Copyright (C) 02/2003 by Howard Fuhs
Have you ever really thought about the security of your telecommunications system? No? Perhaps you ought to give it a thought. Not that this is a completely new field or anything like that.
Information security people have been preaching for years that corporations must include telecomms security in the general IT security realm. Nevertheless, those responsible for IT security often think of telecomms security last - if at all. However, the telecomms system is the communication tower of the corporation. All voice communications, all fax communications and not least a considerable proportion of the data communication run through this tower. Whoever controls and can manipulate this tower has full power over all corporate communications.
Manipulation and misuse of telecommunications resources mostly do not spring to the mind of the organisation until certain telltale signs appear, such as telephone bills falling outside a certain statistical 'normal' magnitude. This was certainly the case for a number of companies that recently became victims of an attack on their telecommunications systems.
In the case of a specific client, irregularities were not suspected by those responsible until steadily increasing costs charged for calls to value-added service numbers (0190 numbers in Germany) became evident. An initial internal audit revealed that no-one belonging to the organisation had made the calls to these 0190 numbers. Since the amounts had climbed to several thousand euros, the company called in the police. It turned out that this was not the only case. According to the police, they had received numerous reports about a scam that went like this:
A hacker (in fact a phreaker, to use the correct terminology), had gained unauthorised access to the telecommunications systems in several companies and had manipulated these in such a manner that the systems automatically kept calling certain 0190 numbers. These numbers belonged to the phreaker in question and had allowed him to collect more than EUR 400,000 over a period of three years - not a mean salary for a small job of private exchange reprogramming.
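The telltale signs described above, a bill outside the statistical norm and an exchange that keeps dialling the same 0190 number, can be checked from call detail records before the invoice arrives. The following is an added example, not part of the original article: the record layout, extensions and numbers are constructed, and the limit of three standard deviations is an assumption.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import datetime

PREMIUM_PREFIXES = ("0190",)  # value-added prefix named in the article

# Constructed call records; the column layout is an assumption, not a vendor format:
# start time, extension, dialled number, duration (s), cost (EUR)
SAMPLE_CDR = """\
2002-08-05T10:12:00,214,069555010,300,0.41
2002-09-10T14:30:00,220,030555020,240,0.39
2002-10-08T09:05:00,214,069555010,360,0.43
2002-11-12T11:45:00,231,040555030,280,0.40
2002-12-03T02:10:00,299,0190555001,1800,55.80
2002-12-04T02:10:00,299,0190555001,1800,55.80
2002-12-05T02:11:00,299,0190555001,1800,55.80
"""

def parse_cdr(text):
    return [{"start": datetime.fromisoformat(s), "ext": ext, "dialled": num,
             "secs": int(secs), "cost": float(cost)}
            for s, ext, num, secs, cost in csv.reader(io.StringIO(text))]

def premium_calls(rows):
    return [r for r in rows if r["dialled"].startswith(PREMIUM_PREFIXES)]

def repeated_targets(rows, min_calls=3):
    """Premium numbers dialled again and again, as an auto-dialling exchange would."""
    counts = Counter(r["dialled"] for r in premium_calls(rows))
    return {num: n for num, n in counts.items() if n >= min_calls}

def monthly_outliers(rows, k=3.0, min_history=3):
    """Months whose bill exceeds mean + k * stdev of all earlier months."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["start"].strftime("%Y-%m")] += r["cost"]
    months, flagged = sorted(totals), []
    for i, month in enumerate(months):
        history = [totals[m] for m in months[:i]]
        if len(history) >= min_history and totals[month] > (
                statistics.mean(history) + k * statistics.stdev(history)):
            flagged.append((month, round(totals[month], 2)))
    return flagged

if __name__ == "__main__":
    calls = parse_cdr(SAMPLE_CDR)
    print(repeated_targets(calls), monthly_outliers(calls))
```

Run against a real export, the baseline should be built only from months already confirmed as clean, since a manipulated month left in the history raises the limit for every month after it.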
Despite the fact that this was yet another crime connected to the notorious value-added numbers, it is correct in this case to direct the gaze at the intrusions into and manipulation of the telecommunications equipment. It has been well known for many years now that private branch exchange systems no longer consist of clusters of hard-wired relays but of programmable computers. From my own professional experience over the past five years I can report that in over 90% of the cases I have seen in terms of larger telecommunications systems, these systems have been open to unauthorised access because even the most basic security measures were halfheartedly configured or not implemented at all. One reason for this is a kind of 'missing skill set' in the companies. They spend huge amounts of money on firewall technology so that they can securely participate in Internet activities, and on every street corner you now find companies that include the maintenance and management of firewalls in their service sales portfolios. But where are all these professionals when it comes to telecommunications security? Where do you find companies that specialise in telecomms security? The few companies that exist in this field are far from able to extend their services to smaller and mid-sized organisations because they do not have enough skilled staff, and they are in general overstretched. Apart from this, it is a relevant question whether the services of such companies would be demanded by SMEs at all. Many smaller companies are not precisely famous for their security awareness.
Let us briefly consider the different attack methods. First an attacker needs to find out which type of telecommunications equipment is installed in the enterprise. This can normally be accomplished by means of a phone call and a few minutes of social engineering. Once the brand and type of system have been ascertained it is not so difficult to download the corresponding manual from the Internet and research potential vulnerabilities such as service access passwords in suitable newsgroups.
Most standard attacks are carried out through the service access port of the telecomms system. By simply securing this port with a password and a fixed call-back number a lot can already be done to increase security and reduce the risk of a successful attack. Further avenues of attack are sometimes offered by special features of a PABX such as call redirection or conference calls. These functions open the door to certain methods of misuse of the types often used by phreakers in other contexts. All unneeded functionality should be switched off and configuration access password protected so that the functions can't simply be switched back on by an attacker.
A risk which is generally overlooked is factory defaults for passwords. These are obviously well documented and widely known. Lists of default passwords for most telecomms systems are generally available on the Internet. In most cases these default passwords, whether because of ignorance or complacency, remain unchanged after the system has been put into service. For this reason, a phreaker will normally search for access routes protected by default passwords.
It is also important to handle any physical access to telecommunications systems restrictively. Many companies allow their telecomms equipment to be installed in such a way that it is easy to break into, e.g. in a storage room next to the reception. This can offer an attacker direct access to the equipment with all the risks that brings about. It is important to install PABXs in rooms that can be locked and secured. Furthermore, the room should not be used for other purposes that would make it necessary to allow a wider group of members of staff unmonitored access.
Telecommunications security in organisations should be treated as being as important as network security. Attackers with criminal intent are well informed and there are many of them even though they do not figure as prominently as other types of attackers on various computer platforms or the Internet.
Copyright (C) 02/2003 by Howard Fuhs. All rights reserved.
Published: Information Security Bulletin, February 2003, Volume 8, Page 27