Tech Talk

PBX System Hacking and Misuse

Many businesses today are still using traditional Private Branch Exchange (PBX) or IP-PBX phone systems, and they do prove to be a great telecom solution given their breadth of functionality and scalability. However, there are risks involved of which it is important to be aware.

A compromised phone system can lead to unwanted calls being targeted directly at end users and can also be extremely costly. Fraudulent or unauthorised calls may result in bills in the region of tens of thousands of pounds, and unfortunately there is often no way to get out of paying them. It is your responsibility to ensure your systems security, whether you do this internally or outsource responsibility to a service provider.


Due to the broad range of possible attacks and misuse, I won’t try and cover every possible scenario – but I will quickly highlight 6 of the most common examples and how you can protect your business.

1. Internally launched hacks

Internal hacks are rarer than remote ones due to the fact the attacker needs direct access to your hardware. This is made difficult by onsite PBXs usually being located in the server / comms room, or in some other area inaccessible to the public.

To avoid this type of hack, make sure your system hardware is located in a secure area where access is tightly managed and monitored.

2.Remotely launched hacks

On older phone systems, remote management often takes place through an ISDN connection. Due to the nature of ISDN, systems are open to connections from any phone number and rely on usernames and passwords for security. Hackers can call into an extensions’ voicemail and then use the default password for access if it hasn’t been changed. In these situations, be sure to create new administrator accounts with new passwords and remove system default ones.

On newer IP phone systems, management tends to take place through a web-based interface accessible via the internet. In these cases, should external remote access be necessary, there is much more scope for securing access. If the system is to be accessed directly on a public IP, it is possible to lockdown the firewall to only allow traffic from specific IP addresses or ranges.

Alternatively, access to the network could be controlled by requiring a VPN prior to reaching the PBX, thus adding a second layer of security. Once again, default accounts and passwords should be rotated or removed.

3.Unsecured SIP extensions

Most IP phone systems either use SIP protocol exclusively, or also use a propriety protocol. SIP extensions are a lightweight protocol and there are numerous soft clients available for both computers and smart phones – but this can cause issues.

SIP has optional security settings which can be configured to require a password when connecting to a PBX, or be limited to having to come from specific IP addresses. However an inexperienced or complacent administrator may fail to implement these.

Inside a secured IT environment it could seem ok to omit these security options, but it would only take a single tech savvy user to install one of these SIP clients on their mobile, start guessing at extension numbers and get lucky. It happens.

The truly dangerous side emerges when firewall ports have been opened either intentionally or by accident, allowing a wider range of possibilities for attackers. They could exploit and create SIP clients outside of your LAN in order to reach the phone system. Once registered, the attacker now has an extension on the system capable of making malicious calls. This is similar to the previously mentioned issues, but now completely bypasses the physical security of your office. In this case you then have a phone attached to your phone system which you have no way to physically locate. To stop the attack, it would require your whole system to be locked down, which for any business is a complete disaster.

4.Unauthorised use of extensions to place long distance or call premium rate calls

This is one of the oldest issues in the book. An unscrupulous person with access to a handset, usually a member of staff working out of hours, using the system for personal calls.

In one more elaborate example I’ve encountered, a staff member would take after hours calls from a friend who wanted to talk to her boyfriend in another country. She would forward her friend on to the boyfriend’s international number, so her employer would end up with the bill for the international calls.

This one can easily be resolved. Most PBX systems have a class of service (COS) system which allows the administrator to restrict the call categories that can be dialled by each extension. It also allows for a day and night mode, so normal service can be provided during the day but out of hours calls can be restricted. Whether that is disallowing specific single numbers, ranges of numbers, or even setting it so that only certain numbers can be dialled at all.

5.Forwarding to external numbers

This is similar to the previous example in that an extension is set to forward to an external number. Sounds innocuous, but if the number(s) the fraudster is calling are scam lines set up with either a premium rate or some sort of connection charge, then the charges you receive will add up very quickly.

As with the previous example, this can be neutralised by restricting the destinations can be dialled with COS, different COS settings can be implemented to prevent unnecessary numbers from being dialled during working hours and to lock the system down further out of working hours.

6.Mobile attacks

While not directly related to PBX hacking or misuse, this is a related issue definitely worth mentioning. Say we have an employee who loses their company mobile phone but doesn’t report it right away. The phone makes it into the hands of someone with an autodialer, which they set up to call high cost numbers. This results in a very large mobile phone bill in no time at all.

In one case I saw this happen to a customer who had been sent to South Africa and lost their company mobile on a Friday afternoon. Between then and Monday morning when they reported the loss, the resulting bill stood at close to £50,000. In recent years new regulations have come into effect within the EU which limits these sorts of issues within the EU but in the rest of world this can still be a real worry but the bill can still be sizeable before any alerts are flagged up.

Even if a mobile handset hasn’t been stolen, users can still innocently use their work phone abroad and rack up significant call charges without realising.

This one can be minimised by good practice in terms of staff reporting a lost or stolen phone as soon as it happens. It would also be advisable to have arrangements in place with the network provider to place caps on the allowable spend per day/week/month in order to mitigate potential costs.

To summarise, I’ll say it once again, never leave a PBX on the default username and password. These details will be common knowledge to other people who work with the same kit and are now often available on the internet through a simple google. Never open your PBX up to the outside world unless you absolutely have to. If you do have to open access, lock down who can talk to it.

For example, if you outsource support of your PBX system to a third party who want to access it through a public IP, ask what IP address or range will they be coming from. Firewalls can restrict inbound traffic unless it is coming from stated addresses.

One last point worth thinking about is what additional fraud protection features do you have access with regards to the phone lines themselves?

On Traditional ISDN trunks there isn’t that much available, daily call levels might get looked at by a member of a provider’s fraud management team however it relies on a human being spotting it. With a small team managing many circuits this isn’t much peace of mind.

The newer technology of SIP trunks can have daily and weekly spend caps and percentage warnings built directly into the technology, these automated systems are always watching and keeping track of the spend as each call ends.

Anything else you can do?

• If you are using SIP trunks ensure that the daily and weekly spend caps are set
• Test the system and security protocols, regularly
• Add extra layers of security where possible
• Set up Class of Service policies to restrict what extensions are capable of dialling and when
• Consider if some sort of more active monitoring, call recording / wallboard may be suitable for your needs

If there is any aspect of your system you are not internally equipped to properly manage then I would strongly recommend you contact a service provider who can advise and manage it for you.

Mother provides telecom services and phone systems to businesses in Aberdeen and across Scotland. If you’d like to learn more about how Mother can help you with any aspect of your phone system, please get in touch.

Andrew Nunn - Systems Engineer

Interested in our services?

Call us now ... we'll be happy to help with your enqury