Most PBX systems have an adjunct server or two, providing voice messaging or call center functionality that isn’t part of the core PBX switching capabilities. The larger and more complex a network gets, the more demanding traffic becomes to the underlying hardware. Given the modularity of voice networks, we can offload some of this functionality to other hardware that can be set to handle a specific task, rather than attempt to do everything itself. Of course, this also complicates the overall security model, so make sure you know how this offloading impacts security.
Voice Messaging
It’s hard to remember that voicemail was once a completely optional capability for PBX systems, but it’s still implemented as a separate server by most vendors using analog, digital, or IP trunks to integrate with the PBX. Some settings on that voice messaging server can open the door to fraud and abuse, so be sure to follow manufacturer recommendations for security—especially when it comes to changing default administrator passwords! Are mailboxes using strong enough PINs? Are old mailboxes closed down? Make sure you can answer these questions.
Notes from the Underground
Voice Messaging: Swiss Army Knife for Hackers?
Voice messaging is not without its share of security considerations, though. Many vendors ship voicemail systems with default passwords installed, which some users opt to never change. These passwords are often as simple as the number of the voice mailbox itself, or a simple string of numbers like 12345. Hackers love it when it’s this easy to get in. But that’s only the beginning when it comes to security attacks you may need to protect against within your voice messaging systems. Here are a few other scenarios:
- When attackers gain control over a compromised PBX system that supports DID and voicemail, they might change the outbound greeting to something like “Hello? Yes, yes, that’s fine.” or just “Yes (pause) yes (pause) yes.” They then call that number collect, and the operator hears what appears to be someone more than willing to accept the charges! Some PBX and voicemail systems send a special tone when a line is forwarded to voicemail, which may discourage this tactic since a savvy operator would recognize the tone. Does your organization know what’s happening with old or unused mailboxes?
- Another security issue can arise when mobile phone providers offer voicemail to their subscribers but don’t require a password to access messages when the voicemail server receives the subscriber’s ANI (indicating that the subscriber is calling from the mobile phone associated with that mailbox). By offering their users the “convenience” of quick access to their messages, these carriers may be opening the door to eavesdropping through ANI spoofing unless they have other means of verifying the origin of a given call.
- Eavesdropping on potentially confidential messages is certainly a threat, but an attacker may also hijack phone calls intended for a victim. This can be done by changing the victim’s outbound greeting to say “Hi, this is Corey. Please call me at my new number at ” followed by a number the attacker controls, performing a man-in-the-middle attack on the intended recipient.
- Another successful social engineering technique involves leaving messages within a voicemail system requesting passwords (for “testing” or “administrative purposes”) on another internal extension, lulling the victim into believing that the attacker is a legitimate employee at the target company.
- The latest voice-messaging systems can be used to read e-mail using text-to-speech. Attackers know that a PIN for the voice messaging system is easy to guess, and this may be the easiest way for them to get to an email system.
- And don’t forget toll fraud that can happen through out-dial capabilities on voicemail systems. Consider turning off this feature if it isn’t needed in your organization. Associated risks can also be mitigated through carefully crafted PBX dial policy.
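The two mailbox questions raised above (are PINs strong enough, and are old mailboxes closed down?) can be turned into a routine audit. The script below is an added example, not the book’s or any vendor’s code; it assumes a mailbox export in a constructed CSV layout (mailbox, pin, last_login), and the PIN length, staleness threshold and default-PIN list are assumed local policy values.

```python
import csv
import io
from datetime import date

COMMON_DEFAULTS = {"0000", "1111", "1234", "12345", "123456"}  # extend from vendor docs
MIN_PIN_LEN = 6                # assumed local policy
STALE_DAYS = 90                # assumed local policy for unused mailboxes
AS_OF = date(2024, 5, 10)      # constructed audit date for the sample below

def is_sequential(pin):
    """True for runs such as 1234 or 4321 (every step is +1 or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def pin_findings(mailbox, pin):
    """Return the reasons a mailbox PIN is weak; an empty list means it passed."""
    if not pin.isdigit():
        return ["not numeric"]
    reasons = []
    if len(pin) < MIN_PIN_LEN:
        reasons.append("too short")
    if pin in COMMON_DEFAULTS:
        reasons.append("common default")
    if pin in (mailbox, mailbox[::-1]):   # PIN is the extension, forwards or backwards
        reasons.append("matches mailbox number")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if is_sequential(pin):
        reasons.append("sequential")
    return reasons

def audit(csv_text, today):
    """Map mailbox -> findings for weak PINs and mailboxes unused for STALE_DAYS."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = pin_findings(row["mailbox"], row["pin"])
        if (today - date.fromisoformat(row["last_login"])).days > STALE_DAYS:
            reasons.append("stale mailbox")
        if reasons:
            report[row["mailbox"]] = reasons
    return report

# Constructed sample export (mailbox, PIN, last login); not real data.
SAMPLE = """mailbox,pin,last_login
4101,4101,2024-05-01
4102,12345,2024-05-02
4103,739162,2023-11-15
4104,826514,2024-05-03
"""
```

Calling `audit(SAMPLE, AS_OF)` returns the findings keyed by mailbox; only the fourth sample mailbox comes back clean.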
Interactive Voice Response Servers
Perhaps you first ran into an IVR when you noticed an incorrect charge on your phone bill and decided to speak with a customer service representative to clear things up. But when you dialed the toll-free number on the bill, you were greeted with a labyrinth of options allegedly there to help you self-navigate to the appropriate agent. This maze of menus is brought to you by an Interactive Voice Response (IVR) system. An IVR is a series of recorded greetings and logic flows that give a caller a way to route through the phone system as a means of convenience. Personal feelings about speaking with a recorded voice aside, IVRs are actually a pretty clever way of providing a caller with speedy call placement, taking much of the burden away from agents or operators.
Today’s latest-generation IVR systems are built on VoiceXML interpreters, and may have sophisticated development environments. IVR security is a largely unexplored topic since each IVR system is like a unique application, but we occasionally hear about poorly written IVR applications that are insecure or not sufficiently robust.