But how do they do it?
What are the most common methods used by criminally inclined and technically skilled hackers (crackers)?
What happens during a break-in?
To gain access to a telephony system, crackers need the password of the device they are targeting. To obtain it and compromise an IP PBX system, they identify an IP extension on the network and then bombard this device with different passwords in the hope that one of them is correct. This sounds futile, but many users never change their default passwords, and attackers can send thousands of passwords to an extension in a matter of minutes. In many cases, it doesn't take long to guess the right password and log into the IP PBX system. Alternatively, they find vulnerabilities in a system that let them bypass or overwrite the password requirements, or they use phishing methods, e.g. posing as an IT administrator, to obtain passwords.
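From the defender's side, the password bombardment described above shows up as a burst of failed logins against one extension. The following added example (not part of the original article) flags such bursts in a registration log; the log format, the sample lines and the threshold of 5 failures per minute are constructed assumptions, not the output or defaults of any particular PBX.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real PBX's output):
#   <UTC timestamp> REGISTER ext=<extension> src=<ip> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER ext=(?P<ext>\d+) "
    r"src=(?P<src>\S+) result=(?P<res>OK|FAIL)$"
)

def find_guessing(lines, max_failures=5, window=timedelta(minutes=1)):
    """Flag extensions with >= max_failures failed logins inside `window`.

    Failures are counted per extension, not per source address, so guesses
    spread over several addresses still add up. Lines must be time-ordered.
    """
    recent = defaultdict(deque)  # extension -> (time, source) of recent failures
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not registration events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ext, src = m["ext"], m["src"]
        if m["res"] == "FAIL":
            q = recent[ext]
            q.append((ts, src))
            while ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                alert = alerts.setdefault(
                    ext, {"first_alert": ts, "sources": set(), "succeeded": False})
                alert["sources"].update(s for _, s in q)
        elif ext in alerts and src in alerts[ext]["sources"]:
            # A guessing source finally logged in: treat the password as known.
            alerts[ext]["succeeded"] = True
    return alerts

# Constructed sample: six rapid failures on extension 201 followed by a
# success from the same address, and one ordinary mistyped password on 305.
SAMPLE_LOG = [
    f"2024-03-01T02:14:{s:02d}Z REGISTER ext=201 src=203.0.113.7 result=FAIL"
    for s in range(0, 12, 2)
] + [
    "2024-03-01T02:14:12Z REGISTER ext=201 src=203.0.113.7 result=OK",
    "2024-03-01T09:00:01Z REGISTER ext=305 src=192.0.2.10 result=FAIL",
    "2024-03-01T09:00:09Z REGISTER ext=305 src=192.0.2.10 result=OK",
]
```

An alert with `succeeded` set means the extension's password should be considered compromised and changed, not merely that the source should be blocked.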
Unfortunately, the number of threats to networks is increasing, and a cursory search reveals an ominous list of malicious attacks such as
- "Brute Force",
- "Man in the Middle",
- "DDoS" (Distributed Denial of Service) and
- "Spoofing",
all of which pose a serious threat to unsecured communication.
Once a cracker has access to the system, there are many ways to bring down the IP telephone network and potentially deprive the company of large sums of money. One of the most common, and indeed most damaging, attacks involves professional criminals connecting an entire call centre to the compromised network port and rerouting thousands of calls through that one port in a short period of time. Depending on how the IP PBX routes its calls and how regularly the company receives its bills, this activity can go on for months before it is discovered, driving up the phone bill astronomically.
While this is the primary approach for crackers and fraudsters to exploit a poorly protected system, weak passwords and a lack of encryption in an IP PBX infrastructure can also open the door to other types of malicious activity. For example, the computerised structure of IP telephony makes it much easier than with landline phones to surreptitiously record internal conversations. Instead of having to install a physical device, calls can simply be recorded with the right software. Often this type of threat comes from an employee within the company, making it difficult to protect against. If a company is using an unencrypted VoIP protocol, there is no barrier to prevent calls from being recorded. Even if the threat does not come from an employee or from outside groups with an interest in recording a company's phone calls, a Trojan could be used to install the recording tool. It gets even worse if the phone is used to penetrate the company network, and with it the entire server structure, like a burglar entering a house via the basement.