Security Advisory: Telephone Voicemail Hacking Leading to Enormous Bills

We have all heard of voicemail hacking, but it appears it isn’t just the red top gossip rags after your secrets, but also criminal gangs targeting your company telephone system … and bills.

While outside our IT support remit, this morning we assisted a customer whose telephone system had been hacked over the weekend, and as a consequence have run up a bill of several thousand pounds in international phone call charges. Not knowing where to start, the customer called us and what we discovered was quite shocking as to just how easily this was effected by hacking of the voicemail system. So much so that I thought a security advisory was wise; suggesting that you raise this matter with your telephone supplier as a preventative measure.

A little background

Not so long ago, a telephone answering machine was as secure as the room it was in. It was, essentially, a tape recorder bolted onto a phone. If you called someone and they were out, the tiny cassette inside would record your message so that the intended recipient could play it back later. The only way to “hack” the message would be to steal the cassette itself. But mobile telephony has changed all that. Users now need access to their messages wherever they are and sometimes from more than one phone. This provided a way in for the phone hackers.

For most circumstances there are three common ways a hacker can take control of your phone system and run up huge long distance charges without you knowing:

• Remote voice mail access is BY FAR the easiest way for a hacker to gain enough access to a phone system to do bad things. Employees want to be able to access information (including voice mail) while out of the office, so your “phone guy” may have setup a way to access your voice mail while you’re not in the office – a convenient but hackable feature.
  Hacking a voice mail system is quite easy. Once a voice mail system has the capabilities to be accessed by dialling in from an outside line – this also makes it available to be hacked by anyone in the world who can call your phone number. Phone Engineers who do installations are unfortunately notorious for leaving system programming and user (voice mail) passwords set to their default password assigned by the manufacturer. Most voice mail systems only allow 4-digit passwords, which means there are 9,999 possible password combinations
• Remote Programming has become extremely profitable for phone engineers and leaves you less secure.
  Once someone has access to the remote programming, they have complete and full control of all phones, phone lines, call forwarding, voice mail, etc.
• IP-Phones / Remote Phones have saved businesses tons of money by eliminating long-distance communications costs between offices or remote workers. With newer phone systems, it will use the data network to establish communications with the remote office/worker. If improperly setup/secured, hackers will use the same techniques from items #1 and #2 – default passwords. Once a hacker has successfully registered a remote phone, they act like an extension on your phone system – pick up the phone and start dialling anywhere, any time.

What should you do?

Speak to your telephone system provider and pose the question; is our telephone system secure? While this is the first incident that we have seen, it is by all accounts becoming increasingly common. The steps we have found suggested are often straightforward and include:

• Restrict the use of phone systems to specific dial codes or block all international calls if not required
• Ask if your phone systems has a built-in firewall to help prevent your phone system from being hacked
• Prevent call transferring of international calls through your voicemail system.

Lindsey Hall

Managing Director – EasylifeIT

Portions (C) Sean Brown of Sleepy Shark. Click here for full article