Tuesday, October 06, 2009

Phone Phreaking No Different Today Than Yesterday

Remember when they were called phone phreaks? Maybe I'm dating myself, but that was back in the 70s (maybe earlier?), when they used different colored home-made toys called blue, black and red boxes.

Those were the tools of yesteryear pre-dating electronic switching, when data and computer commands ran on the same voice lines.

Well, they're back and actually doing better. In fact, I think, they never really went away. But now with the growth of phone service over the Internet, like VoIP, they can use a lot of the same tools and techniques for hacking phone services, as they can for cracking the Internet.

Also, unlike the phreaks of the past, who did it for fun, now they're organized into multinational syndicates stealing phone services on one country and diverting it -- for a fee of course -- to homesick immigrants in other countries wanting discounts on their international calls, according to this Network World article.

There are four weaknesses in phone configurations that trip up IT managers:

  1. Weak user authentication and access control -- Companies often don't extend the same protections, like two-factor authentication, to their VoIP phone networks.
  2. Relying only on session border controllers and media gateways for security -- During the handoff between networks and SIP trunks running phone services, application level security is needed to protect from phone attacks.
  3. Inadequate virtual LAN separation and control -- The use of Virtual LANs (VLANs) to logically separate voice and data traffic isn't adequate to prevent an attacker from breaching the VLAN.
  4. Inadequate use of encryption -- What else is new? This is simply not encrypting traffic over internal networks. Even if encrypted over public networks, when it enters the company networks, it still needs to be protected.


Anonymous Penetration Testing said...

The funny thing is most organisations don't think the threat is real, they see a phone as a commodity you plug in and use - not something that needs to be secured. Most organisations only take notice when their bill patterns suddently change erratically.

6:41 PM  

Post a Comment

<< Home