Oops, I forgot to secure my phone system

01 Nov 08

On 20 August 2008, Associated Press reported that a hacker broke into the US Homeland Security Department telephone system and racked up about US$12,000 in calls to the Middle East and Asia. This kind of event is bound to make headline news, but will an average phone system get mentioned? Probably not.

Your PBX system will get hacked. People often ask me why someone would bother hacking into their phone system. The answer is simple – to steal long-distance phone calls. In fact, of all the computer systems that a business has on its network, the PBX is one of the few that is directly linked to its purse strings through the telephone account. Leaving a phone system unsecured is like leaving a full wallet in plain sight in your car; most of the time it will still be there when you come back, but not always. You would not risk leaving your wallet in your car, and you shouldn’t be gambling with your computer network either.

All PBX systems are vulnerable

There is a common misconception that only the latest IP PBX systems are vulnerable; however, that is not true. There are reports of traditional PBX systems being hacked as often as, if not more often than, the new IP PBX systems. The truth is, if a phone system is connected to the computer network in any way, shape or form, it is vulnerable to attack. Arguably, traditional phone systems connected to the computer network are more vulnerable to attacks. The reason for this is simple: if a hacker finds a way to exploit the connection to the network, then the equipment needs to be patched; however, patches for older, proprietary systems may simply not be available.

The only PBX system that is not vulnerable to an attack is one that is not connected to a computer network, including dial-up modems for remote support!

Telephone guys don’t understand, IT guys don’t care

When I talk about security to most telephone systems experts, their eyes glaze over. Many PBX support organisations traditionally don’t deal with data security issues, and don’t educate their staff on the subject, so they leave the security up to the IT department. On the other hand, most IT companies don’t view the PBX as their responsibility. Traditionally it has been a specialist field, so the expertise within the IT industry to support PBX systems is very rare. This leaves the average business with a security hole.

So, what do we do now...?

Many businesses still have a fairly relaxed view of security, and do not understand why anyone would be interested in their network. There are, however, thieves out there just waiting to jump at the chance to steal telephone calls, so if a telephone system is at all connected to a computer network, the business should be concerned.

Here is what is done in the server security world: it takes between seven days and three months to build software to exploit a vulnerability in a system. In order to keep a system secure, the vendor must employ independent security experts to look for these vulnerabilities and provide software patches as soon as any are found, so they can be applied to the system within a reasonable time. It should be no different in the phone system security world.

If you or your customers are in the market for a new PBX, ask the PBX vendor to demonstrate that they will pro-actively apply security patches to the phone system, or at least supply you with the patches and the method of applying them. If the vendor tells you that their phone system is secure and there is no need to apply any patches, you will know that it either doesn’t know or doesn’t care about security, so be careful – your business account could be at risk.