By Richard Kuhn
Hacker attacks on computer networks are well known, but Private Branch Exchange (PBX) telephone systems are also vulnerable. In one case, a hacker penetrated the PBX operated by a hospital in Escondido, California. For nearly two years, on various occasions, he blocked calls to and from the hospital, connected hospital operators to spurious numbers (including the county jail), and placed bogus emergency calls that appeared to come from inside the hospital.
Unfortunately, the hospital's experience is not unique. Failure to secure a PBX can expose an organization to toll fraud; theft of proprietary, personal, and confidential information; loss of revenue; or legal entanglements. Depending on how the organization's network is configured and administered, information leading to intrusions of data networks may be compromised as well. A PBX is a sophisticated computer-based switch that can be thought of as a small, in-house phone company for the organization that operates it. Protecting the PBX is thus a high priority. This bulletin introduces some of the vulnerabilities of PBX switches and describes countermeasures that can be used to increase the security of your PBX. For a more detailed treatment of these issues, see NIST Special Publication (SP) 800-24, PBX Vulnerability Analysis (see http://csrc.nist.gov/publications/nistpubs).
Digital PBXs are widespread throughout government and industry, having replaced their analog predecessors. Today, even the most basic PBX systems have a wide range of capabilities that were previously available only in large-scale switches. These new features have opened up many new opportunities for an adversary to attempt to exploit the PBX, mostly by using the features for a purpose that was never intended. The threats to PBX telephone systems are many, depending on the goals of attackers. Threats include:
PBXs are sophisticated computer systems, and many of the threats and vulnerabilities associated with operating systems are shared by PBXs. There are two important ways, however, in which PBX security is different from conventional operating system security:
Maintenance procedures are among the most commonly exploited functions in networked systems. The problem is even more acute with PBXs because PBX maintenance frequently requires the involvement of outside personnel. Ways in which an adversary could exploit vulnerabilities in maintenance features to gain unwanted access to the switch follow.
Special Manufacturer Features
There may be features that the manufacturer relies on in the event a customer's PBX becomes disabled to such a point that on-site maintenance personnel cannot resolve the problems. The manufacturer could instruct the maintenance personnel to configure and connect a modem to the maintenance port. The manufacturer may then be able to dial in and use certain special features to resolve the problems without sending a representative to the customer's location. The potential cost savings is a primary reason for adding such special features. A switch manufacturer would not want the special features to be well known because of their potential for misuse. These types of features may be accessible via login IDs and passwords held privately by the manufacturer. Some possible special features are listed below:
Dial-Back Modem Vulnerabilities
Unattended remote access to a switch clearly represents a vulnerability. Many organizations have employed dial-back modems to control access to remote maintenance facilities. This access control method works by identifying the incoming call, disconnecting the circuit, and dialing the identified person or computer at a predetermined telephone number. Although helpful, this form of access control is weak because methods of defeating many dial-back modems are well known.
Administrative databases represent "the keys to the kingdom" for a PBX. Among the most critical security tasks for PBX owners are controlling administration of the PBX, the creation and modification of its user databases, and the operating software that controls the switch.
Most PBXs grant administrative access to the system database through an Attendant Console or a generic dumb terminal. Username/password combinations are often used to protect the system from unwanted changes to the database. If remote access to the maintenance features is available, some form of password protection usually restricts it. There may be a single fixed maintenance account, multiple fixed maintenance accounts, or general user-defined maintenance accounts. The documentation provided with the PBX should state what type of maintenance access is available.
Passwords may also be set to factory default values that can be changed by the user. Default values are typically published in the documentation provided with the PBX. If there are multiple maintenance accounts and maintenance personnel use only one, the others may remain at their published factory settings. Anyone who knew the factory default settings could then gain access to the switch.
Physical access to the PBX hardware grants access to the software, the configuration database, and all calls going in and out of the PBX. With access to the PBX, an adversary could exploit practically any conceivable vulnerability.
The type of media on which the software and databases are stored is important to a PBX's physical security. If these are stored on ROM-type devices or on an internal hard disk, it is more difficult to gain access to them than if they are stored on floppy disks or CD-ROM. ROM devices are mounted on circuit boards and may be soldered rather than socketed, making removal and replacement difficult. Likewise, an internal hard disk is probably mounted internally and bolted to the chassis, making removal and replacement difficult. However, floppy disks are easily removable and replaceable. An adversary with access to the floppy disks could easily conceal a disk containing modified software/databases, gain access to the PBX, and replace the original disk with the modified disk. Similarly, CD-ROMs can be easily removed and replaced. Since equipment for creating CD-ROMs is readily available, an adversary may find it equally easy to copy and modify a CD-ROM-based system.
If the PBX supports configuration and maintenance via a dumb terminal, the terminal may be located near the PBX. If the terminal is not kept at the same location as the PBX, the terminal port is still present on the switch and could be used by an adversary with a PC acting as a terminal.
Some PBXs may be configured as a central system unit with peripheral units at remote locations. The remote peripheral units may also support configuration/maintenance via a dumb terminal and therefore have the same vulnerabilities as the system unit's terminal. Also, all calls routed through a particular peripheral unit are accessible to someone with physical access to the peripheral unit.
Attendant Consoles may offer access to PBX maintenance and configuration software. Special features may also be available to Attendant Consoles such as Override, Forwarding, and Conferencing. If any of these features are available to the user of an Attendant Console, physical access to it should be restricted to prevent giving an adversary access to these features.
Most PBXs have an attached system printer. Various information may be output to the printer including source and destination of calls that are made or received (possibly every call), access codes used to access certain features, account or authorization codes used for making special calls, etc. Access to these printouts could provide information enabling toll fraud or other compromises.
A very useful but potentially vulnerable feature of many PBXs is remote administrative access. The PBX may allow an administrator to make changes to the system configuration database through an Attendant Console or from a terminal that is not physically located near the PBX, perhaps over a dial-in line with a modem.
Remote Access via an Attendant Console
The degree of the vulnerability created by remote access via an Attendant Console is determined by several factors: password access, physical connection of the Attendant Console to the PBX, and availability of administrative features through the Attendant Console.
Remote Access via a Terminal
If a standard dumb terminal can be used for access to the administrative features, more opportunities become available for an adversary to gain unwanted access. A modem could be connected to a terminal port and an outside dial-in line, allowing easy access for the PBX administrator to do remote configuration and maintenance. Unfortunately, it also gives easy remote access to an adversary. When remote access is set up in this manner, a poor password protection system, the existence of "backdoors" (e.g., a special key sequence that bypasses required authorization levels), or the use of easy-to-guess passwords seriously undermines the security of the system.
Software Loading and Update Tampering
When software is initially loaded onto a PBX and when any software updates/patches are loaded, the PBX is particularly vulnerable to software tampering. An adversary could intercept a software update sent to a PBX administrator. The update could be modified to allow special access or special features to the adversary. The modified update would then be sent to the PBX administrator who would install the update and unknowingly give the adversary unwanted access to the PBX.
An adversary may be able to exploit vulnerabilities in a system's features and the way in which features can interact. As with many aspects of information technology, the proliferation of features that make PBXs easy to configure and use has led to an expansion of vulnerabilities. Many of these are inherent in the features themselves or arise out of feature interactions, making them difficult to avoid. This discussion illustrates some of these vulnerabilities so that administrators will be able to weigh the risks of features against their benefits.
Attendant Console
Attendant Consoles typically have more function keys and a larger alphanumeric display than standard instruments to support the extra features available to the Attendant Console. The Attendant Console may be used for access to maintenance and administrative functions, but there are potential vulnerabilities of the Attendant Console with respect to maintenance and administration. Some typical features available with an Attendant Console are Override, Forwarding, and Conferencing.
Attendant Override
Attendant Override is intended to allow the Attendant to break into a busy line to inform a user of an important incoming call. An adversary with access to an Attendant Console could use this feature to eavesdrop on conversations. The PBX should provide for some protection against such uses of Override by providing visual and/or audible warnings that an Override is in progress.
Attendant Forwarding
A common feature granted to the Attendant is the ability to control forwarding of other instruments. An adversary with access to the Attendant Console could use this feature to forward any instrument's incoming calls to a long-distance number. The adversary could then call the target instrument from outside and be forwarded to the long-distance number, obtaining long-distance service that is billed to the organization.
Attendant Conferencing
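The forwarding fraud above is a feature-interaction problem: the call the attacker places is a permitted inbound call, and the long-distance leg is created by the forward. The following is an added example, not code from the bulletin or from SP 800-24, modelling that interaction in Python. The extension numbers, Class of Service names, simplified dial-plan rule and routing policy are all constructed for illustration; it shows the vulnerable behaviour (the forwarded leg is never screened) beside the hardened one (the forwarded leg is screened with the forwarding instrument's Class of Service, and trunk-to-trunk forwarding is refused by default).

```python
"""Call forwarding screened by Class of Service (COS).

Added example, not from the NIST bulletin or SP 800-24. The extension numbers,
COS names, dial-plan rule and routing policy below are constructed for
illustration; real PBXs implement these checks in vendor-specific ways.
"""


class CallBlocked(Exception):
    """Raised when a call leg is refused by policy."""


class Pbx:
    # COS -> route classes an instrument may use for an outgoing leg (assumed)
    COS_ROUTES = {
        "restricted": {"internal"},
        "local": {"internal", "local"},
        "unrestricted": {"internal", "local", "long_distance"},
    }

    def __init__(self, trunk_to_trunk=False):
        # Assumed safe default: a call arriving from outside may not be forwarded back out.
        self.trunk_to_trunk = trunk_to_trunk
        self.extensions = {}   # extension -> COS
        self.forwarding = {}   # extension -> forward target (extension or external number)

    def add_extension(self, ext, cos):
        self.extensions[ext] = cos

    @staticmethod
    def route_class(dest):
        """Classify a dialed string under a simplified North American dial plan."""
        if dest.startswith("x"):
            return "internal"
        if dest.startswith("1") and len(dest) == 11:   # 1 + NPA + NXX + XXXX
            return "long_distance"
        return "local"

    def set_forward(self, ext, dest, check_cos=True):
        """Program forwarding for ext. check_cos=False models the vulnerable case in
        which the attendant can point any instrument at any number unchecked."""
        if check_cos and self.route_class(dest) not in self.COS_ROUTES[self.extensions[ext]]:
            raise CallBlocked(f"{ext} ({self.extensions[ext]} COS) may not forward to {dest}")
        self.forwarding[ext] = dest

    def route(self, caller, dialed, screen_forwarded_leg=True):
        """Follow forwarding from the dialed extension and return the final destination.
        caller is an extension, or "trunk" for a call arriving from outside."""
        dest, seen = dialed, set()
        while dest in self.forwarding:
            if dest in seen:
                raise CallBlocked("forwarding loop")
            seen.add(dest)
            nxt = self.forwarding[dest]
            cls = self.route_class(nxt)
            if screen_forwarded_leg and cls != "internal":
                # The forwarded leg is an outgoing call: screen it with the COS of the
                # forwarding instrument, and refuse trunk-to-trunk unless enabled.
                if caller == "trunk" and not self.trunk_to_trunk:
                    raise CallBlocked("trunk-to-trunk forwarding disabled")
                if cls not in self.COS_ROUTES[self.extensions[dest]]:
                    raise CallBlocked(f"{dest} COS does not permit {cls}")
            dest = nxt
        return dest


def safe_route(pbx, caller, dialed, screen_forwarded_leg=True):
    """Return the final destination, or None if policy blocked the call."""
    try:
        return pbx.route(caller, dialed, screen_forwarded_leg)
    except CallBlocked:
        return None


def demo():
    """Vulnerable and hardened handling of the same forwarding fraud."""
    pbx = Pbx()
    pbx.add_extension("x2314", "restricted")
    # Attacker at the Attendant Console forwards a restricted extension to a
    # long-distance number; the vulnerable PBX accepts it unchecked.
    pbx.set_forward("x2314", "12125550100", check_cos=False)
    # Attacker then dials x2314 from outside. Unscreened forwarding completes the
    # long-distance leg on the organization's trunk.
    vulnerable = safe_route(pbx, "trunk", "x2314", screen_forwarded_leg=False)
    # Same configuration with the forwarded leg screened: the call is refused.
    hardened = safe_route(pbx, "trunk", "x2314")
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())   # ('12125550100', None)
```

The point of the model is where the check sits: screening only the leg the caller dialed (an internal extension) lets the forward create an unscreened outbound leg. Screening the forwarded leg against the forwarding instrument's COS, and refusing trunk-to-trunk forwarding unless it is deliberately enabled, closes the hole even when the attendant has programmed the forward.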
Attendants may also have the ability to initiate a conference or join into an existing conference. If this feature is available, the potential exists for an adversary logged in as an attendant to eavesdrop on a conversation or add an additional party to a conference without the knowledge of the other parties.
Automatic Call Distribution (ACD)
ACD allows a PBX to be configured so that incoming calls are distributed to the next available agent (e.g., reservation clerk) or placed on hold until an agent becomes available. Agents may be grouped together with each group having a supervisor. The group of supervisors may then even have a higher-level supervisor. The number of supervisors and number of levels of supervisors is dependent on the type of PBX being used.
Most ACD systems grant a supervisor the ability to monitor the calls of the group they supervise. Because of this feature, ACD systems are a potential vulnerability for the users of the PBX. If an adversary could gain access to the configuration tools or the system database, he could become an ACD supervisor and set up an ACD group, then monitor the calls of any user placed in that group.
Account Codes/Authorization Codes
Account Codes are normally used for tracking calls made by certain people or projects so that bills can be charged appropriately. For example, a user may be required to enter an Account Code prior to placing a long-distance call. Depending on the configuration of the PBX, the Account Code may have to be on a list of approved codes for the call to be successful. If this is the case, the Account Code may be considered an Authorization Code because the user must dial a specific Account Code that is authorized for making long-distance calls.
Another important use for Authorization Codes is Dial In System Access (DISA). DISA typically allows a user to dial in to the PBX system from an outside line and gain access to the normal features of the PBX, almost as if they were a subscriber on the PBX instead of an outside caller. This feature is typically used to allow employees to make long-distance calls from the corporate PBX while out of the office by dialing in to the switch, then entering a code to make long-distance calls. It is easily abused by anyone who obtains the authorization code, possibly leading to large fraudulent long-distance charges.
Certain Account Codes may also be allocated for changing a user's Class of Service (COS). When the COS is changed, the user may have access to a different set of features. For example, most instruments may be assigned a COS that does not permit the use of an Override feature, but a special COS that is only accessible by using an Account Code may be created that does permit the use of Override. By using the Account Code, an adversary could then gain access to the Override feature.
Since the Account Codes are used for billing, there are records kept of the calls that are made for the various Account Codes. These records generally include the source, destination, Account Code, and time/date of the call. The records may be stored as files on one of the system's disks or they may be printed out on a system printer. If the records are printed, an adversary who is able to gain access to the printer will have access not only to traffic information, but also to the printed Account Codes. Once the codes are known, the adversary will be able to use the codes for toll fraud, additional feature access, etc.
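The same billing records that leak codes to an adversary are the best evidence an administrator has of DISA and authorization-code abuse. The following is an added example, not from the bulletin or from SP 800-24, that runs simple detection logic over call detail records in Python. The pipe-delimited record layout, the sample lines, the "DISA:" origin marker and the thresholds are all constructed; real switches emit vendor-specific CDR formats, so the parser would have to be adapted. It flags three patterns from the text: completed international calls after hours, one authorization code used through DISA from several different outside callers, and a burst of rejected code attempts from a single outside number (code guessing).

```python
"""Toll-fraud indicators from PBX call detail records (CDR).

Added example, not from the NIST bulletin or SP 800-24. The pipe-delimited CDR
layout, the record lines and the thresholds are constructed for illustration;
real switches emit vendor-specific formats.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed CDR: timestamp|origin|destination|account or authorization code|result.
# An origin of "DISA:<caller-id>" marks a call that entered through Dial In System Access.
SAMPLE_CDR = """\
2000-03-06 09:12:04|x2314|5551230|ACCT4417|OK
2000-03-06 22:41:10|DISA:3125550111|011442071234567|ACCT4417|OK
2000-03-06 22:43:55|DISA:2135550199|011442071234568|ACCT4417|OK
2000-03-06 22:44:30|DISA:7025550123|011442071234569|ACCT4417|OK
2000-03-06 23:02:17|DISA:7025550123|5559876|ACCT0001|DENIED
2000-03-06 23:02:20|DISA:7025550123|5559876|ACCT0002|DENIED
2000-03-06 23:02:23|DISA:7025550123|5559876|ACCT0003|DENIED
2000-03-06 23:02:26|DISA:7025550123|5559876|ACCT0004|DENIED
2000-03-06 23:02:29|DISA:7025550123|5559876|ACCT0005|DENIED
2000-03-06 23:02:32|DISA:7025550123|5559876|ACCT0006|DENIED
2000-03-07 10:15:00|x2201|5552222|ACCT9001|OK
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working day
MAX_DISA_CALLERS_PER_CODE = 2               # assumed: a code used by more callers is shared or stolen
MAX_DENIED_PER_CALLER = 5                   # assumed: more failures than this looks like code guessing


def parse_cdr(text):
    """Parse the constructed CDR format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, origin, dest, code, result = line.split("|")
        records.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "origin": origin,
            "dest": dest,
            "code": code,
            "result": result,
            "disa": origin.startswith("DISA:"),
        })
    return records


def is_international(dest):
    """North American dial plan: the 011 prefix selects an international route."""
    return dest.startswith("011")


def after_hours(when):
    start, end = BUSINESS_HOURS
    return not (start <= when.time() <= end)


def analyze_cdr(text):
    """Return (indicator, subject, count) findings for three fraud patterns."""
    records = parse_cdr(text)
    intl_after_hours = defaultdict(int)   # code -> completed international calls after hours
    callers_per_code = defaultdict(set)   # code -> distinct outside callers using it via DISA
    denied_per_caller = defaultdict(int)  # outside caller -> rejected code attempts
    for r in records:
        if r["result"] == "OK" and is_international(r["dest"]) and after_hours(r["when"]):
            intl_after_hours[r["code"]] += 1
        if r["disa"] and r["result"] == "OK":
            callers_per_code[r["code"]].add(r["origin"])
        if r["disa"] and r["result"] == "DENIED":
            denied_per_caller[r["origin"]] += 1

    findings = []
    for code, n in intl_after_hours.items():
        findings.append(("after_hours_international", code, n))
    for code, callers in callers_per_code.items():
        if len(callers) > MAX_DISA_CALLERS_PER_CODE:
            findings.append(("shared_auth_code", code, len(callers)))
    for caller, n in denied_per_caller.items():
        if n >= MAX_DENIED_PER_CALLER:
            findings.append(("auth_code_guessing", caller, n))
    return findings


if __name__ == "__main__":
    for finding in analyze_cdr(SAMPLE_CDR):
        print(*finding)
```

On the constructed sample the analysis reports all three patterns against the one code ACCT4417 and the one outside number that guessed codes. Note that the records being analyzed contain the codes themselves, which is the bulletin's point: wherever the CDR is written or printed, it needs the same access control as the switch administration terminal.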
An Override or Intrude feature is common to many PBXs. Due to its potential vulnerability, it is commonly selectable as a feature that can be allowed/disallowed on a single instrument or a group of instruments. Override is intended to allow one user (perhaps a supervisor) to break into a busy line to inform another user (perhaps a subordinate) of an important message. This feature could be used by an adversary with access to any instrument permitted to use the Override feature to eavesdrop on conversations. The PBX should provide for some protection against such uses of Override by providing visual and/or audible warnings that an Override is in progress.
In addition to the major diagnostic features available at a maintenance terminal or Attendant Console, many PBXs provide diagnostics that can be initiated from any instrument. These diagnostic features may permit a user to make connections through the PBX by bypassing normal call processing restrictions. An adversary with access to these diagnostic features may be able to deny service or make undetected connections allowing for the monitoring of other calls.
With the advent of the digital PBX and its wealth of features, the interaction between features presents a significant possibility for vulnerabilities. For example, in some systems the return-call and camp-on features can be manipulated to defeat caller-ID blocking. With the large number of features available in modern PBXs, it becomes difficult for the manufacturer to consider all of the ways in which different features may interact. Because of this, vulnerabilities may exist that were undetected by the manufacturer that allow an adversary unwanted access to the PBX and its instruments.
Since the actual Feature Interaction vulnerabilities found on a specific system depend heavily on the particular implementation of the features, it would be nearly impossible to describe every possibility for a generic system. NIST SP 800-24 includes detailed examples of some feature interactions.
One of the biggest new developments in telecommunications is the advent of computer-based telephony systems (CT). As microprocessor speeds have increased and memory prices dropped, it has become possible to implement a PBX on little more than a high-end PC. A CT system typically requires only the addition of specialized voice processing boards to an ordinary office PC with 64 MB of memory, a 3 GB disk, and a 300 MHz processor. Some CT systems use specialized real-time operating systems, but the trend is toward commercial off-the-shelf systems such as Windows, Linux, or other versions of UNIX. This development has brought great reductions in the cost of PBX systems, but it also brings the possibility of greatly increased security risk. Two factors in particular increase exposure: greatly expanded integration of telephony with the computer network, and implementation of PBX functions over operating systems with widely known vulnerabilities. Some of the features appearing in new CT systems include:
A complete exposition of the risks of CT systems is beyond the scope of this document. The safest course of action is to assume that most or all of the vulnerabilities described here apply to CT systems as well as traditional PBXs. CT systems may also have added vulnerabilities resulting from well-known weaknesses of PC operating systems. Future NIST publications may address CT security issues in more depth.
Not all of the security measures described in this bulletin will be applicable to every organization. The first step in improving PBX security is to assess the organization's current telephony applications. This bulletin describes important areas to consider. Following this assessment, NIST SP 800-24 can be used in conducting a detailed evaluation. SP 800-24 also includes a set of baseline security considerations for PBXs and a more complete set of countermeasures for common vulnerabilities.
NIST SP 800-24, PBX Vulnerability Analysis, National Institute of Standards and Technology, 2000.
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.