PBX (Private Branch Exchange) is a private telephone network that handles an organization's internal and external communications. For external connections, the PBX connects to the Public Switched Telephone Network (PSTN) using a Telecommunication Service Provider (TSP) or an Internet Service Provider (ISP).
Hackers target PBX networks in ways that can impact the company. Using the PBX, they might place long-distance calls for free, leaving the company to pay the bills. Hackers might steal data or simply render the network unusable. Such hackers who specialize in hacking phone systems are called phreakers.
PBX hacking was traditionally done on analogue PBX systems using various methods. When IP PBX systems were introduced in the 1990s, hacking methods were adapted to these newer networks. There are many best practices that companies can follow to mitigate the dangers of PBX hacking.
Why is it important to know about PBX Hacking and its role worldwide?
PBX is a system connecting the communication lines such as switches, hubs, telephone adapters and routers. There are different types of PBX Systems from which digital PBX or IP PBX/VoIP PBX is preferred in the business phone systems.
According to the survey done by CFCA(Communications Fraud Control Association), around 2013-2017the cases of PBX and IP-PBX was the top five frauds that you can see in the table given in fig.1. In France, the PBX toll fraud losses in companies estimate $220 million a year. Even before 2013, PBX Hacking cases has been there since the switchboards introduction to the world.
Tom Mulhall, in his paper “Where have all the hacker gone”,1997, states that though it might look like hacking cases has deteriorated while they have migrated from computer hacks to PBX/Voicemail attack.
How does PBX Hacking affect the company or an organisation?
PBX Hacking/PBX Toll Fraud or PBX Fraud are some terms mentioned concerning phreakers cracking loopholes of the PBX System.
In different types of PBX Systems, some functions are the same like managing calls with also being connected with companies' systems that contain sensitive data(call records of customers). The system hacked through viruses or worms results not only the loss of sensitive data but an extra charge to fix the system. Also, there’s a possibility where the hacker can listen to phone conversations or voicemails or shut down PBX entirely.
After hacking PBX, phreakers usually make free long-distance calls or run call-sell operations from phone booths or private phones which builds a mode to generate funds illegally. By offering the calls for less than the actual cost to dial directly, the result is the companies owning that PBXs end up paying the bill.
It is also difficult to track these call-sellers as they hide their activities from law enforcement officials by PBX-looping(using one PBX to place calls out through another PBX).
What are the ways the PBX System can be hacked?
DISA and voice mail are classic ways for phreakers to penetrate the organisation PBX System. Also, DoS acts as one of severe attacks towards the PBX System.
- Brute force attack: It is a trial and error method until the password or log-in credentials or encryption keys.
- DISA and Voice Mails: DISA(Direct Inward System Access) is a service provided by PBX where the user’s dials into PBX and then give information for authorisation to use PBX service dial local user. The authorisation process comprises the user’s account, user’s password and callerID. Fraudsters with tricks and hacks try to obtain this information and retrieve it, which then helps them to use PBX to generate outbound calls. While in the voicemail, fraudsters plan to reach voicemail boxes, obtain passwords and retrieve them to gain access to the system.
- Denial of Service Attack(DoS): The denial of service attack makes telephony service unavailable by causing physical damage or software strategies and denying telephones to place or receive calls. It works by flooding networks with fake traffic or server request generated by machines compromised by viruses and malware.
What are the other famous ways for the PBX System to be hacked?
- Internal Enemy: One such example to comprehend the internal enemy is when the employee of that organisation forwards their work number to their private number either overseas or in their country, where for per call the organisation foot up the bill. In some instances, revenge (due to a poorly treated employee) becomes the cause for them to turn against the company.
- Poor Port Management: A poorly protected port linked with PBX can offer hackers a chance to create a “back door” into critical assets such as customer databases and business applications. Also giving them a path to target modem.
- Social Engineering: It is a technique where hackers just by impersonating or manipulating the person or the entire organisation get the sensitive data. One such example is Frank Abagnale, who is known as the infamous social engineer in history.
How the ‘SIP’ has an impact on IP-PBX?
SIP(Session Initiation Protocol) is a protocol that initiates a session in an IP network while aiming to provide functions(similar to traditional PSTN) over the internet. It deals with signalling messages, address resolution, user management and packet transfer and services and is as vulnerable as HTTP or any available service which is public on the Internet.
