The 5 Most Common PBX Hacking Methods & How to Counter Them
When it comes to preventing cyberattacks, one rule towers above all others: Anything connected to the internet can be hacked.
Given how internet telephony has become the standard, a PBX (private branch exchange) is now no different. VoIP is the way to communicate today, and it’s likely to remain so. But with this move, that golden rule of cybersecurity rears its head: now, phone systems are susceptible to attack from any location, at any time.
In fact, PBXs have long been a veritable holy grail for cyberattackers, precisely because many consumers simply don’t consider the possibility that they can be attacked. In 2021 alone, hacks on PBXs cost businesses $1.82 billion worldwide, making it one of the most damaging forms of cyberattack in digital communications.
That means any time businesses think about PBXs, feature sets and business outcomes can no longer be the end of their considerations. Deserving just as much (if not more) thought is the matter of security: To what extent is this system vulnerable? How effectively can it ward off attacks?
To better consider this question, let’s take a look at the most common ways that modern PBXs are hacked, as well as the ways to thwart these efforts.
1. Brute Force
This is a method that is by no means exclusive to PBXs. However, it remains an effective one, mainly due to a lack of security awareness in internet telephony.
The brute force method of hacking refers to trying to “force” a login of a given system; hackers will pull a known username and, for the password, go through system defaults and then the most common phrases.
If hackers are successful in this approach, the fallout for businesses is catastrophic. Hackers logging into a PBX as an administrator means they can now control all telephony operations for your business — most commonly, using your phone to make long, expensive calls on a constant basis.
2. Social Engineering
One to be on the lookout for in general, social engineering is when a cyberattacker attempts to convince a target to willingly hand over their login credentials. Typically, hackers will do so by sending victims emails or calls convincing them that they’re someone trustworthy (often a fellow colleague) — which, of course, ends with a plea for your username and password, please and thank you.
We already covered a lot of how social engineering works in our previous post about phishing. But it’s worth bringing up specifically for PBXs because this is a common tactic for this area of hacking specifically: if a cyberattacker isn’t willing to brute force your login info, they may instead pretend to be a technician, an employee, a government employee or some other figure who desperately, desperately needs to pop into your PBX as an admin.
Again, if a cyberattacker gets ahold of those credentials, it’ll spell loads of trouble for the business involved, amounting to anything from thousands of dollars in excess phone bills to a total hijacking of your network. Of course, still worse scenarios can unfold: Imagine what would happen if they rang up customers as you, asking them to transfer money for (phony) goods or services to an uncontrolled bank account? Dire as it sounds, it’s just as possible if the wrong hands gain access.
3. Denial of Service (DoS) Attacks
You may have heard about this one in web-specific contexts, but rest assured, it’s a threat targeting PBXs as well.
A DoS attack is, in essence, an attempt at rendering a system inoperable by flooding it with too much traffic. For PBXs, this means a seemingly endless number of calls or access requests, likely generated by bots and computers controlled by malware. Under the strain of these thousands of simultaneous requests, the PBX effectively shuts down, overloaded by the sheer volume of traffic and thereby rendered unable to address any of them.
Obviously, this method of hacking isn’t dependent on deception, unlike the last two. Since PBXs are typically designed to accept calls and web traffic from just about anywhere, all a cyberattacker needs to launch a DoS attack is a phone number or a login page.
Given that easy premise and its potentially debilitating results, it should be easy to understand why this is one cyberattack method to be especially aware of.
4. Eavesdropping
By that same token, if your PBX isn’t properly secured, cyberattackers likely don’t even need your PBX’s login credentials at all to wreak havoc.
If PBXs don’t follow proper security protocols, they can be left open to eavesdropping from outside listeners, even ones who don’t know any of your admin credentials. Effectively, with the right means of attack, a hacker can sit in on any communications made through your PBX — potentially even altering those messages before they reach their target.
Most commonly, this is done via what’s called a man-in-the-middle attack. Here, the hacker places themselves between the two communicating parties by telling the PBX that they, in fact, are one of the two legitimate speakers. In this “middle” position, the hacker will intercept messages as they arrive, then pass them along to the other end. Effectively, this attack allows bad actors to listen in on conversations without either side’s knowledge.
The danger presented here should be obvious: If you’re discussing confidential information over the phone, you might actually be leaking it to an unknown third party. And yes, as said earlier, since the titular “man in the middle” is accessing all your messages before the other party receives them, it’s also possible that they can be altered (usually as a way to get financial information or login credentials).
PBXs that aren’t built to address attacks of this nature may very well be leaving your conversations open to theft, literally in real time.
5. Unprotected Ports
Similarly, PBXs can be accessed by unauthorized users if certain network channels called “ports” are left unsecured on the device.
Usually, these ports are kept secured by digital firewalls that keep out unauthorized entrants. But sometimes, these firewalls can be left open or otherwise unprotected. If that happens, it’s open season for cyberattackers.
Once in through an unprotected port, cyberattackers will most commonly root around in the PBX for user information: customer databases, passwords, anything confidential. Worse, from inside the PBX a hacker can even access a connected modem and, from there, a business’s entire network.
Another grim possibility is if a cyberattacker uses this point of entry to set up a new extension on your PBX, basically adding themselves to your phone plan on their terms. Without effective protections, it’s simple for uninvited guests to take up a long residence in your PBX — and from there, even in your local internet network.
But what’s in it for the hackers?
Of course, this extensive list of hacking methods might leave you wondering how exactly hackers are set to benefit from breaking into your PBX. It seems a lot of trouble to go through if they’re just seeking disruption or making random people’s lives miserable.
In general, the answer comes down to cold, hard cash.
Hackers most commonly make money here through those aforementioned long, expensive phone calls. Remember how they usually will contact seemingly random pay-per-minute phone lines? Well, take a wild guess who actually owns those expensive numbers.
Yep — it’s typically either the hackers themselves or someone aligned with them.
With this strategy, an unprotected PBX is effectively an unlocked bank vault to cyberattackers. If they can get a call from your telephony system routed to their number, they will quite literally siphon cash from your business’s accounts through the phone.
Alternatively, hackers will often exploit PBXs to place spam phone calls. If you’ve ever been called from an unknown number about “your car’s extended warranty” or owing some unexpected amount of taxes, you already know this routine: A prerecorded voice informs the listener they need to pay up for some threatening reason or another, then demands financial information.
To get an outbound number — and to keep themselves anonymous — cyberattackers often take over existing PBXs to place these robocalls. While this practice won’t directly impact a business financially, it’s still (to put it lightly) bad press to have one of your company numbers be involved in a thoroughly annoying and fully predatory scheme.
Another possibility is hackers may simply break into a voicemail account to comb through the messages left there, usually to seek out personal information or full-on passwords mentioned. While less common, this strategy can easily lead to devastating results if cyberattackers actually find usable terms and numbers.
One way or another, cyberattackers will come after money by breaking into your PBX, and they’ll get it fully at your expense.
Recouping after suffering one of these attacks is extremely difficult. Phone carriers are rarely willing to waive fees racked up by PBX cyberattackers, and even publicly acknowledging a digital break-in can do serious harm to a company’s image.
All told, it’s far better to simply keep PBX attacks from occurring in the first place. That takes a proactive approach to security, a full awareness of the threats and how they find success, and a good deal of technical know-how.
Fortunately, this is made significantly easier just by working with a smart PBX vendor.
First, to prevent brute force hacking and related methods, it’s vital that the VoIP system requires passwords be changed after installation. Although this is easy enough to cover manually, if creating a powerful password is necessary from the word “go,” it does even more to prevent security issues in the first place. Enabling two-factor authentication (2FA) likewise will do much to prevent unauthorized access.
Protection against DoS attacks is also achievable through a system that blocks specific sources of traffic if they attempt too many calls or logins. By simply not responding to incoming requests when it’s clear there is a purposefully excessive number of them, the PBX can remain online and usable even when under attack.
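To make the per-source blocking described above concrete, here is an added Python sketch (not code from Wildix or any PBX product): it counts call and login attempts per source in a sliding window, bans a source that exceeds the limit, and lifts the ban after a timeout. The thresholds, the `SourceThrottle` and `replay` names and the log format are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune to real traffic.
WINDOW = timedelta(seconds=60)     # look-back period per source
MAX_EVENTS = 5                     # attempts allowed inside the window
BAN_TIME = timedelta(minutes=10)   # how long an offending source is ignored

# Constructed sample events: timestamp, attempt type, source IP.
SAMPLE_LOG = "\n".join(sorted(
    [f"2024-05-01T10:00:0{s} LOGIN 203.0.113.7" for s in range(8)]
    + ["2024-05-01T10:00:03 CALL 198.51.100.20",
       "2024-05-01T10:02:00 CALL 198.51.100.20",
       "2024-05-01T10:05:00 LOGIN 203.0.113.7",    # retry while banned
       "2024-05-01T10:11:00 LOGIN 203.0.113.7"]))  # retry after ban expiry

class SourceThrottle:
    def __init__(self, window=WINDOW, max_events=MAX_EVENTS, ban_time=BAN_TIME):
        self.window, self.max_events, self.ban_time = window, max_events, ban_time
        self.recent = defaultdict(deque)  # source -> attempt times in window
        self.banned_until = {}            # source -> time the ban ends

    def allow(self, source, now):
        """Return True to answer the request, False to drop it silently."""
        until = self.banned_until.get(source)
        if until is not None:
            if now < until:
                return False                   # still banned: do not respond
            del self.banned_until[source]      # ban expired: start fresh
        attempts = self.recent[source]
        attempts.append(now)
        while now - attempts[0] > self.window:  # forget attempts outside window
            attempts.popleft()
        if len(attempts) > self.max_events:
            self.banned_until[source] = now + self.ban_time
            attempts.clear()
            return False
        return True

def replay(log_text, throttle=None):
    """Feed log lines through the throttle; return dropped counts per source."""
    throttle = throttle or SourceThrottle()
    dropped = defaultdict(int)
    for line in log_text.splitlines():
        stamp, _kind, source = line.split()
        if not throttle.allow(source, datetime.fromisoformat(stamp)):
            dropped[source] += 1
    return dict(dropped)
```

Replaying the sample drops only the flooding source, while the occasional caller is never blocked and the banned source is answered again once its ban has expired.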
A PBX can also be protected from unwanted access via IP address or open ports through smart design. Layering security into the PBX through measures like blocks on the system’s public IP address will prevent unauthorized entry. Likewise, built-in firewalls for the device will keep out cyberattackers hunting for a gap.
In addition to these steps, it’s vital that a PBX have additional security measures in place in case any of these initial firewall and blocking methods are breached. One of these is to use a multi-tier approach to PBX design — that is, separating sections of the PBX to not make all data on it accessible from one entry. Additionally, using up-to-date encryption measures, especially TLS 1.2 or beyond, will further stop external parties from breaking or listening in.
Wildix uses these security measures and many more to ensure each PBX deployed is entirely secure by design. Read how this online safety is achieved in full detail with our free white paper.
However you use telephony, now that it too has become a part of the internet, it’s crucial to approach it with the same need for security as you’d give any other device. On top of being aware of who’s getting what information, businesses have to take the proper steps of securing PBXs and how they connect to others.