As technology innovations become more widespread, more and more businesses have access to advanced IT infrastructure, such as onsite IP PBX systems. The wide availability of easy-to-install equipment and open source software has led them to switch to in-house setups, depending less on their service providers. However, VoIP service providers have complex security measures in place; businesses that move in-house have to implement their own security layers to protect their business phone systems from being hacked and taken advantage of.
Telephone hacking is the unauthorized access of a third party to a PBX or VoIP gateway, most often with the purpose of placing a high volume of calls through the hacked system, which is why an automated dialer is used.
To help you protect both your communications and your budget, we have put together a guide describing the ways a VoIP phone system can be attacked and the measures to take to prevent, but also to handle, such a breach.
How do you know if your PBX system has been hacked?
First of all, if your SIP trunks are from a reliable VoIP service provider, the provider will identify the anomaly in your traffic and notify you immediately, but this is not always guaranteed to happen in real time. To identify anomalies in a timely manner from your side, periodically download and analyze call logs from your provider’s database, looking for the following signs:
- Very long duration calls, significantly higher than your usual duration;
- Business extensions being forwarded to international destinations;
- A high number of calls in a short period of time, which might indicate the use of an automated dialer;
- Calls to high-cost destinations, usually international;
- Calls being made outside your business hours.
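The call-log checks listed above can be automated. The following Python script is an added example, not part of the original guide; the column names, thresholds, home prefix and sample records are constructed assumptions, and it covers the indicators visible in call logs (forwarding rules must be checked in the PBX configuration itself).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call log; real provider exports use different column names.
SAMPLE_CDR = """start,extension,destination,duration_s
2024-03-04 10:15:00,101,+12125550101,180
2024-03-04 11:02:00,102,+12125550102,5400
2024-03-05 02:10:00,103,+88299000001,600
2024-03-05 02:10:20,103,+88299000002,610
2024-03-05 02:10:40,103,+88299000003,590
2024-03-05 02:11:00,103,+88299000004,605
"""

# Assumed thresholds; tune them to your own baseline traffic.
HOME_PREFIX = "+1"             # calls outside this prefix count as international
MAX_DURATION_S = 3600          # "very long" call
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday
BURST_CALLS, BURST_WINDOW = 4, timedelta(minutes=2)

def analyze(cdr_text):
    """Return {(start, extension, destination): set of triggered indicators}."""
    rows = []
    for r in csv.DictReader(io.StringIO(cdr_text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        rows.append(r)
    rows.sort(key=lambda r: r["start"])
    findings = defaultdict(set)
    recent = defaultdict(list)  # extension -> rows inside the sliding window
    for r in rows:
        key = (r["start"].isoformat(sep=" "), r["extension"], r["destination"])
        if int(r["duration_s"]) > MAX_DURATION_S:
            findings[key].add("long_duration")
        if not r["destination"].startswith(HOME_PREFIX):
            findings[key].add("international")
        if r["start"].weekday() >= 5 or r["start"].hour not in BUSINESS_HOURS:
            findings[key].add("off_hours")
        window = [p for p in recent[r["extension"]]
                  if r["start"] - p["start"] <= BURST_WINDOW] + [r]
        recent[r["extension"]] = window
        if len(window) >= BURST_CALLS:
            findings[key].add("burst")
    return dict(findings)

if __name__ == "__main__":
    for call, flags in sorted(analyze(SAMPLE_CDR).items()):
        print(call, sorted(flags))
```

A call that triggers several indicators at once, such as the last sample record, is the strongest candidate for immediate review.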
Your employees require access to a PBX’s configuration to make changes, additions or updates. However, there is a high chance that this sensitive information will be shared by your employees, kept in insecure conditions or even used to harm your business upon the employee’s departure.
Limit access to the sensitive information to trusted employees only, whom other team members contact when changes are needed. If additional access is needed, implement multiple layers of access rights, so employees who need to make smaller changes do not have access to the entire setup. Once a person with access to the settings stops working within your organization, remove or change their credentials.
Default settings and passwords
If your VoIP equipment has not been configured with custom usernames and passwords, it becomes an easy target for attackers, because factory credentials are widely available online.
Ensure that your IP PBX or VoIP gateway, as well as IP phones, ATAs and softphones, do not remain configured with their factory credentials. Do not allow your employees to use easy passwords like 12345, as hackers look for users of the PBX and initiate automated brute force attacks, sending continuous login requests to your system until the correct username and password are found.
Third parties might attempt to gain access to your settings and use your phone system for fraudulent activities by persuading employees to give out confidential information.
If you intend to work with IT companies for installation or support, research them and ensure that they are reliable. Also, ask for instructions on how to change all the access settings, so that you can change the usernames and passwords once installation, maintenance or troubleshooting is completed by the consultant.
Hackers might attempt to gain access to your settings by attacking your other communication systems. The most common are email and IM, as well as online cloud storage (internal or others like Google Drive).
Your additional communication systems also need protection. Use encrypted emails to avoid them being intercepted, and secure your cloud storage with complex passwords. Also, avoid transmitting confidential information related to your PBX access all at once; if it’s really necessary, split the information into pieces and share them via different communication systems.
One element that can make your IP PBX vulnerable is open service ports.
Ensure that only the necessary ports for VoIP communication are open on your PBX or router/firewall.
In any of the above cases, please block all outgoing traffic on your PBX to stop more damage from being done. Keep in mind that VoIP service providers usually state in their terms and conditions that the customer is responsible for all traffic emanating from their phone lines, so you will be expected to pay for the calls, even if they were not made by your organization. If you do not require international calling, it is best to ask your VoIP provider to disable that option.