During 2009, many companies have been victims of telephone hacking that exploits known features in the Meridian voicemail system. Through this article I hope to point out a few things that can be done to stop this hacking. Some of the items mentioned are specific to Nortel systems, but I have included some information about IP phones as well. In addition, most of the features mentioned also exist and are exploitable on other brands of telephone systems.
First, the specifics that will stop the most common avenues of exploit so far:
- Make sure every mailbox has a password of at least seven or eight digits. The hackers are using automatic systems that use a "brute force" method to guess voicemail passwords.
- Delete unused mailboxes.
- When you create a mailbox, don't leave it at the default password.
- Disable the call-out/forwarding feature in all voicemail boxes.
- Set your voicemail system to lock out a mailbox after a set number of wrong password attempts.
- Set filters on your phone system to prevent calls to 1-900, 1-976 and 10-10 numbers. On phones in unsecured areas, block all long distance calls (i.e. block everything starting with a "1").
Office telephone systems (PBXs) which support VoIP pose a special risk for unauthorized calling. The threat can take a number of forms:
- if unauthorized persons can reach your IP PBX from the external Internet then there is the potential to place unauthorized calls;
- if your IP PBX accesses IP trunks to place calls, unauthorized persons could potentially spoof your IP PBX's identity to your service provider and place calls through your service provider using your account.
There are a number of ways to protect against the first threat (unauthorized IP PBX access):
- do not permit external access to your IP PBX unless absolutely required to support remote office telephones;
- use an appropriately configured firewall to limit (preferably by originating IP address) or prevent access to your IP PBX;
- pick strong passwords for authentication by the remote office telephones;
- carefully control who has access to the account/password information for remote office telephones and instruct staff as to the importance of maintaining this information in confidence;
- monitor your IP PBX's call logs daily looking for unauthorized or unexpected activity (better IP PBX systems will have a mechanism to automatically and continuously monitor for unusual calling activity).
There are a number of ways to protect against the second threat (unauthorized IP trunking service access):
- carefully control who has access to the account/password information for your IP trunking service and instruct staff as to the importance of maintaining this information in confidence;
- if you have the ability to set your own password on your IP trunks, select a secure password and change it periodically;
- monitor your IP trunking service's call logs daily looking for unauthorized or unexpected activity (better IP trunking service providers will have a mechanism to automatically and continuously monitor for unusual calling activity and alert you immediately if it appears your account has been compromised).
In the final analysis, every security measure can be compromised and every lock can be broken. The goal is to make that as difficult and improbable as possible; and to have mechanisms in place to detect such a breach as soon as possible so that immediate steps can be taken to mitigate the damage.
To that end, if all security measures fail, the best way to minimize the damage is to put a cap on the system. We all have limits on our credit cards. So why not on long distance? I have found only one provider so far who would give us this option. However, the more pressure is applied, the greater the chance of the telcos allowing this option. Searching for a new provider? Make it a condition on your contract. As long as the limit is set high enough, it should never affect normal business.
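The daily call-log review and the 1-900, 1-976 and 10-10 filters recommended above can be checked with a short script. This is an added example, not code from the article or from any PBX vendor; the CSV record layout, the sample records and the one-hour per-extension alert threshold are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample call records (not from any real PBX). Assumed CSV layout:
# start time, originating extension, dialed digits, duration in seconds.
SAMPLE_CDR = """\
2009-11-03T09:14:00,2101,15145550123,180
2009-11-03T10:02:00,2105,5550188,60
2009-11-03T23:41:00,2199,19005550111,2400
2009-11-03T23:55:00,2199,101000015145550190,1500
2009-11-04T02:10:00,2199,15145550177,5400
2009-11-04T02:12:00,2150,19765550142,300
"""

BLOCKED_PREFIXES = ("1900", "1976", "1010")  # the 1-900, 1-976 and 10-10 filters
LD_CAP_SECONDS = 3600  # assumed per-extension daily long-distance alert threshold


def normalize(dialed):
    """Keep digits only, so '1-900-555-0111' and '19005550111' compare equal."""
    return "".join(ch for ch in dialed if ch.isdigit())


def review(cdr_text, cap=LD_CAP_SECONDS):
    """Return (blocked_calls, over_cap) for one batch of call records."""
    blocked = []
    ld_seconds = defaultdict(int)  # (date, extension) -> long-distance seconds
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines instead of aborting the review
        start, ext, dialed, duration = row
        number = normalize(dialed)
        if number.startswith(BLOCKED_PREFIXES):
            blocked.append((start, ext, number))  # should never appear if filters work
        if number.startswith("1"):  # the article treats a leading "1" as long distance
            ld_seconds[(start[:10], ext)] += int(duration)
    over_cap = {key: secs for key, secs in ld_seconds.items() if secs > cap}
    return blocked, over_cap


if __name__ == "__main__":
    blocked, over_cap = review(SAMPLE_CDR)
    for start, ext, number in blocked:
        print(f"BLOCKED PREFIX  {start}  ext {ext} dialed {number}")
    for (day, ext), secs in sorted(over_cap.items()):
        print(f"OVER CAP        {day}  ext {ext} used {secs // 60} long-distance minutes")
```

Any hit in the first list means a dial filter is missing or bypassed; hits in the second point at an extension or mailbox that deserves a closer look that day.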