The Mathematics Behind Hacking Telephone Systems

Introduction
In today's business environment, security is of vital importance. This importance
extends to voice networks just as much as data and the risks of a security breach are
growing daily. In this document we detail some of the reasons behind the increasing
popularity of Toll Fraud.

The main reason for the increase in Toll Fraud instances is simply because, from the
hacker’s perspective, his is a low risk high profit crime.

Low risk because you, the target, probably will not notice, for quite some time, that
you have been attacked.

Low risk because, when you do notice the attack, you will not know what to do about
it.

Low risk because when you do report it your PTO (Public Telecom Operator)
probably will not know what to do about it.

Low risk because your telephone system maintainer probably will not know what to
do about it.

Low risk because the hacker has daisy chained several hacked systems together
making it virtually impossible to find out where he started from.

High profit, because you can generate THOUSANDS of pounds per system per day.

And there is one final reason;

It is generally very easy to do…………………

Voicemail and Automated Response Systems

Many modern telephone systems offer both build in Voicemail and Automated
Response Systems

Voicemail, so that when you are away from your desk you don’t miss your messages
and Automated Response to tell your customers that you are closed when you have
gone home.

Both of these are normally protected by a PIN number.

Generally, this will be a four digit PIN which is more than sufficient because;

1/. That’s what the telephone system has

2/. It’s good enough for your credit cards

Well, there is a quote from a hacker that goes along the lines of;

“I don’t care how much money, time and effort you put into the best security system
in the world – It’s only as good as the first one of your idiot that uses 1 2 3 4 as a
password!”

From this, we can deduce that some PIN numbers are not as good as the others;

1234

4321

1111

2222

3333

4444

1937 (The four corners of a keypad)

2580 (The line down the middle of a keypad)

1 9 0 0 to 2 0 1 0 (Possible Birthdays and Anniversaries)

1066 (Historically significant dates)

The default system password (Can be found on the internet)

Have you seen your password yet????

Cracking PIN Numbers
So, how long does it take you to enter your PIN number? I would suggest 5 seconds
or less.

Now lets explore some mathematics………………..

If you have a four digit password the maximum number of permutations is 9999.

If it takes 5 seconds to enter one permutation, the amount of time taken to enter them
all would be;

9999 X 5 Seconds = 49995 Seconds

833.25 Hours

34 Days

So, you can now sleep easily in you bed, because you change your password every
month and your password would be the last one that was ever tried.

But, wait a minute, how many voicemail ports does your telephone system have?

Maybe 4 that means that we can now run four simultaneous attacks, so that quarters
the time;

(9999 X 5 Seconds)/4 = 12498 Seconds

208.31 Hours

8.6 Days

Still pretty safe, unfortunately though you bought a nice modern system with 20 port
voicemail and now what we are looking at is;

(9999 X 5 Seconds)/20 = 2499 Seconds

25 Minutes

Still sleeping soundly in your bed…………….

Still, even if someone does get into your voicemail, how bad can it be??????
Theoretical Voicemail Hack
On Friday your business closes at 17:00

At 17:01 a hacker breaches your system and starts to generates outgoing telephone calls

Each of these calls is to a premium rated telephone number.

You discover the hack at 09:01 on Monday morning (as you return to work).

The duration of this hack is 3,840 minutes,

Therefore;

£ 1.00 (p3 UK premium rate) per minute premium rate = £ 3,840

£ 1.25 (p33 UK premium rate) per minute premium rate = £ 4,800

£ 1.50 (p0 UK premium rate) per minute premium rate = £ 5,760

However, you have twenty port voicemail generating twenty calls; the actual figures could be;

£ 1.00 per minute premium rate = £ 76,800

£ 1.25 per minute premium rate = £ 96,000

£ 1.50 per minute premium rate = £ 115,200

And if you are lucky enough to have bought 30 port voicemail;

£ 1.00 per minute premium rate = £ 115,200

£ 1.25 per minute premium rate = £ 144,000

£ 1.50 per minute premium rate = £ 172,800

It’s a good job that’s only theoretical…………

Real World Examples
PBX toll fraud is a $12 billion a year industry, Canada alone accounts for about $30
1
million while the United States counts for about $ 4 Billion. (UK Figures not
available).

Scotland Yard over 18 Months 6 £ 1,000,000

Duxbury Library 2 $ 15,000

Homeland Security 9 $ 12,000

Legrand Software in one night 8 $ 1,800

Hub Computer Solutions 7 $ 50,000

Irish Department of Social Welfare over one weekend 3 € 300,000

Perpetual Trustees (Australia) over two months 5 $ 600,000

Perpetual Trustees (Australia) on one day 5 $ 80,000

Plastic Plumbing (Australia) over three months 5 $ 50,000

Three Filipino residents 4 $ 55,000,000

UK becomes a global top 5 communication fraud hotspot

Source

1. Bell Communications
2. The Boston Globe
3. Silicon Republic
4. Washington Post
5. Risk Management Magazine
6. Comms Dealer Volume 10 Issue 8 August 2005
7. Wired
8. ZDNet
9. CBS News

What should you do next?

Simply contact either your system maintainer or a specialist PBX security company
and enquire about a telephone system vulnerability analysis.

And don’t expect this to be a one off fix. Software upgrades, new bugs and
programming changes mean that this is a service which will need to be repeated at
least annually to be of any value.