PBX Security

A Private Branch Exchange (PBX) system is a private telephone network used within an enterprise that switches calls between enterprise users on local lines while also allowing users to share a smaller number of external phone lines. The PBX is owned and operated by the enterprise rather than a telephone company. Such systems offer business a wide variety of features including:
• Allowing employees working away from the office to make calls via their company’s PBX (termed Direct Inward System Access)
• Voicemail
• Remote management of the telephone network
• Allowing calls to be routed by voice or buttons on the phone (termed Interactive Voice Response), e.g. Press 1 for sales, Press 2 for payments, etc
• Forwarding calls made to a particular extension to another number (termed Call Forwarding).

How does it work?

Typically, a hacker will dial in to the PBX and, unless it has been adequately secured, make long distance phone calls at the expense of the PBX owner. There are cases where the hacker subsequently sells the use of the hacked phone system to other third parties at a profit.
There are many approaches a hacker can take to gain access to a PBX system if it is not adequately secured.
Social engineering – Hackers might connect to a number within a company and make an excuse to get transferred back to the operator. On doing so, the operator sees the call as an internal call and may be persuaded to help the hacker dial an external or international number.
Voicemail – Hackers may be able to obtain unrestricted access to the phone system via the voicemail system. This enables them to make unauthorised high-cost calls, re-record welcome messages and lock out legitimate users.
Access through system maintenance ports – Maintenance ports on a PBX or voicemail platform enable engineers to configure the equipment. If a PBX hacker is able to gain access to this port they may be able to reconfigure the system and allow unauthorised long distance calls.

Call diverts, Call conferencing, Eavesdropping – If a PBX hacker can gain access to the maintenance or administrative port on a PBX system it is also possible for them to:

• Eavesdrop on all conversations taking place across the network.
• Divert calls to another location (e.g. home, mobile or overseas) when the owner of the extension is absent.
• Setup conference calls remotely.
Access through Direct Inward Service Access – This is a feature which allows employees working away from the office to make calls via their company’s telephone system. PBX hackers can use this feature to make unauthorised high-cost calls to a termination number of their choosing if this is not securely configured.
What risk does it pose?

The main risk to organisations is financial; the owner of the phone system will receive a bill for all calls that are made using their phones lines. This can add up to tens of thousands of Euros if unauthorised use goes undetected for even a few days.

If your PBX has been supplied by a reputable vendor it should be setup in a secure configuration. PBX owners should however gain assurance from their supplier that the system provided is configured securely before putting the system into use.

Top Tips

• Contact your PBX supplier (if different from your telecommunications provider) and ensure that your PBX is securely configured and has the latest software updates installed to prevent unauthorised access.
• Ensure that your PBX maintenance port has a strong password and does not use the default password.
• Ensure that your voicemail has a strong password and does not use the default password.
• Restrict your voicemail service from allowing call forwarding functionality if this feature is not used by your company.
• If you suspect that your number has been misused, contact both the local station of An Garda Síochána and ComReg.
• Regularly monitor the PBX system log files to identify calls to premium numbers or unusual activity on the system.
• Log files should be securely stored so they can be used to investigate any potential fraud on a PBX system.

Nowadays such communication is changing to VoIP and incidences of traditional PBX fraud are on the decline. However as with most internet threats it still remains a valid concern for business owners/users

What to do?

Organisations should have the security of their PBX tested by professional security testers and update their systems accordingly.

If you have been hacked
Change the appropriate access codes and inform your telecom provider and the necessary authorities without delay

Ensure that all manufacturers default PIN codes are changed

Ensure that adequate authorisation is implemented for all “outbound” calls.

Limit access to the maintenance lines on the PBX to authorised users only.

Sit down and have a conversation with your PBX provider about the Security of your PBX and understand how it has been configured.

Whenever an employee leaves, their PIN should be changed

Restrict code access by time of day, area code, or number of allowed long-distance calls per day. If you get hit, losses will be limited. Close PBX access after 6 p.m. if possible. Often, there is no reason to keep it open at night.