PBX hacking occurs when someone is able to make unauthorized calls on a business phone system. This is done either by exploiting a user menu to setup a forward or by becoming authorized as a remote SIP phone. I’ll explain each of these hacks and show how to avoid them.
The oldest hack, the forwarding hack, involves finding a phone system that will provide a menu that allows the caller to identify themselves as a user on the system and then allows the user to forward their calls. The FacetPhone user menu can do this. It is common to be able to press * when in an auto-attendant and be directed to a user menu where you can check your voice mail and perform other functions. So the hackers call businesses and look for auto-attendants that will accept * (they probably try other keys for this as well). When they find one, the next step is to get logged in as a user. The auto-attendant at that point will almost always ask the caller to enter their extension and then their PIN. Apparently if you guess extension 100 and assume there is no PIN or that the PIN is 1234, you can get into quite a few systems! At that point, they can listen to the menu and see if it has an option for forwarding the user’s calls. If it does, they forward calls to the destination that they want to connect hours of calls through to. The destination is always international to countries such as Lithuania. The final step is to call the business again and enter the extension of the user who’s calls have been forwarded. That call is then forwarded to the destination they setup. The call is left connected for hours, quite often at night. I assume the hackers have equipment at both ends of this connection that allows them to route calls through it for free (to them).
FacetPhone helps prevent the forwarding hack in several ways. To begin with, the user menu will not even allow you to login over an outside phone line if you do not have a PIN. Secondly, you can limit the forwarding function of the menu to only those users who have a need to use it – and then make sure they have a good PIN. Finally, if a hacker does get a call setup, anyone using the FacetPhone user interface will notice the call and can end it before it goes too long. Also, reviewing the phone system’s call reports will allow you to spot these calls if they are happening when the business is closed and nobody is watching a user interface.
The newer hack attacks VoIP phone systems that have been configured to allow SIP phones to connect over the Internet. In this case, the connection is not configured to go through a VPN and port forwards have been setup on the firewall where the phone system resides. This is very convenient for users who have a soft phone on a laptop or other mobile device. Their soft phone can act as their extension on the phone system anywhere that they have Internet access. What the hackers look for is a phone system that will respond to SIP requests from the Internet on the standard SIP port of 5060. When they find one, they try sending a SIP message to start a call masquerading as a valid extension on the system. Once again, if you choose extension 100, that is likely to be valid. The number they call is the international number where they will connect calls for hours.
To prevent this SIP masquerading hack, we setup phones outside the LAN to use an alternate port for SIP messages, greatly reducing the chances that the hackers will find the phone system. We also configure passwords on the phones to ensure that a request from extension 100 will only work if it authenticates with the non-trivial password.
PBX hacks can be very costly. A single call left up overnight can cost thousands of dollars. Usually the phone company will notice it eventually if you don’t. However, they will not always refund all or part of the cost of the hacker calls. By taking the steps outlined above your phone system can be hacker proof!