It can be easily hacked through DoS attacks where :
‘SIP Register Flooding’ attack happens to create traffic by sending streams of SIP REGISTER messages and ‘Call Flooding’ attack which is a way of forming traffic by sending streams of the SIP INVITE requests. These attacks make it difficult to get any legitimate calls.
SIP Injection attacks are also a way where phreaker exploit the SIP by injecting malicious code where Buffer Overflow attack, RTP(Real-Time Transport) Injection Attack and SQL Injection Invites are some examples.
Due to SIP not enforcing any SIP source message validation mechanisms, it creates an opportunity for the attackers to have their request processed without authentication, making a path for spoofing or modification of the SIP control messages.
How to analyse whether we have become the victim of PBX Hacking?
There are some indications to notify the victim whether they have been hacked:
- Overload occurring in the incoming and outgoing trunks.
- Sudden change of call patterns mostly the increase in international calls.
- Any kind of lengthy calls or calls to premium rate services during late-night hours or weekends and holidays.
- Any strange messages left in the voicemail boxes.
- Any signs of war dialing like short calls or wrong number calls or any sign of social engineering.
- Any kind leakage found with respect to the business secrets and sensitive data indicating that the phone conversations are intercepted(hacker listened to the phone conversation).
And lastly, webcams and microphones activate automatically in the case of VoIP systems.
What can we do to prevent them?
- A regular audit must happen in the organisation to assess its vulnerability to fraudulent exploit.
- In case of securing DISA, Call Detail Recording help in identifying call activity linked with individual authorisation codes, while also keeping limited print copies of these records.
- Always change security codes regularly, and give access limit of the administration of authorisation codes to some carefully chosen employees of the company or organisation.
- With help of control functions within the firewall control the traffic covering the subsystem, which will protect network resources and confidentiality of all traffics, also encrypting signal and media streams will increase the security level.
- A strong Firewall to evaluate SIP message contents for attacks and block non-SIP traffic.
- Regular maintenance and analysis of logs.
- Give PBX users Security advice like never leaving phone-set unlocked, not sharing any type of security codes and regular change of security codes should be done and never having any kind of sensitive data in the phone’s memory.
- Having strong passwords are always recommended.
- Channels or services that are not in use should be disabled.
- Further securing system VPN (in case of VoIP PBX) for remote access and enable endpoint filtering.
What techniques or tools do PBX vendors use to mitigate hacking?
Some of the PBX vendors have already working on providing any network security in their systems such as Network firewalls, DDoS(Distributed Denial of Service) prevention, network posture assessments and encryption during data transfer, while at the time while purchasing they try to brief all the risk of hacking and the ways you can avoid it.
There are certain analyses to see whether the provider is doing their part such as checking for accreditations(certificates to show whether the industry meets the security standards) like TEC certification, and prevention measures in the system to prevent hacking, also whether the regular updates are available and are they up to date and also look for call encryption.
At a time when telephone calls are routed via manual switchboards, two switchboard operators of the Bell Telephone Company intentionally disconnect or misdirect calls. Historically, this is probably the first attempt at hacking telephone networks. Hackers in these early days are simply practical jokers who don't cause serious damage. These operator hacks disappear once switchboards get automated in the 1890s via electro-mechanical switching.
MIT's student newspaper, The Tech, features an article titled Telephone Hackers Active. It describes how student hackers are occupying tie-lines between MIT and Harvard, or making long-distance calls for free. A PDP-1 computer searches for outside lines by listening for a dial tone. Some students are even expelled for this. Subsequently, the MIT phone system is updated to prevent calls over tie-lines.
In the U.S., a community of phone hackers begins to take shape during 1968-1969. About this time, the term phone freak comes into use. By the end of the decade, whistles and flutes are readily available to aid hackers. For instance, since the mid-1960s, Cap'n Crunch whistle that came with a box of cereals was used by hackers. It emitted 2,600 Hz, a useful tone for hacking. Years later, phone companies install digital filters to block this and other specific tones.
In June, a newsletter of the Youth International Party Line, uses the word phreek in its first issue. In October, an Esquire article titled Secrets of the Little Blue Box uses the term phreak in what may be the first published use of the term. The article describes how toll-free 800 numbers and a tone at 2,600 Hz could be used to occupy tandem lines and place long-distance calls for free.
