
Breaking into voicemail systems is a ‘trivial task’

Bill Goodwin

Businesses are placing themselves at risk because they are failing to secure their internal voicemail systems from hackers.

Criminal gangs are exploiting poor security on company voicemail systems to snoop on confidential information or to make long-distance phone calls at the company’s expense, according to security experts.

In some cases groups have profited by selling phonecards programmed to dial into company voicemail systems to make "free" international calls, said Andy Zmolek, senior manager for information security at network specialist Avaya.

"There have been cases where companies have lost £750,000 in a weekend. In many cases it is through improperly configured voicemail," he said.

The tendency for staff to use default or easily guessable voicemail passwords means it is a "trivial task" for hackers to break into most company voicemail systems, a white paper from security firm @stake said.

During one audit on a large consulting company in the US, @stake was able to access seven out of 51 voicemail boxes belonging to senior staff.

"We compromised a high-ranking executive’s voicemail, which contained a goldmine of critical data, some of which was related to merger negotiations," it said.

Once inside the voicemail system, hackers can exploit call forwarding functions to make free calls or transfer to internal modems to access IT systems, unless there is adequate security.

Criminals can also exploit disused mailboxes belonging to former staff members to exchange messages with each other or to make free calls.

Peter Sommer, security expert at the London School of Economics, said, "It is a relatively trivial exercise to hack into a voicemail system, but from a hacker’s point of view, most of what is harvested is completely uninteresting."

Countermeasures

• Limit the number of access attempts

• Use longer passwords

• Change default passwords immediately

• Use secure voicemail passwords

• Restrict call transfer functions on voicemail and other PBX functions

• Do not leave confidential information in messages.

Source: @stake
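
One way to audit mailboxes against the countermeasures above, as an added example that is not from the article or the @stake white paper. It assumes the PBX can export per-mailbox settings and that the PIN is visible to the check (for instance at the moment a user sets it); all field names, thresholds and default PINs are hypothetical.

```python
# Added example; field names and thresholds below are assumptions.
MIN_PIN_LENGTH = 6               # assumed; the article only says "longer"
MAX_LOGIN_ATTEMPTS = 3           # assumed lockout threshold
DEFAULT_PINS = {"0000", "1234"}  # assumed vendor defaults


def is_sequential(pin):
    """True for ascending or descending digit runs such as 1234 or 9876."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def pin_findings(pin, extension):
    """Reasons a PIN counts as default or easily guessable."""
    checks = [
        (pin in DEFAULT_PINS, "default PIN"),
        (len(pin) < MIN_PIN_LENGTH, "PIN too short"),
        (len(set(pin)) == 1, "repeated digit"),
        (is_sequential(pin), "sequential digits"),
        (extension in pin or extension[::-1] in pin, "derived from extension"),
    ]
    return [reason for failed, reason in checks if failed]


def audit_mailbox(box):
    """Check one mailbox record against the listed countermeasures."""
    limit = box["max_attempts"]
    checks = [
        (limit is None or limit > MAX_LOGIN_ATTEMPTS, "no limit on access attempts"),
        (box["external_transfer"], "call transfer to outside lines enabled"),
        (not box["owner_active"], "disused mailbox of former staff member"),
    ]
    findings = pin_findings(box["pin"], box["extension"])
    return findings + [reason for failed, reason in checks if failed]


# Constructed sample records, not data from the article.
MAILBOXES = [
    {"extension": "4021", "pin": "1234", "max_attempts": None,
     "external_transfer": True, "owner_active": True},
    {"extension": "4022", "pin": "402200", "max_attempts": 3,
     "external_transfer": False, "owner_active": False},
    {"extension": "4023", "pin": "580317", "max_attempts": 3,
     "external_transfer": False, "owner_active": True},
]

if __name__ == "__main__":
    for box in MAILBOXES:
        print(box["extension"], audit_mailbox(box) or "ok")
```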


 
