If you're not looking after your PBX, maybe this guy is.

I was getting caught up with the industry news over the weekend when I came across this post from Tom Keating about his Asterisk phone system getting hacked.  Asterisk is an amazing tool for people who want to do anything with telephony; my CTO calls it the Swiss Army Knife of VoIP products.  Along with all that customization and capability comes the possibility of a system administration nightmare.

If you are a small business that was sold an on-premise Asterisk system to run your business phone system, it’s important to remember that it needs attention.  It’s not something you can stick in the closet and forget about.  There are upgrades and security patches to install, along with log files to check for fraud.  Running your own Asterisk server might expose you to unplanned risk if you’re not careful.  Unsecured Asterisk servers are a target for fraudsters because they know how to terminate calls to areas of the world where they can make money from the call.  Our infrastructure gets scanned on a regular basis for vulnerabilities, and we don’t even run the free open-source Asterisk software that the scanners are likely looking for.

Hacking phone systems (or phreaking, as it is known) has become so popular that it has its own Wikipedia page.

This Wired article about a Canadian computer security firm is a bit dated, but the information is still relevant today, and it goes to show that even security experts often overlook the phone system as a possible loss risk.  I’ve read numerous times over the years about unsuspecting companies that received bills of $10,000, $50,000 and even $100,000 and more after a hacker gained access and was able to terminate calls to places like Africa and Eastern Europe undetected.  The longer this goes on without your knowledge, the larger the bill you will receive from the telephone company.  Some are smart and will place calls slowly over a long period of time so that they don’t trigger any alarm bells.

With Versature’s managed service, customers are protected from toll fraud in a number of ways:

  • We restrict calls to high-cost areas, and areas that are known for fraud, unless the customer decides to allow their staff to call those areas.
  • We audit our system on a regular basis, looking for easily cracked passwords and provisioning mistakes that might lead to our system being compromised.
  • We restrict the number of calls per extension, which would slow down a hacker who somehow gained access.
  • We monitor all activity on our hosted service and automatically look for fraud patterns, even (and especially) over the weekend, when this type of activity seems to be the most popular.
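To show what the destination restriction, per-extension call cap and off-hours monitoring from the list above look like when run over call detail records, here is an added example (written for this post, not Versature's code) that checks a few constructed CDR lines against hypothetical policy values; the prefixes, limits and allow list are assumptions, not the numbers Versature uses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed CDR lines (extension, dialled number, start time, seconds); not real traffic.
SAMPLE_CDRS = """\
101,+16135550101,2023-06-10T09:12:00,120
101,+2519155501,2023-06-10T23:40:00,610
101,+2519155502,2023-06-10T23:52:00,590
101,+2519155503,2023-06-10T23:58:00,630
202,+3556955500,2023-06-12T10:10:00,45
303,+3826955500,2023-06-12T14:00:00,300
"""

# Hypothetical policy values; a real deployment takes these from carrier rate tables
# and the customer's own allow list.
HIGH_COST_PREFIXES = ("+251", "+355", "+382", "+53")   # destinations blocked by default
ALLOWED_INTERNATIONAL = {"202"}                         # extensions the customer opened up
CALLS_PER_HOUR_LIMIT = 2                                # per-extension rate cap
BUSINESS_HOURS = range(7, 19)


def parse_cdrs(text):
    """Split the CSV-style CDR text into (ext, number, datetime, seconds) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ext, number, start, secs = line.split(",")
        rows.append((ext, number, datetime.fromisoformat(start), int(secs)))
    return rows


def detect_toll_fraud(cdr_text):
    """Return one alert per suspicious call: (ext, number, start, [reasons])."""
    alerts = []
    per_hour = defaultdict(int)
    for ext, number, start, _secs in parse_cdrs(cdr_text):
        reasons = []
        # Destination restriction: high-cost area and the extension is not allowed there.
        if number.startswith(HIGH_COST_PREFIXES) and ext not in ALLOWED_INTERNATIONAL:
            reasons.append("high_cost_destination")
        # Per-extension rate cap, counted per calendar hour.
        key = (ext, start.strftime("%Y-%m-%dT%H"))
        per_hour[key] += 1
        if per_hour[key] > CALLS_PER_HOUR_LIMIT:
            reasons.append("rate_limit_exceeded")
        # Weekend or out-of-hours activity raises the priority of an existing finding.
        if reasons and (start.weekday() >= 5 or start.hour not in BUSINESS_HOURS):
            reasons.append("off_hours")
        if reasons:
            alerts.append((ext, number, start.isoformat(), reasons))
    return alerts
```

On the sample data, extension 101's late-Saturday burst to a blocked prefix produces three alerts, the third also tripping the hourly cap, while extension 202's call passes because it is on the allow list.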

In conclusion, Tom’s experience with Asterisk is not unique.  Being in the industry, I know that there are many incidents of office phone system hacking that result in a loss for the company and go unreported.  If you are running your own phone system, stay vigilant, or outsource it to a company like Versature that has the resources in place to combat this type of activity.