For greater awareness, the NIST publishes NISTIR 4816, PBX Administrator’s Security Standards. This discusses the different techniques that PBX hackers use and what PBX administrators can do to mitigate them. These include setting passwords, educating users, protecting voicemails, monitoring PBX options, reviewing billing records and limiting outgoing international calls. A related publication from 2001 is NIST 800-24, PBX Vulnerability Analysis.
In the U.K., the National Computing Centre includes in its regular survey report a new item name "PBX hacking" that has cost organizations £10,000. Although computer hacking dropped from 29.7% (1987) to 8.8% (1993), it's clear that hackers have simply moved to hacking PBX and voicemail systems. This is the result of traditional PBX systems giving way to IP PBX systems.
Four hackers in the Philippines are arrested for PBX hacking funded by a terrorist organization. The phreakers used PBX systems to call Premium Rate Service (PRS) numbers. The revenue from this was split between the phreakers and the terrorists. One of the phreakers had previously hacked PBX systems by exploiting default passwords and unused extensions. He and his associates then offered long-distance call services to customers at low rates, placing calls worth $55 million during 2005-2008.
A Pakistani national named Qasmani is arrested for scamming American telecom companies to the loss of $19.6 million during 2008-2012. Qasmani has been an active phreaker since the late 1990s. He and his associates exploited unused extensions of PBX systems and placed calls to pay-per-minute PRS numbers that they had set up. In June 2017, he's sentenced to four years in prison.
- Almeida, Fernando, and Justino Lourenço. 2011. "Security Issues in Unified Communications." International Journal of Research and Reviews in Computer Science, Kohat University of Science and Technology, vol. 2, no. 2, pp. 403-409, April. Accessed 2021-12-16.
- Androulidakis, Iosif. 2012. "PRETTY (Private Telephony Security) - Securing the private telephony infrastructure." Information and Security, ProCon Ltd., vol.28, no. 1, pp. 89-97. Accessed 2021-12-19.
- Androulidakis, Iosif I. 2016. "VoIP and PBX Security Forensics: A Practical Approach." Second Edition, Springer Briefs in Electrical and Computer Engineering, Springer. doi: 10.1007/978-3-319-29721-7. Accessed 2021-12-23.
- Bai, Julie. 2020. "VoIP Hacking: How it works and How to protect your VoIP phone." Nextiva Blog, August 14. Updated 2022-01-21. Accessed 2022-01-02.
- Baraniuk, Chris. 2013. "Whatever Happened to the Phone Phreaks?" The Atlantic, February 21. Accessed 2022-02-04.
- Barbier, Lola. 2016. "PBX: What Is a PBX Phone System?" Blog, Aircall, October 14. Accessed 2021-12-26.
- CFCA. 2019. "Fraud Loss Survey 2019." Version 1.0, Communications Fraud Control Association. Accessed 2022-01-05.
- Condat, Jean-Bernard. 1994. "Toll Fraud on French PBX Systems." Computer Law & Security Review, vol. 10, no. 2, pp. 89-91, March–April. doi: 10.1016/0267-3649(94)90106-6. Accessed 2021-12-15.
- Continuant. 2018. "What is a PBX?" Continuant, on YouTube, November 15. Accessed 2022-02-03.
- El-moussa, Fadi, Parmindher Mudhar, and Andy Jones. 2010. "Overview of SIP Attacks and Countermeasures." In: D. Weerasinghe (Ed.), ISDF 2009, LNICST 41, Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, pp. 82–91. doi: 10.1007/978-3-642-11530-1_10. Accessed 2022-02-01.
- FBI. 2017. "Dialing for Cash." News, FBI, July 6. Accessed 2022-02-04.
- Gallagher, Sean. 2011. "How Filipino Pherakers turned PBX systems into cash machines for terrorists." Ars Technica, November 30. Accessed 2022-01-05.
- Hoath, Peter, and Tom Mulhall. 1998. "Hacking: Motivation and Deterrence, Part I." Computer Fraud & Security, Elsevier, vol. 1998, no. 4, pp. 16-19, April. doi: 10.1016/S1361-3723(97)86611-0. Accessed 2022-01-16.
