Phone System hacking, how it happens

worker-using-phoneLet me start off by saying that you’ve probably found this article by a search engine because you were trying to find out how and why you just received a huge long distance bill from your phone company.  Unfortunately, you have become a victim of hacking – most likely through your office’s phone system being compromised by a third party.

Why?

There are generally two reasons why this happens.  The first is simply free calling, allowing a hacker to make or relay telephone calls to a destination at your expense.  The second is to flood a destination’s phone company with billable traffic which the terminating long distance carrier gets paid for – and consequently, you get billed for.

How did it happen?

For most circumstances there are three common ways a hacker can take control of your phone system and run up huge long distance charges without you knowing:

1.  Remote voice mail access is BY FAR the easiest way for a hacker to gain enough access to a phone system to do bad things.  Let’s face it – office phone systems and voice mail systems are not cheap and businesses typically make an investment in this technology once and overlook upgrading as technology (and hackers) become more advanced.  Employees want to be able to access information (including voice mail) while out of the office, so your “phone guy” may have setup a way to access your voice mail while you’re not in the office – a convenient but hackable feature.

Hacking a voice mail system is quite easy and you don’t need a degree in computer science to do it either!  Once a voice mail system has the capabilities to be accessed by dialing in from an outside line – this also makes it available to be hacked by anyone in the world who can call your phone number.  “Phone Guys” who do installations and moves/adds/changes to PBXs/Key systems are notorious for leaving system programming and user (voice mail) passwords set to their default password assigned by the manufacturer.  Most voice mail systems only allow 4-digit passwords, which means there are 9,999 possible password combinations.

Once inside a voice mail system, there are ways to dial-out from inside the voice mail system (meaning the new call is made from one of your phone lines, and thus billed to you).

2. Remote Programming has become extremely profitable for “phone guys” and leaves your extremely insecure. Instead of waiting for the “phone guy” to drive to your office and hit a few buttons and leave you with a fat bill, they have the ability to dial-in to your phone system and make the changes remotely (usually at a discounted price) – something that sounds appealing, but at what risk?  Referring back to item #1, phone vendors (more times than not) keep the default passwords in-place to make it easy for them to remember.

Once someone has access to the DISA (Nerd translation: Direct Inward System Access) or remote programming, they have complete and full control of all phones, phone lines, call forwarding, voice mail, etc.  They can do anything they want to your phone system.

3. IP-Phones / Remote Phones have saved businesses tons of money by eliminating long-distance communications costs between offices or remote workers.  IP phones commonly use a protocol called SIP, which has become the industry standard for voice over IP (VoIP).  Because “phone guys” have never really placed nice with “network guys” there has always been an invisible wall between the two technologies.  With newer phone systems (which have remote office/teleworker capabilities) the phone system will use the data network to establish communications with the remote office/worker.  If improperly setup/secured, hackers will use the same techniques from items #1 and #2 – default passwords.  Too often, a username is the same as the password or an improperly setup data network exposes the entire phone system to the internet which gives hackers an easily discoverable target to run automated hacking utilities to gain access.

Once a hacker has successfully registered a remote phone, they act like an extension on your phone system – pickup the phone and start dialing any where, any time.

How do I fix it?

There are two (and only two) things you need to do:

1. IMMEDIATELY Call your phone company up and have them block the following:

  • Block ALL domestic long distance
  • Block ALL near domestic long distance
  • Block ALL international calling
  • Remove any call forwarding features (both remote and *72 based)
  • Remove any transfer features (no answer, busy, blind, etc)
  • Remove any 3-way calling features

2. Engage your phone system vendor and have them identify the intrusion point and do the following

  • Disable remote/DISA programming access
  • Change DISA password
  • Disable remote voice mail (if possible)
  • Delete unused voice mail boxes
  • Change ALL voice mail passwords
  • Ensure SIP (UDP/5060 and TCP/5060) is NOT accessible from outside the LAN (use site-to-site GRE tunnels if possible)
  • Ensure all SIP registrations use strong passwords

Sadly, Long Distance fraud attempts happen thousands of times a day, thankfully most attempts are unsuccessful.  Keep in mind that when a hacker gains access to a phone system, there may be a significant time difference between when they first gained access to your PBX and when you actually received your phone bill.

Most larger telecommunications companies have entire departments dedicated to fraud detection and prevention – don’t be surprised if you receive a phone call from your phone company saying you may have been hacked.