Oops, I forgot to secure my phone system

01 Nov 08

On 20 August 2008, Associated Press reported that a hacker broke into the US Homeland Security Department telephone system and racked up about US$12,000 in calls to the Middle East and Asia. This kind of event is bound to make headline news, but will an average phone system get mentioned? Probably not.

Your PBX system will get hacked. People often ask me why someone would bother hacking into their phone system. The answer is simple – to steal long-distance phone calls. In fact, of all the computer systems that a business has on its network, the PBX is one of the few that is directly linked to its purse strings through the telephone account. Leaving a phone system unsecured is like leaving a full wallet in plain sight in your car; most of the time it will still be there when you come back, but not always. You would not risk leaving your wallet in your car, and you shouldn’t be gambling with your computer network either.

All PBX systems are vulnerable

There is a common misconception that only the latest IP PBX systems are vulnerable; however, that is not true. There are reports of traditional PBX systems being hacked as often as, if not more often than, the new IP PBX systems. The truth is, if a phone system is connected to the computer network in any way, shape or form, it is vulnerable to attack. Arguably, traditional phone systems connected to the computer network are more vulnerable to attacks. The reason for this is simple: if a hacker finds a way to exploit the connection to the network, then the equipment needs to be patched; however, patches for older, proprietary systems may simply not be available.

The only PBX system that is not vulnerable to an attack is one that is not connected to a computer network, including dial-up modems for remote support!

Telephone guys don’t understand, IT guys don’t care

When I talk about security to most telephone systems experts, their eyes glaze over. Many PBX support organisations traditionally don’t deal with data security issues, and don’t educate their staff on the subject, so they leave the security up to the IT department. On the other hand, most IT companies don’t view the PBX as their responsibility. Traditionally it has been a specialist field, so the expertise within the IT industry to support PBX systems is very rare. This leaves the average business with a security hole.

So, what do we do now...?

Many businesses still have a fairly relaxed view of security, and do not understand why anyone would be interested in their network. There are, however, thieves out there just waiting to jump at the chance to steal telephone calls, so if a telephone system is at all connected to a computer network, the business should be concerned.

Here is what is done in the server security world: it takes between seven days and three months to build software to exploit a vulnerability in a system. In order to keep a system secure, the vendor must employ independent security experts to look for these vulnerabilities and provide software patches as soon as any are found so they can be applied to the system within a reasonable time. It should be no different in the phone system security world.

If you or your customers are in the market for a new PBX, ask the PBX vendor to demonstrate that they will pro-actively apply security patches to the phone system, or at least supply you with the patches and the method of applying them. If the vendor tells you that their phone system is secure and there is no need to apply any patches, you will know that it either doesn’t know or doesn’t care about security, so be careful – your business account could be at risk.  