- Hur, Johnson. 2014. "History of PBX - From 1978 to Present Day IP and Hybrid PBX." BeBusinessed, June 22. Updated 2017-11-17. Accessed 2022-02-03.
- IPComms. 2017. "11 Steps to Secure your PBX? (Don’t be a victim to telecom theft)." IPComms, May 21. Accessed 2022-01-01.
- Johnson, Simone. 2019. "What is a PBX System?" Business News Daily, October 2. Updated 2021-12-01. Accessed 2021-12-28.
- Koi-Akrofi, Godfred Yaw, Joyce Koi-Akrofi, Daniel Adjei Odai, and Eric Okyere Twum. 2019. "Global Telecommunications Fraud Trend Analysis." International Journal of Innovation and Applied Studies, vol. 25, no. 3, pp. 940-947, February. Accessed 2022-01-17.
- Kuhn, D. Richard. 2001. "PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does." NIST Special Publication 800-24, National Institute of Standards and Technology, April. Accessed 2022-02-04.
- Lapsley, Phil. 2010. "More on the Origin of 'Phreak'." The History of Phone Phreaking Blog, April 4. Accessed 2022-02-04.
- Lichstein, Henry. 1963. "Telephone hackers active." The Tech, MIT, vol. 83, no. 24, November 20. Accessed 2022-02-04.
- MYVOIPAPP. 2022. "Direct inward system access (DISA)." MYVOIPAPP. Accessed 2022-01-12.
- Mcinnes, and Wills. 2021. "The VoIP PBX Honeypot Advance Persistent Threat Analysis." In Proceedings of the 6th International Conference on Internet of Things, Big Data and Security (IoTBDS 2021), SCITEPRESS – Science and Technology Publications, pp. 70-80. Accessed 2022-01-31.
- Merriam-Webster. 2022. "Phreaker." Dictionary, Merriam-Webster. Accessed 2022-02-03.
- Mulhall, Tom. 1997. "Where Have all the hackers gone? Part 5 - Conclusions." Computers & Security, Elsevier, vol. 16, no. 4, pp. 304-306. doi: 10.1016/S0167-4048(97)80194-0. Accessed 2022-01-18.
- Onion, Rebecca. 2013. "Early Hackers’ Supersecret Spyware: Toy Whistles." Slate, February 1. Accessed 2022-02-04.
- Pollard, C. 2005. "Telecom Fraud: The cost of doing nothing just went up." Computers & Security, Elsevier, vo. 24, no. 6, pp. 437-439, September. Accessed 2021-12-17.
- Roback, Edward. 1992. "PBX Administrator's Security Standards, Developed by the Federal Deposit Insurance Corporation." NIST Interagency Report NISTIR 4816, National Institute of Standards and Technology, April. Accessed 2022-01-04.
- Rosenbaum, Ron. 1971. "Secrets of the Little Blue Box." Esquire, pp. 117-226, October. Accessed 2022-02-04.
- University of Florida. 2020. "A Brief History of Hacking from the 1960s to 1990s." Brewminate, July 16. Accessed 2022-01-02.
- VoIPstudio. 2020. "5 signs that your VoIP phone system has been hacked." Blog, VoIP\Studio, February 11. Accessed 2021-12-30.
- Yu, James. 2016. "An Empirical Study of Denial of Service(DoS) against VoIP." 2016 15th International Conference on Ubiquitous Computing and Communications and 2016 8th International Symposium on Cyberspace and Security, IEEE, December 14-16. doi: 10.1109/IUCC-CSS.2016.016. Accessed 2021-12-21.
- Voximplant. 2020. "PBX Phone System Guide." Voximplant. Accessed 2021-12-29.
- Dinardi, Gaetano. 2019. "PABX vs. PBX: There’s Only One Difference." Nextiva blog. Accessed 2022-01-03.
- ActivePBX. 2012. "Finding a Top Office Phone System Vendor." ActivePBX. Accessed 2022-01-05.
- Androulidakis, Iosif. 2008. "On an Integrated PBX Infrastructure Security Programme." Advanced Topics in Telecommunication, 61-70, Baltic Conference. Accessed 2021-12-22.
- Direct Inward System Access
- Voice over IP
- Private Branch Exchange
- Session Initiation Protocol
- Network Security
- Ethical Hacking