Toll-free PBX hack highlights need for code auditing

"What this case shows is that, although the PBX supplier may have verified the security of the front line telephony interface on its PBX systems software, the hackers were able to break in via the side door effectively offered by the toll-free number," said Richard Kirk, Fortify's director.

"This is because a growing number of toll-free service providers support access to the direct dial inwards numbers seen on the PBX systems of small-to-mid-sized enterprises," he added.

And, said Kirk, since these DDI numbers are mapped directly on to PBX extensions, the security level on this side door method of access is often a lot lower than on the front door, the firm's main telephone number.

Of course, he explained, what makes matters worse about this hack is that the firm ended up paying for the hackers' incoming calls to its toll-free number, as well as the subsequent calls to foreign destinations.

According to Kirk, the case proves that hackers can - and will - exploit the weakest link in the security of any public-facing computer system, whether that system is internet-facing or telephone-network-facing.

"It's therefore vitally important for any code developers working on such a system, whether it's PBX systems software, or an e-commerce application, to secure the side door entrances, as well as the front entrance," the Fortify director said.

"Just because the side door is not directly accessible at the moment, does not mean it won't become accessible at some time in the future, as new features and services are added to the software. Code auditing requires the use of lateral thinking in this regard," he added.