On August 20th, the Department of Homeland Security had a hacker breach its
telephone system. The hacker managed to exploit a security opening in the
system's voice mail that appeared when a system administrator upgraded it. Over
400 calls were made to the Middle East and Asia at an approximate cost of
around $12,000.
While it seems that the classic oversight of leaving default password settings
in place in the voice mail system led to this exploit (DHS is not disclosing
more details of the hack), the fact that it happened to DHS and that the calls
were made to the Middle East is fairly ironic. We cannot say with certainty
whether the system in question was VoIP based or whether it was using PSTN or
IP based trunks, but from a voice security perspective this event clearly shows
that everyone is vulnerable to the simplest and most basic exploits, regardless
of the technology in use.
From the voice security practitioner's point of view, following industry best
practices such as changing default settings immediately after systems are put
into production, or after a major upgrade to their components, is plain common
sense. In another bit of irony, in 2003 DHS itself issued a warning about this
very vulnerability. In practice, however, through human error or omission the
default passwords are often left unchanged, leaving the system open to exploit.
The scope of this problem is amplified by the fact that today's PBX is a complex
application serving thousands of users, with hundreds of features and a
multitude of options.
When managing multiple IP-PBXs, manual processes cannot effectively track the configuration details and are prone to errors and mistakes; such was evidently the case at DHS.

An automated VoIP assessment and compliance management tool would let administrators track conformity with voice security best practices, and known security vulnerabilities, at every stage of a PBX's life cycle: staging, day-to-day usage, upgrades, patching, and so on. Used consistently, such a tool would prevent most of these problems from occurring. Whether it is run on an ad-hoc or a periodic basis, it identifies most of the common problems and mistakes made by PBX users and administrators.
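As an added illustration of the kind of check such a tool would run (this is example code written for this page, not a product or anything DHS uses), the script below audits voice mail mailboxes for default or weak PINs and then compares a pre-upgrade baseline against the post-upgrade configuration to flag mailboxes that regressed. The configuration syntax is assumed to be Asterisk-style `voicemail.conf` (`mailbox => pin,Name,email` under a context header); the sample configurations, the list of well-known default PINs and the six-digit minimum policy are all constructed for the example.

```python
import re

# Policy assumptions for this example: a short list of PINs commonly shipped as
# vendor defaults or chosen by users, and a minimum PIN length. A real tool would
# load these from the organisation's voice security standard.
WEAK_PINS = {"0000", "1111", "1234", "4242", "12345", "123456"}
MIN_PIN_LEN = 6

# Constructed baseline taken before an upgrade: every mailbox is compliant.
BASELINE_CONF = """
[general]
maxsecs=180

[default]
1001 => 839217,Alice Example,alice@example.invalid
1002 => 418302,Bob Example,bob@example.invalid
1003 => 662190,Carol Example,carol@example.invalid
"""

# Constructed configuration after a (hypothetical) upgrade that re-seeded two
# mailboxes with defaults and created a new one that nobody reconfigured.
UPGRADED_CONF = """
[general]
maxsecs=180

[default]
1001 => 1234,Alice Example,alice@example.invalid
1002 => 418302,Bob Example,bob@example.invalid
1003 => 1003,Carol Example,carol@example.invalid
1004 => 0000,Dan Example,dan@example.invalid   ; created with the vendor default
"""

# mailbox => pin,Name,...   (pin may be empty; ';' starts a comment)
MAILBOX_RE = re.compile(r"^\s*(\d+)\s*=>\s*(\d*)\s*(?:,\s*([^,]*))?")


def parse_mailboxes(text):
    """Return (context, mailbox, pin, name) tuples for every mailbox definition."""
    mailboxes = []
    context = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]
            continue
        if context == "general":  # global options, not mailboxes
            continue
        m = MAILBOX_RE.match(line)
        if m:
            mailboxes.append((context, m.group(1), m.group(2), (m.group(3) or "").strip()))
    return mailboxes


def pin_findings(mailbox, pin):
    """List every policy violation for one mailbox PIN (empty list == compliant)."""
    findings = []
    if pin == "":
        findings.append("empty PIN")
        return findings
    if pin in WEAK_PINS:
        findings.append("well-known default PIN")
    if pin == mailbox:
        findings.append("PIN equals mailbox number")
    if len(pin) < MIN_PIN_LEN:
        findings.append(f"PIN shorter than {MIN_PIN_LEN} digits ({len(pin)})")
    if len(set(pin)) == 1:
        findings.append("single repeated digit")
    return findings


def audit(text):
    """Map 'context/mailbox' -> findings for every non-compliant mailbox."""
    report = {}
    for context, mailbox, pin, _name in parse_mailboxes(text):
        findings = pin_findings(mailbox, pin)
        if findings:
            report[f"{context}/{mailbox}"] = findings
    return report


def regressions(before_text, after_text):
    """Mailboxes that are non-compliant now but were not flagged in the baseline."""
    before = audit(before_text)
    return {k: v for k, v in audit(after_text).items() if k not in before}


if __name__ == "__main__":
    print("Baseline findings:", audit(BASELINE_CONF))
    for box, problems in regressions(BASELINE_CONF, UPGRADED_CONF).items():
        print(f"REGRESSION {box}: {'; '.join(problems)}")
```

Run against the baseline the audit is clean; run against the post-upgrade file it reports mailbox 1001 (default PIN), 1003 (PIN equals the extension) and 1004 (repeated single digit), which is exactly the "changed during an upgrade" condition the post describes. The same `audit()` function can be scheduled periodically or hooked into a change-management step so that a re-seeded default is caught before the PBX goes back into production.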