on how to hack phone systems for fun and profit. Rather, this is a guide for system owners to understand the threat of hacking and to take the appropriate steps to protect their system.
Phone System Hacking - A Brief History
Phone system hacking, or ‘phreaking’ has a long, time-honored tradition. From its relatively innocent beginnings as people tapping the switch hook to simulate rotary dial pulses, or using whistles to simulate touch tone frequencies, phone system hacking has grown up into a much more sinister enterprise. Today, phone hackers are responsible for around $5 Billion in toll fraud annually. Trust me, it is happening on a large scale all the time and it could happen to you anytime. The hackers do not necessarily target a specific system; they are often searching randomly for a system with known vulnerabilities. They are almost always looking for a way to use your system to dial international numbers. Once they expose the vulnerability, they can sell access to your system to hundreds or thousands of people worldwide. If they happen across your system and you are unprepared, you could be liable for tens, or even hundreds of thousands of dollars in international long distance charges.
Why Are They Trying to Hack my Phone System?
Typically, hackers will sell access for people dialing the following countries. These countries still have very high per-minute charges for long distance traffic, so the potential for fraud is very high.
| Area code | Country | Area code | Country |
|---|---|---|---|
| 268 | Antigua and Barbuda | 664 | Montserrat |
| 284 | British Virgin Islands | 721 | Saint Maarten |
| 345 | Cayman Islands | 869 | St. Kitts/Nevis |
| 809 | Dominican Republic | 784 | St. Vincent |
| 829 | Dominican Republic | 868 | Trinidad and Tobago |
| 849 | Dominican Republic | 649 | Turks & Caicos Islands |
| 473 | Grenada | 340 | U.S. Virgin Islands |
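Because the hackers' goal is to route calls to these destinations, the simplest early-warning control is to watch your own call detail records (CDRs) for outbound calls to the area codes in the table. The following is an added example for this post, not code from the original or from any phone system vendor; it assumes a constructed CDR line format of "timestamp,source,dialed" and screens a few constructed sample records, adding the context a fraud analyst wants (off-hours calls, calls originating from a voice mail port, and many hits from one source).

```python
"""Screen call detail records for outbound calls to high-cost Caribbean
area codes. Added example; the CDR format and sample lines are constructed."""
import re
from datetime import datetime
from typing import Optional

# Area codes from the table above. All are NANP, so they are dialed like
# a domestic long-distance call: 1-NPA-NXX-XXXX.
HIGH_COST_AREA_CODES = {
    "268": "Antigua and Barbuda", "284": "British Virgin Islands",
    "345": "Cayman Islands", "809": "Dominican Republic",
    "829": "Dominican Republic", "849": "Dominican Republic",
    "473": "Grenada", "664": "Montserrat", "721": "Saint Maarten",
    "869": "St. Kitts/Nevis", "784": "St. Vincent",
    "868": "Trinidad and Tobago", "649": "Turks & Caicos Islands",
    "340": "U.S. Virgin Islands",
}

# Constructed sample CDR lines (assumed format: timestamp,source,dialed).
SAMPLE_CDR = """\
2024-03-02T02:13:44,VMAIL-PORT-3,12685550143
2024-03-02T02:14:10,VMAIL-PORT-3,18095550199
2024-03-02T09:30:02,EXT-2041,12125550177
2024-03-02T02:15:51,VMAIL-PORT-3,011447911123456
2024-03-02T23:58:09,EXT-2007,13405550111
"""


def normalize_nanp(dialed: str) -> Optional[str]:
    """Return the 3-digit area code if the dialed string is a NANP number
    (10 digits, optionally preceded by the 1 long-distance prefix), else
    None. Non-digit separators such as dashes are ignored."""
    digits = re.sub(r"\D", "", dialed)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return digits[:3]


def screen_cdr(cdr_text: str, business_hours=(7, 19)):
    """Return (timestamp, source, dialed, country, reasons) for every call
    whose destination is a high-cost area code. 'reasons' adds context:
    the call was placed outside business hours, or it originated from a
    voice mail port, the classic sign of an outdial abuse."""
    flagged = []
    for line in cdr_text.strip().splitlines():
        ts, source, dialed = line.split(",")
        npa = normalize_nanp(dialed)
        if npa not in HIGH_COST_AREA_CODES:
            continue
        reasons = []
        hour = datetime.fromisoformat(ts).hour
        if not (business_hours[0] <= hour < business_hours[1]):
            reasons.append("off-hours")
        if source.startswith("VMAIL"):
            reasons.append("originated from voice mail port")
        flagged.append((ts, source, dialed, HIGH_COST_AREA_CODES[npa], reasons))
    return flagged


def summarize(flagged):
    """Count flagged calls per originating source. One source with many
    hits in a short window is what resold access to a mailbox looks like."""
    counts = {}
    for _, source, *_ in flagged:
        counts[source] = counts.get(source, 0) + 1
    return counts


if __name__ == "__main__":
    hits = screen_cdr(SAMPLE_CDR)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

The international number in the sample (dialed with the 011 prefix) is deliberately not matched by the NANP check; a real deployment would add a separate rule for 011-prefixed calls, since the same outdial abuse reaches non-NANP destinations as well.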
What I can tell you is that we can identify some specific, known exploits, and we know the steps to take to harden your system against them. But this is not a one-time exercise. The exploits are always evolving and so must our defenses. With this series, I hope to bring you up to date on current threats and show you how to avoid being a victim. You can probably never be invulnerable to all exploits; the goal is to make your system more difficult to hack than the next guy’s so the hackers move on to easier pickings.
Exploiting your Voice Mail System
The first exploit I will talk about is through your voice mail system. In the ‘good old days’, a voice mail system recorded messages and that was it. Pretty limited hacking potential there. But today, voice mail systems do much more. They often allow outdialing for message notification, or to track you down when out of the office or to return a call to someone who left you a message. Once a malicious caller gains access to a mailbox on such a system, it is game over. How do they gain access? Several ways: social engineering, unauthorized system access and computer hacking.
Let’s get Social
Social Engineering: This is perhaps the easiest method since it requires no technical skill. Social engineering relies on the vulnerabilities of us as humans. We do dumb things out of laziness or just for our own convenience that make it easy for someone else to access our systems. The most obvious is the password we use to prevent access to our mailbox. What is yours? Your extension number? Gosh! No one would ever guess that!! Your address? Your birth year? This year?!? Come on!! You’re making this way too easy!! How about 1234 or 9876? Last 4 digits of your phone number? Child’s play. Out of the 10,000 possible combinations for 4-digit passwords, a hacker might try the 10 or 20 most obvious, then move on.
Mark My Words
Don’t be an easy mark by using an obvious password. Modern voice mail systems allow the administrator to set up rules for passwords that prevent users from setting many of these ‘easy’ combinations. Modern systems also allow for longer passwords. A 10-digit password is much harder to hack than a 4-digit password. Look into it for your voice mail system. Don’t write your voice mail password down and stick it to your phone. Don’t share your password with anyone. These are all pretty obvious things, but for that reason they are the very ones a hacker will use to test you.
Change is Good
Another dumb thing we do is not changing voice mail passwords. Use your administrative interface to enforce periodic password changes. And disable voice mail boxes as soon as an employee leaves the company. Be on the lookout for unused or ‘system’ mailboxes that may have a default password. If your system allows it, lock out mailbox access after 3 failed password attempts. This makes brute force guessing much more difficult.
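The password rules from the last three sections (reject the obvious combinations, require a longer PIN, lock the mailbox after 3 failed attempts) can be written down as an enforceable policy. The code below is an added example for this post, not code from the original or from any voice mail product; the mailbox attributes it uses to build the per-user "too obvious" list (extension, phone number, birth year) and the minimum length of 6 digits are assumptions, and a real system would store a hash of the PIN rather than the PIN itself.

```python
"""Voice mail PIN policy check and failed-attempt lockout.
Added example; the mailbox attributes and minimum length are assumptions."""
import hmac
from dataclasses import dataclass

MIN_LENGTH = 6           # assumption; the post recommends longer PINs than 4 digits
MAX_FAILED_ATTEMPTS = 3  # the post: lock out after 3 failed attempts


def is_sequence(pin: str) -> bool:
    """True for ascending or descending runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated(pin: str) -> bool:
    """True for a single repeated digit such as 0000."""
    return len(set(pin)) == 1


def pin_problems(pin: str, extension: str, phone_number: str,
                 birth_year: int, current_year: int) -> list:
    """Return a list of reasons the PIN violates the policy; empty means OK.
    The 'obvious' values are exactly the ones the post lists: extension,
    last 4 digits of the phone number, birth year and the current year."""
    if not pin.isdigit():
        return ["PIN must be digits only"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if is_repeated(pin):
        problems.append("single repeated digit")
    if is_sequence(pin):
        problems.append("ascending or descending sequence")
    obvious = [extension, phone_number[-4:], str(birth_year), str(current_year)]
    for value in obvious:
        if value and value in pin:
            problems.append(f"contains obvious value {value}")
    return problems


@dataclass
class Mailbox:
    """Minimal mailbox login state with lockout after repeated failures."""
    extension: str
    pin: str            # a real system stores a hash, not the PIN (assumption)
    failed_attempts: int = 0
    locked: bool = False

    def authenticate(self, attempt: str) -> bool:
        """Constant-time compare; a locked mailbox rejects even the right PIN
        until an administrator resets it."""
        if self.locked:
            return False
        if hmac.compare_digest(attempt, self.pin):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed user record: extension 2041, phone 555-123-0199, born 1980.
    for candidate in ("1234", "204198", "730519"):
        print(candidate, pin_problems(candidate, "2041", "5551230199", 1980, 2024))
    box = Mailbox("2041", "730519")
    for guess in ("000000", "123456", "198019", "730519"):
        print(guess, box.authenticate(guess), "locked" if box.locked else "")
```

The lockout counter only resets on a successful login, so an attacker who gets 3 guesses wrong is stopped at exactly the point the post describes; the administrator reset path (clearing `locked` and `failed_attempts`) is left to the surrounding system.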
Are you Authorized?
Unauthorized System Access/Computer Hacking: Modern voice mail systems are typically just another server sitting on your network. This makes the system vulnerable in a couple of ways: to inside threats (a disgruntled employee?) and outside threats (hackers). If a malicious person can gain access to an administrative interface for your system, they can program resources to do whatever they need. Don’t give them the chance.
It is beyond the scope of this humble blog post to detail all the ways a network server can be hacked. Fortunately, we don’t need to. The solution is the same as for any other network server: Administrator passwords should be complex, changed often and guarded jealously. Maintain the same firewall protections for your voice mail server as you would for any other server on your network. Set up various levels of administrator rights and only give the needed level of access to administrators. If your company still has different people in charge of IT and phone systems, get your IT manager involved in protecting the voice mail system. It is one of the most important assets to protect on your network.
Get your phone system vendor involved. Find out how they access your phone system and voice mail system for remote programming. Does this open up any vulnerabilities? Ideally this should be through a VPN that you administer and control, with all of the password requirements stated above.
In Part II of this series, I will look further into various toll fraud techniques. We will talk about toll fraud through your phone system. Some of the issues will bring us back around to voice mail. There is lots more to discuss. Stay tuned!
Has your business ever been hacked? What was your experience solving the problem? What steps have you taken to minimize your risk? Share your thoughts in the comments.