Default Passwords Blamed In $55M PBX Hacks

An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."

Re:Which one was it?

[mail2345]

Article: mainly by exploiting factory-set or default passwords on the voicemail systems
So, linksys?

Re:$55 million

[bruce_the_loon]

You are forgetting the reciprocal costs of phone calls. You break out of the network to another telco, most of the time there are costs per minute. You pay for access to the circuit. Add international calls to this and the numbers climb.

Most telcos have reciprocals in place that say if Telco A made 1000 minutes of calls to Telco B, and Telco B made 1000 minutes to Telco A, they call it quits. Now if A made 1000000 minutes to B, B wants its money. And A has nobody to send the bill to because they were stupid and didn't change the passwords.

Privacy? What privacy? (use encryption folks)

[operator_error]

Wait! before I thought only the NSA by statute and Google (because Google is truly eViL by supplying the NSA (& NASA!) with technology & staff), could listen to my phone calls, transcribe, translate, & index them into perpetuity. But now I'm reading the Italian mafia can listen in too?

Of course this explains why the Italian mafia learned awhile ago to encrypt their own calls. On the job training if you ask me.

FWIW, there's an asterisk module for pretty good privacy: http://www.zfoneproject.com/prod_asterisk.html [zfoneproject.com]

http://www.securitymanagement.com/article/new-voip-encryption-challenges-005680 [securitymanagement.com]

Why not?

Re:Which one was it?

[infolation]

actually the DoJ papers say the PBX systems were Nortel, Lucent, Bizphone and Panasonic

Re:Hacking?

[Thundarr Trollgrim]

"trespassing is trespassing"

Now that we have the glaring truisms out of the way... That is entirely irrelevant. The parent was stating that it was not hacking; hacking and trespassing are not the same thing, although one may include the other.

Re:Hackers, hacks ??!?

[dns_server]

"Hacking" laws are generally written with that language.
The COMPUTER CRIMES ACT 1997 has as section 3. "Unauthorized access to computer material."

Its probably a DISA hack

[wintermute000]

Guys its probably a DISA they discovered NOT CLI ACCESS TO THE PABX.....

Many PABXs have a feature where a specific incoming extension (DISA) is configured to allow calls to be re-routed from the PABX if you enter the correct PIN.

e.g. you dial into the secret number, enter the secret PIN, then from there you have full access to the PABX's destination codes.
so e.g. if your DISA extension is 333-88888, and PIN is 12345, and you dial 0 for external, then dialling this would work: 333-88888-12345-0-(number you want to dial). The call would then be originated from the PABX instead of the caller.

This is mostly used for troubleshooting because in PABX tie line networks your number codes determine how your calls route, with complex tie line networks you end up with destination codes upon destination codes which require a lot of thinking to get right as its basically a huge, layered sequence of static routes.

Anyhow back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us - someone phreaked the PIN code to the disa number - and was then selling calling cards in the phillipines that rerouted using one of our PABX's DISA lol.

Re:That's a spicy meatball!

[sumdumass]

So I wonder how many of them are still having PBX systems with the ability to call in and dial out via an 800 number?

I would say quite a few. I have noticed that a lot of VoIP systems are added-on instead of replacing older phone systems. They also already have the copper and it's cheaper to purchase lines by the bundle then to separate them.

BTW, large businesses would connect different campuses across a T1 point to point connection(s) before VoIP was around. Basically, the software/hardware in the phone system will use a channel on the T1 line as a phone line and allow the cross campus communications including passing inbound calls to the other facilities (one 800 number for 10 facilities across 5 states.) You can get 24 voice channels from one t1 line too. This also cuts down on long distance because you can program it to call out on the loop closest to the call termination. This means that if your in Buffalo NY and a customer is in Orangevale California and you have a branch office in Fair Oaks, it will be a local call for you. Some long distance telecoms offer T1 loops directly to their long distance center eliminating much of the costs in a normal switched call. That means they would be paying about 1/3 of what normal people would pay if you didn't consider the costs of the T1 loop.

VoIP has basically gotten around the T1 costs (you need one for each location). Some switched networks already use VoIP on controlled backbones to consolidate long distance calls as the telecoms saw the savings way before it was economical for normal people to play with it. VoIP has come a long ways since that has started and the bandwidth needed for good quality calls have dropped quite a bit.

Re:Feh.

[DNS-and-BIND]

Actually a lot of organized crime funds terrorism. I'm sure on your travels in SE Asia, you didn't see any so obviously it doesn't exist [gulfnews.com]. If it seems absurd to you, then we're sorry and will try to let reality intrude less next time.

Re:Hackers, hacks ??!?

[Dare nMc]

The last PBX system I did has the default admin password but, 1) it is behind NAT 2) behind firewall 3) truck to main office is wrapped inside the VPN (VPN not default password).
Likely they need a bot net to scan ports, or some social engineering to find their way inside the networks. another option is to trick the box into accepting a second trunk. The last possibility is they placed calls, and knew which keys to get, or which modem type capability's to try and exploit, so have to take several guesses at which system they are hitting.
Even having dealt with many PBX's, it takes considerable effort on most of them, even with full access, to get these non-standard call in and be able to call back out... (available feature on many systems, but not a standard line setting, that needs enabled/setup...)

Re:That's a spicy meatball!

[fluffy99]

VoIP has come a long ways since that has started and the bandwidth needed for good quality calls have dropped quite a bit.

If you definite a "good quality call" as the same quality as a POTS line, then VOIP G.711 (no compression) actually requires more bandwidth as it adds control signaling and you end up needing 80k instead of a single 64k channel per call. It also introduces more timing issues as ip doesn't guarantee timely or orderly deliverly of the packets. If you use a lower quality compression codec line G.729 you can reduce the bandwidth down as far as 8k data and 8k control, but at the expense of reduced voice quality - making it sound like a poor cell phone call.