The following two articles describe cases where a library and then a FEMA VoIP PBX system were hacked, resulting in at least $15,000 and $12,000 of toll charges:
http://www.boston.com/news/local/articles/2008/07/27/library_phone_system_hacked/
http://news.yahoo.com/s/ap/20080820/ap_on_go_ca_st_pe/fema_phones_hacked
A couple of things strike me here. First, I haven't found exact details describing how the systems were hacked. The articles indicate it was through poorly configured DISA, perhaps through weak passwords. For those unfamiliar with DISA, it is a service, often integrated with voice mail, that allows a caller to generate an outbound call. If DISA is not secured properly, with good passwords and class restrictions that prevent international calls, a hacker can call in and "hair pin" a new outbound call. There is nothing new about this attack; it has been possible in TDM systems for many years and, as we are probably seeing here, doesn't go away with VoIP.
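The hair-pin pattern described above leaves a trace in the PBX's call detail records: a call that arrives on an inbound trunk, authenticates to DISA, and produces an outbound leg. The following script is an added example (not code from the original post or from SecureLogix) that scans constructed CDR lines for the signs a defender would watch for: DISA-originated international or premium-rate calls, after-hours DISA use, and bursts of DISA calls from one caller. The CDR field layout, the business-hours window and the sample lines are all assumptions made for this example; a real PBX exports a different format, and the dialing prefixes shown are North American.

```python
"""Toll-fraud detection over hair-pinned DISA calls (constructed example)."""
from collections import Counter
from datetime import datetime

# Constructed sample CDR lines (not from any real PBX). Fields:
# timestamp | inbound_trunk | caller_id | feature | dialed_number | duration_s
# "-" in inbound_trunk means the call originated from an internal station.
SAMPLE_CDR = """\
2008-07-26T02:14:05|T1-01|+12125550101|DISA|011442071234567|612
2008-07-26T02:16:40|T1-01|+12125550101|DISA|011442071234568|588
2008-07-26T02:19:02|T1-01|+12125550101|DISA|011442071234569|601
2008-07-26T09:30:11|T1-02|+12125550199|DISA|12105550123|45
2008-07-26T10:05:00|-|x2301|STATION|12105550100|120
2008-07-26T14:22:33|T1-01|+12125550150|DISA|19005550177|300
"""

BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local; assumption for this example
INTL_PREFIX = "011"                 # NANP international dialing prefix
PREMIUM_PREFIXES = ("1900", "1976")  # NANP premium-rate prefixes


def parse_cdr(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, trunk, caller, feature, dialed, dur = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "trunk": trunk, "caller": caller, "feature": feature,
            "dialed": dialed, "duration": int(dur),
        })
    return records


def is_hairpin(rec):
    """A hair-pinned call arrives on an inbound trunk and goes out again via DISA."""
    return rec["feature"] == "DISA" and rec["trunk"] != "-"


def flag_reasons(rec):
    """Return the list of reasons a single record looks like toll fraud."""
    reasons = []
    if not is_hairpin(rec):
        return reasons
    if rec["dialed"].startswith(INTL_PREFIX):
        reasons.append("international via DISA")
    if rec["dialed"].startswith(PREMIUM_PREFIXES):
        reasons.append("premium-rate via DISA")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("after-hours DISA")
    return reasons


def analyze(text, burst_threshold=3):
    """Return (time, caller, dialed, reason) alerts for a block of CDR text."""
    records = parse_cdr(text)
    alerts = []
    for rec in records:
        for reason in flag_reasons(rec):
            alerts.append((rec["ts"].isoformat(), rec["caller"], rec["dialed"], reason))
    # Burst rule: the same caller ID hair-pinning repeatedly within one clock hour
    buckets = Counter(
        (rec["caller"], rec["ts"].strftime("%Y-%m-%dT%H"))
        for rec in records if is_hairpin(rec)
    )
    for (caller, hour), n in buckets.items():
        if n >= burst_threshold:
            alerts.append((hour, caller, "*", f"{n} DISA calls in one hour"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CDR):
        print(" | ".join(alert))
```

The per-record rules are what a class-of-service restriction on the DISA class would have blocked outright; the burst rule catches abuse that slips past a permissive dialing plan. Feeding real CDR exports into this kind of check nightly is cheap compared with the toll bills in the two articles.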
Even if the hack wasn't through DISA, the attacks do show that application security issues, like toll fraud, still occur. Plus, they occur much, much more frequently than VoIP-specific attacks. Yes, there are many possible vulnerabilities in modern IP PBX systems, but published exploits don't exist for a lot of them, and even for the ones that do, they just aren't being abused yet.
At least for now, it makes a lot more sense to address issues like toll fraud first rather than focus on theoretical threats that just haven't materialized yet. If anyone is interested in toll fraud mitigation, see my company's web site at www.securelogix.com.