Toll-Free PBX hack highlights need for code auditing

Toll-Free PBX hack highlights need for code auditing says Fortify

September 2009 (Eskenzi PR) - Reports that a North Carolina business has been left with a $2,500 phone bill after phone phreakers hacked its PBX via the firm's toll-free (freephone) number show the danger of failing to audit all aspects of a system's software, says Fortify, the application vulnerability specialist.

"What this case shows is that, although the PBX supplier may have verified the security of the front line telephony interface on its PBX systems software, the hackers were able to break in via the side door effectively offered by the toll-free number," said Richard Kirk, Fortify's European Director.

"This is because a growing number of toll-free service providers support access to the direct dial inwards (DDI) numbers seen on the PBX systems of small-to-mid-sized enterprises," he added.

And, says Kirk, since these DDI numbers are mapped directly on to PBX extensions, the security levels on this side door method of access are often a lot lower than on the front door, the firm's main telephone number.

Of course, he explained, what makes matters worse about this hack is that the firm ended up paying for the hackers' incoming calls to its toll-free number, as well as the subsequent calls to foreign destinations.

According to the Fortify Director, the case proves that hackers can - and will - exploit the weakest link in the security of any public-facing computer system, whether that system is Internet-facing or telephone-network-facing.

"It's therefore vitally important for any code developers working on such a system, whether it's PBX systems software, or an e-commerce application, to secure the side door entrances, as well as the front entrance," he said.

"Just because the side door is not directly accessible at the moment, does not mean it won't become accessible at some time in the future, as new features and services are added to the software. Code auditing requires the use of lateral thinking in this regard," he added.

For more on the toll-free PBX hack: http://preview.tinyurl.com/mo876o

For more on Fortify Software: http://www.fortify.com
