Keeping IP PBXs Safe From Hackers

Hacking may be one of the dangers most inherent to IP PBXs that few people in the channel are willing to talk about. After all, if a customer’s system is infiltrated and thousands of dollars’ worth of fraudulent phone charges racked up, a partner stands a good chance of being sued. And if your liability insurance isn’t up to snuff, you could lose everything.

That almost happened to Michael Dennenberg. Dennenberg is president of Gulf Telecom, a Houston-based interconnect he founded in 1984. Not long ago, three of his biggest customers a towing service, a collision shop and a real estate firm became the unwitting targets of hackers later traced to China. The perpetrators had penetrated the users’ open-source IP PBXs and, in one case, made $20,000 worth of international calls. At the same time, the hackers had hijacked the bandwidth used for the IP PBXs to “boomerang” data, or rebroadcast it. In general, the hackers were sending porn that appeared to have been sent by the companies in question. Once Dennenberg learned of the problems, he shut down all of Gulf Telecom’s IP PBX sales. “We didn’t sell another IP PBX for another six months,” Dennenberg said. Instead, the company spent the intervening weeks figuring out what do to.

The first task was to wrangle with the phone companies. One of Dennenberg’s customers was hit with a $900 phone bill for foreign calls. But that client got lucky because they had specified with the service provider that no international calls were to be allowed. The phone company ate the charges because of its oversight. When it came to a $20,000 bill, however, Dennenberg had to file a claim with his liability insurer. He avoided a lawsuit and his customer didn’t have to pay for fraudulent charges.

From there, Gulf Telecom had to determine the best way to keep its customers from ever being hacked again. “We thought we were using a market-ready product,” Dennenberg said. But, as a legacy PBX interconnect, there were aspects of IP and open-source that Dennenberg didn’t know to address. “We became introspective and realized that we needed to do more homework before we released something to our customer[s], so it was kind of a ‘shame on us’ type thing. … I realized that we didnt act as thoroughly as we should have when it came to protecting the systems.”

Dennenberg sells open-source platforms and two of the three hacked customers were using Digium‘s Asterisk. For its part, Digium responded right away to an inquiry about IP hacking problems. “Digium is diligent about handling potentially exploitable errors in the Asterisk code base,” said Steve Sokol, Asterisk marketing director for Digium. “When issues are reported, Digium and the Asterisk community quickly provide patches that mitigate the potential for exploitation. For all released versions of Asterisk we provide an additional year of security issue resolution … beyond the sunset date for the release. No software system is perfect, but both Digium and our community partners take security very seriously and there have been few if any serious issues that have resulted from code flaws.”

Requests for comment from some IP PBX makers in addition to Digium were not returned.

Next, after conducting some research, Gulf Telecom set about plugging holes in the IP PBXs. The first step was to hire a developer with IT experience. “That’s what was missing we were so focused on the telephony side that we completely overlooked … the IT side, the security side,” Dennenberg said. “We brought in the big guns and made our systems bulletproof.”

So far, so good. To that point, here are some best-practices tips, from Dennenberg, Digium and an anonymous partner, for keeping your customers’ IP PBXs safe from hackers:

Set up clients’ systems on a private network.

Narrow call paths down to one or two, and do not include international calling. If your customer must make international calls, recommend the business use a prepaid method or set aside a trunk for international calling only.

“All of this is system security 101, and this is normally enough to protect customers from bad guys,” Sokol said. Still, thorough measures may not deter all hackers. “No matter how good you are at this stuff, people are involved, people will make mistakes and people will find holes,” said one channel partner, whose customers also have been hacked, speaking on condition of anonymity. The failsafe at that point? Have strong liability insurance coverage, the partner said. “Nothing will drive you out of business faster than [customers’] big bills.”