Corporate PABXs remain a hacker's playground

Many of New Zealand's corporate switchboards still remain open to hackers, who can easily divert calls and listen to messages in people's mailboxes.

Despite extensive coverage of the issue in the mainstream press and a number of alerts being sent to out to corporate customers over the past two years, Computerworld has learnt that many corporate switchboards still remain vulnerable to hackers.

The vulnerabilities are the same as those reported by the New Zealand Herald last year -- easily guessable passwords and unused mailboxes left on systems. Using a simple sequence of dial pad key-strokes, a hacker can easily access the setup menu for a spare mailbox and, for example, divert calls to, say, an overseas number. As many people use simple pass phrases such as "1111" or "1234", it's not hard for a hacker to remotely gain access to a voice mailbox.

The U.S. Federal Communications Commission alerted companies to the danger of voice mail fraud as far back as 2003. It warned that companies which did not secure their corporate switchboards could be in for a very expensive surprise should their telephone systems be abused by hackers.

New Zealand companies are also vulnerable. "The situation is a mess", said an administrator at a central Auckland IT services company who did not wish to be named.

The problem is users often refuse to change their password to a more complex one for fear they won't be able to remember it. They then "scream at MIS" when they can't remotely access their voicemail.

Disabling unused mailboxes is also a problem, says the administrator. Companies have to pay for each active mailbox on their system, and buy spare mailboxes so they can activate new extensions quickly if need be. When administrators disable unused mailboxes they become activated and have to be paid for, says the administrator.

GDC is a local switchboard reseller whose wares include switchboards that have been found to be vulnerable to hackers. Both GDC's managing director, Geoff Lawrie, and general manager of sales and marketing, Paul Ryan, underscore the fact that vulnerability springs from poor administrative practices. Remote access to (and configuration of) mailboxes is a feature rather than a flaw, says Ryan, but he advises customers to be careful in using this feature and to use strong passwords so as not to expose themselves to abuse.

GDC's products are not the only ones vulnerable to this kind of abuse, says Lawrie. Other vendors' PABX systems enjoy similar features that can also be abused by hackers.

GDC and its software provider, Performance Solutions, have been warning customers -- in writing -- about the problem since it first came to light. They have suggested that customers change all the passwords on their systems. Auditing software, which ferrets out which mailboxes have weak passwords, has also been supplied to customers, says Ryan.

Setting a default password on a mailbox isn't a problem from a licensing point of view, says Ryan. Customers tend to buy licenses on a per-site or a per-mailbox basis, but GDC has no way of knowing how many are activated.

GDC has developed "war dialling" software which it plans to release soon, said GDC's MD Geoff Lawrie. This will allow customers to do external security audits of their PABX system to complement the internal audits presently used to check for security breaches.

Over Easter, the switchboard of the private St James Hospital in Canberra was hacked by perpetrators believed to be based offshore, according to Australian newspaper reports. Up to A$5,000 (US$3,893) worth of phone calls were made to South America and Asia. Experts estimate that had not Telstra noticed the irregular call patterns and warned the hospital, the bill could have been between A$50,000 and A$100,000.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Federal Communications CommissionTelstra Corporation

Show Comments