Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerised or based on VoIP, phreaking has become closely linked with computer hacking. But is VoIP hacking about to hurt businesses?
In Apr 11, Western Australia Police warned the state’s businesses to change passwords and cap international calls on enterprise VoIP networks, after investigating several cases of scammers hacking the networks to commit fraud. The WA Police said three businesses had reported that their VoIP networks were hacked by opportunists, who used the networks to make calls to international numbers offering premium voice services – often owned by the attacker.
In total, the three businesses were said to have suffered losses of some $70,000 from the attacks. Similar methods were used in early 2009 in an attack that caused one small business to run up a $120,000 bill.
In Feb 11, an incident closer to home saw fraudsters hacking into two Guernsey firms’ phone answering systems, leaving them with bills for £28,000. The companies targeted in the phone ‘phreaking’ attacks were in the finance and legal sectors and had their systems hijacked over one weekend.
Guernsey Police’s Commercial Fraud Department said fraudsters guessed the password to the answerphone accounts and were then able to make calls all over the world, including to North Korea and Somalia. Experts think sophisticated “war diallers” and “password crackers” were the more likely method used to gain illegal access.
Most of us are not aware of the dangers of VoIP, and the more widely VoIP is implemented across businesses, the larger the danger.
As demonstrated, security breaches on VoIP systems already include the stealing of telephone numbers and using them to make calls which appear on a business’ phone bill. Take the example of premium rate numbers such as 09 numbers that yield revenue for the carrier and the company that set up the number. The phone operator pays the firm as much as 90% of the generated revenue.
The scam normally involves a bogus operation, registered outside the EU, hacking into an unsuspecting business’ PBX at a time when no one is working. Once in, the hackers programme the PBX to automatically make these premium rate calls. No one is aware of the scam until much later, as evidenced in the earlier examples.
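The pattern described above (out-of-hours calls to premium-rate or international numbers, running up a bill before anyone notices) can be caught by reviewing the PBX's call detail records. This is an added example, not part of the original article; the dial-plan prefixes, office hours, spend cap and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, time

# Assumptions for this example (not from the article): UK-style dial plan,
# 08:00-18:00 weekday office hours, GBP 50 daily cap on high-risk calls.
HIGH_RISK_PREFIXES = ("09", "00", "+")   # premium-rate 09 range, international
WORK_START, WORK_END = time(8, 0), time(18, 0)
DAILY_CAP = 50.0

# Constructed call detail records: (start, extension, dialled number, cost).
# The numbers are made up and use ranges reserved for fiction.
SAMPLE_CDRS = [
    ("2011-02-11T10:15:00", "201", "01632 960 001", 0.40),     # Friday, local
    ("2011-02-11T11:00:00", "203", "001 202 555 0143", 2.50),  # Friday, intl
    ("2011-02-12T02:10:00", "204", "0909 879 0001", 30.00),    # Saturday 02:10
    ("2011-02-12T02:25:00", "204", "0909 879 0002", 30.00),    # Saturday 02:25
    ("2011-02-14T09:30:00", "201", "01632 960 002", 0.40),     # Monday, local
]

def is_out_of_hours(ts):
    """True at weekends or outside the assumed office hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)

def is_high_risk(number):
    """True for premium-rate or international destinations."""
    return number.replace(" ", "").startswith(HIGH_RISK_PREFIXES)

def review_cdrs(cdrs, daily_cap=DAILY_CAP):
    """Return (start, extension, number, reason) alerts for suspect calls."""
    alerts, spend = [], {}
    for start, ext, number, cost in sorted(cdrs):
        if not is_high_risk(number):
            continue
        ts = datetime.fromisoformat(start)
        day = ts.date()
        # Track cumulative high-risk spend per calendar day.
        spend[day] = spend.get(day, 0.0) + cost
        if is_out_of_hours(ts):
            alerts.append((start, ext, number, "OUT_OF_HOURS"))
        if spend[day] > daily_cap:
            alerts.append((start, ext, number, "DAILY_CAP"))
    return alerts

if __name__ == "__main__":
    for alert in review_cdrs(SAMPLE_CDRS):
        print(alert)
```

Run against a nightly CDR export, the same two checks give early warning; enforcing the cap on the PBX or with the carrier is what actually limits the loss.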
Industrial competition is another area where we could potentially see a competing company or a third-party/hacktivist block a competitor’s phone system and occupy phone lines. The phone system can be hacked to create a denial of service attack, preventing outbound calls from being made – suspending a competitor’s ability to make calls which might require days to fix.
With spam taking up 80 percent of internet traffic – spam on the phone line could be the next major headache for businesses. While emails can be deleted in seconds, if spam ever came on a phone line it would be a different story. Every time a phone rings in a business it is answered, and most firms are unable to distinguish a genuine call from spam. With no real urgency shown by telcos to tackle the problem, it can take months to resolve the issue, by which time the spammer has made their money.
VoIP will make it easier to tap into phone calls, so we could well see more incidents of phone-hacking. Not securing a VoIP network is almost as dangerous as using an internet connection without a firewall. However, there are technical solutions out there that can help. Enterprise Session Border Controllers (E-SBC) can be deployed to protect the network from harm – we just need to start using them. It also helps if businesses set up the telephony system properly and incorporate the right controls over making changes.
VoIP hacking will hurt business, but the best way to protect ourselves is to ensure the security is up to the job.