Not so long ago, phone and CCTV systems worked reliably over their own wires, isolated from an organisation’s data network.
But that is changing fast with Voice over Internet Protocol (VoIP) telephony and IP-based CCTV. These systems use the same data lines and protocols as the data network, making them cheaper to run and easier to manage. But, in the process, they are now prone to the same threats as the corporate data network.
To prove the point, distributor Wick Hill Ltd. will demonstrate at Infosecurity Europe how easy it is to hack into VoIP and IP-CCTV systems, and carry out damaging attacks.
Wick Hill Chairman Ian Kilpatrick said the problem exists because of a general lack of awareness of the dangers. Companies that once sold and installed analogue systems have moved on to the digital generation without fully appreciating the new dangers, he said.
“Vendors of Voice over IP phone systems and IP/CCTV are still playing catch-up when it comes to security, because it was never much of an issue when they were still in their analogue days,” he said. “Some PBX vendors even deny there’s a problem, and claim everything is safe.”
Many of the threats are based on old-fashioned toll fraud, where calls are channelled through the digital private branch exchange (PBX) to premium-rate phone numbers, usually overseas. But VoIP security risks can also include eavesdropping on calls, call interception, the altering of billing records, denial-of-service attacks and the hijacking of PBXs so criminals can sell minutes on to their clients.
Furthermore, the digital PBX can provide hackers with an undefended channel to the data network. “If I can break into your phone systems, there will be a bridge to the data network. That bridge is behind the firewall and is typically undefended. It is not perceived as risky,” Kilpatrick said. “The biggest problem at the moment is the lack of awareness of the problem, as with all security.”
Similarly, he said that if hackers can break into a CCTV system, they can effectively turn it off, or get it to replay old footage while a crime is happening.
Kilpatrick will run three demonstrations of how the attacks could take place: one against a CCTV system, another against a digital PBX, and a third wherein calls are intercepted and recorded. In this third scenario, if hackers could secretly record customers giving credit card numbers over the phone, organisations would be exposed to fraud, and be in serious violation of the Payment Card Industry Data Security Standard (PCI DSS).
“This is real; it’s not a hypothetical threat,” Kilpatrick said. “We are trying to educate the market, and show the issues around the threats.”